Last updated: July 5, 2026 at 9:01 AM UTC
Tag: edr-bypass (2 articles)

macOS trust-caching gap lets standard users silently disable EDR and MDM

Researchers at XM Cyber detailed a macOS technique that lets an attacker with only standard user privileges disable enterprise security tools and call privileged functions, with no admin credentials, kernel exploit, or alerts. It abuses how macOS caches an application's code signature: once cached, the system keeps trusting the app even after an attacker modifies its components, letting a normal user impersonate trusted code and reach privileged XPC services by injecting into interface files. The team showed it disabling CrowdStrike Falcon and Kandji's MDM agent. CrowdStrike and Kandji have fixed their products, with Kandji assigning CVE-2026-39118, but XM Cyber frames the root cause as a flaw in macOS itself.

Check
Confirm that macOS endpoint security and management agents, such as EDR and MDM, are updated to versions that address this technique, and identify any third-party macOS apps exposing privileged XPC services.
Affected
Organizations relying on macOS endpoint protection and MDM; any app exposing privileged XPC services with injectable interface files can be abused by a standard user to escalate and disable defenses.
Fix
Update CrowdStrike, Kandji, and other macOS security agents to patched versions, monitor for tampering with security tools, and apply Apple updates as they address the underlying trust-caching weakness.

GhostLock proof-of-concept abuses Windows file-sharing API to disrupt file access without encryption

A researcher at Israel Aerospace Industries published a proof-of-concept tool called GhostLock that uses a legitimate Windows API call to make files unreadable without encrypting anything. The technique abuses the dwShareMode parameter of CreateFileW - setting it to 0 grants the calling process exclusive access, so every other user or app trying to open the file gets a sharing violation. GhostLock automates this recursively across SMB shares from a standard domain user account, no elevation required. Researcher Kim Dvash frames it as a disruption attack, not destructive - data is not lost, but operational downtime can mirror a ransomware incident.

Check
Review your EDR and SIEM detection rules for behavior-based ransomware indicators. Verify they cover sharing-violation spikes and ShareAccess=0 file-open counts, not just mass file write or encryption activity.
Affected
Windows file servers and SMB shares in environments where any standard domain user account can authenticate. No CVE has been assigned - GhostLock abuses intended Windows file-sharing behavior, not a flaw. Behavioral detection systems focused on mass writes or encryption operations will not flag this attack pattern; the attack also requires no elevation.
Fix
Implement detection at the file server layer: monitor per-session open-file counts with ShareAccess=0 - the reliable signal Dvash identifies, which lives in storage platform management interfaces, not Windows event logs or EDR telemetry. Pull the SIEM queries and NDR rule from the GhostLock whitepaper as a detection template. Limit which domain user accounts have read or write access to critical shares.