Research Shows How Attackers Can Abuse EDR Security Products

Vulnerabilities in Palo Alto Networks Cortex XDR allowed a security researcher to turn it into a malicious offensive tool.

Endpoint detection and response (EDR) solutions can potentially be repurposed to become malicious offensive tools, a SafeBreach security researcher has demonstrated.

Designed to protect devices from malware and various other types of threats, EDR solutions run with high privileges, so their compromise would give threat actors persistent, stealthy access to victim devices.

Looking to prove that this is indeed possible, SafeBreach security researcher Shmuel Cohen dissected the inner workings of Palo Alto Networks’ Cortex extended detection and response (XDR) platform to identify weaknesses that could allow him to abuse the security tool. The issues were addressed by the vendor several months ago.

His analysis revealed that Cortex XDR’s behavior allowed an attacker to bypass its file anti-tampering protection, deploy and run file-encrypting ransomware, and even load a vulnerable driver in order to prevent Cortex XDR from being removed with the administrator’s uninstall password.

Furthermore, the researcher found a method of injecting malicious code into one of the security solution’s processes, allowing him to execute code with high privileges, while remaining undetected.

Cortex XDR, Cohen discovered, relied on a series of policy rules and text-based Lua and Python files for configuration, which allowed the researcher to tamper with its normal functions to perform malicious actions.

The ransomware protection functionality, for example, would use honeypot files scattered throughout folders to detect when malware attempts to modify them, and a mini-filter driver to hide those files.

However, the security platform also stores a list of legitimate processes that should not be able to view those files, and Cohen was able to deploy file-encrypting ransomware by simply renaming the malware using a name on the exclusion list.


Similarly, the researcher was able to dump the memory of the LSASS process by identifying prevention rules and allowed processes defined within Cortex XDR’s configuration files and renaming the memory dump program based on these.

Next, the researcher discovered that Cortex XDR’s anti-tampering protections could be bypassed by hard-linking to a protected target file, which allowed him to drop a vulnerable driver and then trick the solution into loading it.

The driver Cohen opted for allowed a user-mode process to read/write into kernel memory and elevate privileges, and the researcher used it to patch the management password verification in Cortex so that any password would work. He could also set it so that no password would work, thus preventing the removal of Cortex if the application was disconnected from the management server.

Finally, Cohen also discovered that it was possible to modify Lua rules to crash cyserver – the main XDR process – and that the security solution used Python files that could be injected with malicious code and then loaded into one of the application’s processes by crashing cyserver.

“I modified the Python main service script, caused cyserver to crash, then immediately turned it back on. This caused my code to run, giving me backdoor access to the machine with NT/system permissions—one of the highest privileges possible. Because my malware was inside cyserver and would run from one of its processes, it was undetectable, stealthy, persistent, and high-privileged,” Cohen explains.

The research, Cohen points out, shows that breaching any EDR solution, which acts as one of the highest-privileged guardians on a system, could provide threat actors with powerful capabilities likely to go undetected and unblocked.

He also notes that security products should closely guard the logic behind the detection processes, and should encrypt and digitally sign content files, to prevent tampering. Furthermore, processes should be added to allowlists or blocklists based on multiple parameters that an attacker should not be able to modify.
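The two design recommendations above, matching processes on more than a file name and refusing to load content files that fail an integrity check, are easy to illustrate. The following is an added example written for this article, not code from Cortex XDR or SafeBreach; the allowlist entries, process records, content rule and key are all constructed. It contrasts a name-only allowlist (which a renamed binary satisfies, as in the honeypot-file bypass described earlier) with one keyed on name, path, image hash and signer, and it gates loading of a text-based content file on a MAC tag. HMAC is used here only because it is in the standard library; a product would use an asymmetric signature so that no verification key on the endpoint can produce a valid tag.

```python
"""Added example: multi-parameter process allowlisting and signed content
file loading. All data below is constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessInfo:
    """What a driver or agent can observe about a running process."""
    name: str
    path: str
    image_sha256: str          # hash of the on-disk executable image
    signer: Optional[str]      # Authenticode-style signer name, or None


# Constructed "legitimate" executable that the product wants to exclude
# from honeypot-file visibility (hypothetical backup tool).
LEGIT_IMAGE = b"constructed bytes of a legitimate backup tool"
LEGIT_HASH = hashlib.sha256(LEGIT_IMAGE).hexdigest()
LEGIT_PATH = r"C:\Program Files\Backup\backup.exe".lower()
LEGIT_SIGNER = "Example Backup Vendor (constructed)"

# Weak design: the exclusion is keyed on the executable's file name only,
# which an attacker controls simply by renaming a binary.
NAME_ONLY_ALLOWLIST = {"backup.exe"}

# Stronger design: the entry binds several parameters the attacker cannot
# satisfy by renaming (install path, image hash, code-signing identity).
MULTI_PARAM_ALLOWLIST = {
    ("backup.exe", LEGIT_PATH, LEGIT_HASH, LEGIT_SIGNER),
}


def allowed_by_name(p: ProcessInfo) -> bool:
    return p.name.lower() in NAME_ONLY_ALLOWLIST


def allowed_by_multi(p: ProcessInfo) -> bool:
    key = (p.name.lower(), p.path.lower(), p.image_sha256, p.signer)
    return key in MULTI_PARAM_ALLOWLIST


def sign_content(key: bytes, content: bytes) -> bytes:
    """Tag a content file (rule/config text) so edits on disk are detected."""
    return hmac.new(key, content, hashlib.sha256).digest()


def load_content(key: bytes, content: bytes, tag: bytes) -> str:
    """Refuse to load a content file whose tag does not verify."""
    if not hmac.compare_digest(sign_content(key, content), tag):
        raise ValueError("content file failed integrity check; refusing to load")
    return content.decode()


def demo() -> dict:
    """Run both checks against a genuine process and a renamed impostor."""
    legit = ProcessInfo("backup.exe", LEGIT_PATH, LEGIT_HASH, LEGIT_SIGNER)
    renamed = ProcessInfo(                       # unrelated binary, renamed
        "backup.exe",
        r"C:\Users\Public\backup.exe",
        hashlib.sha256(b"constructed unrelated binary").hexdigest(),
        None,
    )

    key = b"constructed-demo-key"               # stands in for a signing key
    content = b"rule honeypot_hide { exclude process backup.exe }"
    tag = sign_content(key, content)
    genuine_loaded = load_content(key, content, tag) == content.decode()

    tampered = content.replace(b"backup.exe", b"other.exe")
    try:
        load_content(key, tampered, tag)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return {
        "renamed_passes_name_only": allowed_by_name(renamed),
        "renamed_passes_multi": allowed_by_multi(renamed),
        "legit_passes_multi": allowed_by_multi(legit),
        "genuine_content_loaded": genuine_loaded,
        "tampered_content_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The renamed binary clears the name-only list but not the multi-parameter one, and an edited rule file is rejected before it can influence detection logic.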

The researcher reported the issues to Palo Alto Networks roughly 10 months ago and the security firm addressed them “through automatic content updates”.

Related: Flaws in Avast, AVG Antiviruses Could Have Facilitated Attacks on Millions of Devices

Related: Vendors Respond to Method for Disabling Their Antivirus Products via Safe Mode

Related: Researchers Turn Antivirus Software Into Destructive Tools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
