Bypass Record

Disable or Modify Tools × CrowdStrike Falcon Sensor

A publicly reported instance of Disable or Modify Tools bypassing CrowdStrike Falcon Sensor, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: CrowdStrike Falcon Sensor
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: patched
Disclosed: 2025-03-06
Config / version noted: Not stated

Provenance

Reported as

CrowdStrike Falcon Sensor processes could be suspended by an attacker with SYSTEM privileges, allowing malicious applications to execute undetected.

Mechanism

An attacker with NT AUTHORITY\SYSTEM permissions uses Process Explorer to suspend CrowdStrike Falcon Sensor user-mode processes. Suspension is permitted while termination is blocked, creating a window where malicious applications execute without detection. Kernel components remain active, so some hooked actions (e.g., LSASS dumps) still trigger protection, but many malicious tools run freely.

Detection & mitigation

Monitor for process suspension events targeting CrowdStrike Falcon Sensor processes (e.g., via Sysmon Event ID 5 or Windows Security Event 4688 with Process Explorer). Implement endpoint detection rules to alert on suspension of security product processes. Ensure Falcon Sensor is updated to the latest version that prevents suspension.


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.