Bypass Record

Disable or Modify Tools × Palo Alto Networks Cortex XDR

A publicly-reported instance of Disable or Modify Tools bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Palo Alto Networks Cortex XDR
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-07-07
Config / version noted: Not stated

Provenance

Reported as

The tool requires local administrator privileges and can target specific EDR products like Cortex XDR and Windows Event Forwarding.

Mechanism

The tool leverages the Windows Filtering Platform (WFP) to create persistent or non-persistent firewall rules that block outbound traffic from the endpoint to known EDR cloud IP addresses and ports. It can automatically extract proxy configurations for Cortex XDR and Windows Event Collector (WEC) settings from the registry to generate blocking rules. By preventing the EDR agent from sending telemetry, alerts, and logs to the cloud, the tool effectively blinds the security monitoring without disabling or tampering with the agent itself.

Detection & mitigation

Monitor for unexpected WFP filter additions or changes via Event ID 5157 (Windows Filtering Platform) and registry access to EDR proxy/WEC settings. Enforce least privilege to prevent local admin abuse and deploy EDR tamper protection to block unauthorized firewall rule creation.
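As an added illustration, not part of the cited source or this record, the Python below sketches the first monitoring step above: it scans Windows Filtering Platform block events (Event ID 5157) for outbound connections of the EDR agent process that were blocked by a host filter outside a known-good baseline, since a healthy agent's cloud egress should never be blocked locally. The agent path, filter IDs, addresses and the flattened key=value log format are constructed placeholders, not Cortex XDR specifics; registry monitoring for proxy/WEC settings is left out of scope.

```python
"""Flag WFP block events (Event ID 5157) that hit an EDR agent's outbound traffic."""
import re
from collections import defaultdict

# Assumption: path suffix of the EDR agent binary. Placeholder, not a real product path.
EDR_PROCESS_SUFFIXES = ("\\edr-vendor\\agent.exe",)

# Constructed sample events in a flattened key=value form (not a real log export).
SAMPLE_EVENTS = [
    "EventID=5157 Application=\\device\\harddiskvolume2\\program files\\edr-vendor\\agent.exe "
    "Direction=Outbound DestAddress=203.0.113.10 DestPort=443 FilterRTID=70001",
    "EventID=5157 Application=\\device\\harddiskvolume2\\windows\\system32\\svchost.exe "
    "Direction=Inbound DestAddress=192.0.2.5 DestPort=445 FilterRTID=68100",
    "EventID=5157 Application=\\device\\harddiskvolume2\\program files\\edr-vendor\\agent.exe "
    "Direction=Outbound DestAddress=203.0.113.11 DestPort=443 FilterRTID=70001",
    "EventID=5156 Application=\\device\\harddiskvolume2\\program files\\edr-vendor\\agent.exe "
    "Direction=Outbound DestAddress=203.0.113.10 DestPort=443 FilterRTID=0",
]

# Values may contain spaces (e.g. "program files"), so each value runs up to the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def edr_egress_blocks(lines, baseline_filter_ids=frozenset()):
    """Group outbound 5157 blocks of the EDR process by the filter that blocked them.

    Filters in baseline_filter_ids (known-good corporate firewall policy) are ignored;
    anything else blocking the agent's egress is a candidate tamper indicator.
    Returns {filter_id: [(application, dest_address, dest_port), ...]}.
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5157" or ev.get("Direction") != "Outbound":
            continue  # only WFP *block* events for outbound traffic matter here
        app = ev.get("Application", "").lower()
        if not app.endswith(EDR_PROCESS_SUFFIXES):
            continue  # not the EDR agent
        fid = ev.get("FilterRTID")
        if fid in baseline_filter_ids:
            continue  # expected policy, not tampering
        hits[fid].append((app, ev.get("DestAddress"), ev.get("DestPort")))
    return dict(hits)


if __name__ == "__main__":
    for fid, blocks in edr_egress_blocks(SAMPLE_EVENTS).items():
        print(f"filter {fid} blocked EDR egress {len(blocks)}x: {blocks}")
```

In a real deployment the baseline set would come from the enterprise firewall policy export, and any filter outside it that repeatedly blocks the agent warrants an immediate look at who created it.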


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.