Bypass Record
Disable or Modify Tools × Palo Alto Networks Cortex XDR Agent
A publicly-reported instance of Disable or Modify Tools bypassing Palo Alto Networks Cortex XDR Agent, recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
A null pointer dereference in the Cortex XDR agent can be triggered by a local low-privileged user, causing the agent to crash. This disables the endpoint detection capability, allowing malware to operate undetected.
Mechanism
A local low-privileged user can trigger a null pointer dereference in the Cortex XDR agent, which crashes the agent process. With the agent down, the endpoint's detection capability is disabled and malware can operate undetected.
Detection & mitigation
Monitor for unexpected termination of Cortex XDR agent processes (e.g., cyserver.exe) using Windows Event ID 4689 or Sysmon Event ID 5. Mitigate by applying vendor patches (8.6.1, 8.5.2, or later hotfixes) and enforcing agent tamper protection policies.
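As an added example (not part of the original record or the vendor's tooling), the following detection logic implements the monitoring note above over constructed process-exit events, and goes one step beyond it: process-exit events (Security 4689, Sysmon ID 5) are correlated with process-creation events (Security 4688, Sysmon ID 1) so that an agent exit quickly followed by a restart is treated as planned, while an exit with no restart is raised as an alert. The watch list (only `cyserver.exe`, the process named in the record), the 60-second grace window, the install path placeholder and the sample events are assumptions.

```python
"""Flag unexpected terminations of the Cortex XDR agent process.

Added example. Input events are dicts shaped after Windows Security
4689 (process exit) / 4688 (process create) and Sysmon ID 5 (process
terminate) / ID 1 (process create). The watch list, the restart grace
window and all sample data below are assumptions, not real telemetry.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Only process name given in the record; extending this list is an assumption.
WATCHED_IMAGES = {"cyserver.exe"}
# An exit followed by a start of the same image within this window is treated
# as a planned restart (e.g. upgrade), not a crash. Assumed value.
RESTART_GRACE = timedelta(seconds=60)

# (provider, event_id) -> (action, name of the field holding the image path)
EVENT_KINDS = {
    ("Security", 4689): ("exit", "ProcessName"),
    ("Security", 4688): ("start", "NewProcessName"),
    ("Sysmon", 5): ("exit", "Image"),
    ("Sysmon", 1): ("start", "Image"),
}


def image_name(path: str) -> str:
    """Return the lowercase basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def find_agent_terminations(events):
    """Return alerts for watched-process exits not followed by a restart.

    Each event dict carries: time (ISO 8601), provider, event_id, host and
    the image-path field appropriate to that event kind.
    """
    exits, starts = [], []
    for ev in events:
        kind = EVENT_KINDS.get((ev["provider"], ev["event_id"]))
        if kind is None:
            continue  # not a process lifecycle event we care about
        action, field = kind
        name = image_name(ev.get(field, ""))
        if name not in WATCHED_IMAGES:
            continue  # unrelated process
        record = (datetime.fromisoformat(ev["time"]), ev["host"], name, ev)
        (exits if action == "exit" else starts).append(record)

    alerts = []
    for t_exit, host, name, ev in exits:
        restarted = any(
            host == h and name == n and t_exit <= t_start <= t_exit + RESTART_GRACE
            for t_start, h, n, _ in starts
        )
        if not restarted:
            alerts.append({
                "host": host,
                "image": name,
                "time": ev["time"],
                "source": f'{ev["provider"]}/{ev["event_id"]}',
            })
    return alerts


# Constructed sample telemetry; AGENT_INSTALL_DIR is a placeholder path.
SAMPLE_EVENTS = [
    # HOST-A: planned restart, exit followed by a start 20 s later -> no alert.
    {"time": "2024-01-01T10:00:00", "provider": "Security", "event_id": 4689,
     "host": "HOST-A", "ProcessName": r"C:\AGENT_INSTALL_DIR\cyserver.exe"},
    {"time": "2024-01-01T10:00:20", "provider": "Security", "event_id": 4688,
     "host": "HOST-A", "NewProcessName": r"C:\AGENT_INSTALL_DIR\cyserver.exe"},
    # HOST-B: unrelated process exit -> ignored.
    {"time": "2024-01-01T10:05:00", "provider": "Sysmon", "event_id": 5,
     "host": "HOST-B", "Image": r"C:\Windows\System32\notepad.exe"},
    # HOST-B: agent exits (mixed-case path) and never comes back -> alert.
    {"time": "2024-01-01T10:06:00", "provider": "Sysmon", "event_id": 5,
     "host": "HOST-B", "Image": r"C:\AGENT_INSTALL_DIR\CYSERVER.EXE"},
]

if __name__ == "__main__":
    for alert in find_agent_terminations(SAMPLE_EVENTS):
        print(alert)
```

Matching on the image basename, case-insensitively, keeps the rule independent of the install directory and of how the provider casing records the path; correlating per host prevents a restart on one endpoint from suppressing an alert on another.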
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.