Cybersecurity researchers have found a serious way for attackers to bypass behavioral detections in Palo Alto Networks' Cortex XDR by decrypting and misusing the platform's protected detection rules. The findings show weaknesses in how the platform's Behavioral Indicators of Compromise (BIOC) rules are protected and enforced.
Hidden Weakness in BIOC Protection

Cortex XDR, like many endpoint detection and response (EDR) solutions, relies heavily on BIOC rules to identify malicious behavior based on what the system is doing rather than on signatures. These rules are written in the CLIPS language and are delivered to endpoints periodically through content updates. Palo Alto encrypts the rules before storing them on endpoints to prevent tampering and reverse engineering.
During a red team engagement, researchers noticed that Cortex XDR agent versions 8.7 and 8.8 produced inconsistent detections, which prompted them to look more closely at how these rules work inside the agent. After working out how the agent handles content updates, they found that the encrypted BIOC rules could be accessed and decrypted, exposing their logic.
Through extensive analysis, Infoguard researchers determined that the encryption protecting the BIOC rules used AES-256-CBC with a static key structure. Because the key derivation method was the same in every environment, the decryption could be reliably repeated. The researchers recovered plaintext rules using a multi-step process:

1. Locating the encrypted rule files in the local content update directories.
2. Using ProcMon to monitor file access and execution flows and identify the relevant functions in the cysvc.dll module.
3. Using WinDBG for kernel debugging to get past Cortex XDR's self-protection features.
4. Extracting the decryption routine from memory and dumping the CLIPS-based rules in plaintext.

This process exposed detection logic that is normally hidden from customers and defenders.
Global Whitelist Allows Evasion

Once decrypted, the BIOC rules revealed many hardcoded exceptions intended to reduce false positives. Among them, the researchers found a key global whitelist condition that could be misused to bypass detection: the rule instructed the agent to ignore any process whose command-line arguments contained a certain string. By adding a harmless-looking path such as :\Windows\ccmcache to the command line, attackers could evade detection for numerous malicious activities.
One example demonstrated credential dumping from the LSASS process using common tools. Although the activity matched known malicious behavior patterns, it evaded Cortex XDR protections because the command-line arguments had been modified to include the whitelisted string. Palo Alto Networks fixed the problem in late February 2026 after it was responsibly reported. The vendor removed the exploitable global whitelist conditions and changed the way the encryption key is derived to make rule decryption harder.
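As an added defender-side example (not from the article, from Infoguard, or from Palo Alto Networks), the following Python sketch flags process events in which the whitelisted path fragment appears in the command line even though the process itself has nothing to do with that directory. The log line format, the TRUSTED_IMAGES allowlist and the sample events are assumptions constructed for the example.

```python
"""Flag process events whose command line carries a benign-looking path
fragment that a global BIOC exception once treated as trustworthy, while
the process itself is unrelated to that path."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Fragment named in the write-up; extend with the exceptions you care about.
DECOY_FRAGMENTS = (r":\windows\ccmcache",)
# Assumed allowlist: the SCCM client host legitimately references ccmcache content.
TRUSTED_IMAGES = {"ccmexec.exe"}

@dataclass
class ProcessEvent:
    image: str          # full path of the executable
    command_line: str

# Assumed log line shape: image="..." cmdline="..."
LINE_RE = re.compile(r'^image="(?P<image>[^"]*)"\s+cmdline="(?P<cmd>[^"]*)"$')

def parse_event(line: str) -> Optional[ProcessEvent]:
    m = LINE_RE.match(line.strip())
    return ProcessEvent(m.group("image"), m.group("cmd")) if m else None

def is_decoy_use(ev: ProcessEvent) -> bool:
    """True when a whitelisted fragment is present in the command line but
    neither the image path nor a trusted SCCM binary explains it."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    for frag in DECOY_FRAGMENTS:
        if frag not in cmd:
            continue
        if frag in image:                        # genuinely running out of ccmcache
            continue
        if image.rsplit("\\", 1)[-1] in TRUSTED_IMAGES:
            continue
        return True                              # fragment is decorative, not functional
    return False

def find_decoy_use(lines: List[str]) -> List[str]:
    """Return the image paths of all events that look like whitelist-string abuse."""
    return [ev.image for ev in map(parse_event, lines) if ev and is_decoy_use(ev)]

SAMPLE_EVENTS = [  # constructed sample log lines
    r'image="C:\Windows\ccmcache\a1\setup.exe" cmdline="setup.exe /quiet"',
    r'image="C:\Windows\CCM\CcmExec.exe" cmdline="CcmExec.exe C:\Windows\ccmcache\a1\content.cab"',
    r'image="C:\Users\u\AppData\Local\Temp\t.exe" cmdline="t.exe -x :\Windows\ccmcache"',
    r'image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for hit in find_decoy_use(SAMPLE_EVENTS):
        print("suspicious decoy path fragment:", hit)
```

On the constructed sample only the Temp\t.exe event is flagged; the ccmcache installer and the CcmExec.exe reference are left alone.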
Companies should do the following:

1. Upgrade to Cortex XDR Agent version 9.1 or later.
2. Ensure content update versions are 2160 or higher.
3. Continuously validate that detections work through adversarial testing and red teaming.