Palo Alto Networks Security Advisories / PAN-SA-2024-0005

PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent


Informational

Description

The Palo Alto Networks Product Security Assurance team is aware of research presented by SafeBreach, entitled "The Dark Side of EDR", that describes a specially crafted proof of concept (PoC) which bypasses Cortex XDR agent endpoint protection modules. Practical attack scenarios require administrative privileges to perform this bypass.

The technique presented is detected and blocked by agents running content update CU-1320 or later. This issue does not represent a product vulnerability risk to customers using the Cortex XDR agent. This issue is not applicable to the macOS and Linux platforms.

Product Status

Versions                Affected                                                       Unaffected
Cortex XDR Agent 8.4    Agents with a content update earlier than CU-1320 on Windows   Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent 8.3    Agents with a content update earlier than CU-1320 on Windows   Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent 8.2    Agents with a content update earlier than CU-1320 on Windows   Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent 8.1    Agents with a content update earlier than CU-1320 on Windows   Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent 8.0    Agents with a content update earlier than CU-1320 on Windows   Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent 7.9    Agents with a content update earlier than CU-1320 on Windows   Agents with CU-1320 or a later content update on Windows
Cortex XDR Agent 5.0    All agents on Windows                                          None

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Solution

Cortex XDR agent content update CU-1320 detects and prevents this technique.

No updates are planned for Cortex XDR agent 5.0 as it does not have the relevant Behavioral Threat Protection module required to detect this technique.
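The Product Status table and the Solution above together give a simple rule set: Windows agents on the 7.9 and 8.0 through 8.4 branches are protected once they run CU-1320 or later, Windows agents on 5.0 stay affected with no fix planned, and macOS and Linux agents are out of scope. The script below, an added example and not Palo Alto Networks code, applies those rules to an agent inventory so that the endpoints still needing attention can be listed. The CSV layout, column names, host names and version strings are constructed assumptions for this example, not a real Cortex XDR console export format.

```python
"""Triage a Cortex XDR agent inventory against PAN-SA-2024-0005.

Encodes the bulletin's Product Status table: Windows agents on 7.9 and
8.0-8.4 are protected with content update CU-1320 or later, 5.0 agents
on Windows are affected with no fix planned, and macOS/Linux agents are
not in scope.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

FIXED_CONTENT_UPDATE = 1320                                   # CU-1320 per the bulletin
LISTED_BRANCHES = {(7, 9), (8, 0), (8, 1), (8, 2), (8, 3), (8, 4)}
NO_FIX_BRANCHES = {(5, 0)}                                    # no update planned for 5.0

# Constructed sample inventory. Column names, host names and version
# strings are assumptions for this example, not a real console export.
SAMPLE_EXPORT = """hostname,platform,agent_version,content_version
win-fs01,Windows,8.4.0.12345,CU-1325
win-ws02,Windows,8.2.0.98765,CU-1310
win-legacy,Windows,5.0.9.1,CU-1330
win-ws03,Windows,7.9.0.1111,1320
win-old,Windows,7.8.0.4242,CU-1330
mac-01,macOS,8.4.0.12345,CU-1290
lnx-01,Linux,8.3.0.4242,CU-1300
"""


def content_update_number(value: str) -> Optional[int]:
    """Extract the numeric part of a content version ('CU-1320' or '1320')."""
    match = re.search(r"(\d+)", value or "")
    return int(match.group(1)) if match else None


def agent_branch(version: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of a dotted agent version such as '8.4.0.12345'."""
    parts = version.strip().split(".")
    try:
        return int(parts[0]), int(parts[1])
    except (IndexError, ValueError):
        return None


def assess(row: Dict[str, str]) -> str:
    """Classify one agent record according to the bulletin's table."""
    if row["platform"].strip().lower() not in {"windows", "win"}:
        return "not-applicable"       # bulletin covers Windows agents only
    branch = agent_branch(row["agent_version"])
    if branch in NO_FIX_BRANCHES:
        return "affected-no-fix"      # 5.0 lacks the Behavioral Threat Protection module
    if branch not in LISTED_BRANCHES:
        return "not-listed"           # branch absent from the table: confirm with the vendor
    cu = content_update_number(row["content_version"])
    if cu is None:
        return "unknown-content"      # cannot decide without a content version
    return "protected" if cu >= FIXED_CONTENT_UPDATE else "affected"


def triage(export_text: str) -> Dict[str, str]:
    """Map hostname -> status for every row of a CSV inventory export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["hostname"]: assess(row) for row in reader}


def hosts_needing_attention(export_text: str) -> List[str]:
    """Hosts that are affected, have no fix, or could not be classified."""
    flagged = {"affected", "affected-no-fix", "unknown-content", "not-listed"}
    return sorted(h for h, s in triage(export_text).items() if s in flagged)


if __name__ == "__main__":
    for host, status in triage(SAMPLE_EXPORT).items():
        print(f"{host:12} {status}")
    print("needs attention:", hosts_needing_attention(SAMPLE_EXPORT))
```

Agents whose branch is not in the table (for example 7.8 in the sample) are deliberately reported as "not-listed" rather than assumed safe, since the bulletin says nothing about them; the same conservative default applies when the content version is missing.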

Acknowledgments

Palo Alto Networks thanks Shmuel Cohen of SafeBreach for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.