Index / Tamper-Protection Bypass / Palo Alto Networks
Bypass Record

Tamper-Protection Bypass × Palo Alto Networks Cortex XDR

A publicly-reported instance of Tamper-Protection Bypass bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Palo Alto Networks Cortex XDR
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
poc
Disclosed
2024-04-19
Config / version noted
Not stated

Provenance

Reported as

bypassing its anti-tampering mechanism and modifying plaintext Lua rule files

Mechanism

The attacker uses a hard link to redirect file access, bypassing folder-level anti-tampering protection to edit plaintext Lua rule files. By removing rules and triggering a reload, a vulnerable driver is loaded, granting full control. The XDR's password is changed to prevent removal, and communication to servers is blocked while the agent appears operational.

Detection & mitigation

Monitor for unexpected modifications to Cortex XDR Lua rule files (e.g., via file integrity monitoring on the agent's content directory) and alert on hard link creation targeting protected paths. Enforce strict access controls and apply vendor patches to prevent anti-tampering bypass.

Tamper-Protection Bypass has also been recorded against

AppSealingArxanBeyondTrustBroadcom (Symantec)ByfronCrowdStrikeDANAElasticFireEyeKemcoLoGiC.NETMcAfee

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.