Cytool is a command-line interface (CLI) that is integrated into the Cortex XDR agent and enables you to query and manage both basic and advanced functions of the agent. Any changes you make using Cytool are active until the agent receives the next heartbeat communication from Cortex XDR.
On Windows endpoints, you can access Cytool using a Microsoft command prompt that you run as an administrator. Cytool is located in the C:\Program Files\Palo Alto Networks\Traps folder on the endpoint.
The following table displays the Cytool options available on Windows endpoints. Where an admin command requires a password, it is the same password that was defined as the Uninstall Password.
Since the Cortex XDR agent 7.6 release for Windows, the cyserver.exe process includes and replaces the previous CyveraService.exe, tlaservice.exe, and twdservice.exe high-privileged processes.
Adaptive policy agent commands
Initiate check-in to the server.
To verify the check-in, view the check-in time on the agent console.
Display EDR stats collected on the endpoint.
Use Endpoint Tags to identify groups of endpoints.
Where action can be:
Tags should be passed as one string, separated by commas, and with no spaces.
Enumerate protected processes.
If you change the action mode for protected processes in the Exploit Security Profile in Cortex XDR, you must restart the protected processes for the security policy to be enforced on those processes and their forked processes; only then will they appear on this list.
Perform event collection (EDR/DSE) operations.
Where <operation> can be:
Display information about a PE file (executable or DLL).
C:\Program Files\Palo Alto Networks\Traps> cytool image json.dll
Image Information
  Location:      json.dll
  Size:          176.98 KB (181224 bytes)
  File SHA256:   a46b8e1ad9a808fb09e7b79bd03b66a611d0c7aa71291c216be555af14d16421
  Architecture:  x86-64
  Subsystem:     Windows GUI
  PE Size:       156.00 KB (159744 bytes)
  PE SHA256:     8cbca46419bf7260c99aaa3c73a6944e97f5c5b053a8b88e9a17367439b08d7d
Prepare a golden image by submitting files for cloud analysis and generate a threats report.
C:\Program Files\Palo Alto Networks\Traps> cytool imageprep scan timeout 4 upload 60 path c:\report
  Start Time       : 17:56:46
  Elapsed Time     : 00:04:17
  State            : Running
  Scanned Files    : 5427
  Suspicious Files : 0
  Failed Files     : 9
  Volume Root Path : \\?\C:\
  Window Usage     : 0 236 20000
  Path             : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5
Scan completed successfully
Complete report can be found at: C:\report\imageprep_2019-03-06_08-59-30.xml
Display general Cortex XDR agent information.
Release endpoint from network isolation.
Display the time of the last successful check-in.
Set the log level for the desired process, or generate a support file archive.
<log_level>—An integer value corresponding to the log level:
Where <components> can be:
Stop or query payload execution status. Relates to Live Terminal and script execution.
The Cortex XDR agent stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database.
Where <action> can be:
To view a list of all local databases, use the
Query or compare the applied policy for a process.
Note: If an image name is specified, a new policy is generated as if the process were being created. If a process ID is specified, the system queries the effective policy for the running process.
To query the policy for future executions of notepad.exe:
C:\Program Files\Palo Alto Networks\Traps> cytool policy query notepad.exe
Enter supervisor password:
Generic
  Enable              0x00000001
  LongHooks           0x00000000
  StaticHooks         0x00000000
  NoCallSplitting     0x00000000
  InitSecurityCookie  0x00000000
  DontInjectThinApp   0x00000001
  LeanInjection       0x00000000
B01
  Enable              0x00000000
  BlockAPI            0x00000000
[...]
To compare the policy for future executions of notepad.exe to the default policy:
C:\Program Files\Palo Alto Networks\Traps> cytool policy compare notepad.exe default
Enter supervisor password:
Generic
  Enable              0x00000001  0x00000001
  LongHooks           0x00000000  0x00000000
  StaticHooks         0x00000000  0x00000000
  NoCallSplitting     0x00000000  0x00000000
  InitSecurityCookie  0x00000000  0x00000000
  DontInjectThinApp   0x00000001  0x00000001
  LeanInjection       0x00000000  0x00000000
B01
  Enable              0x00000000  0x00000000
  BlockAPI            0x00000000  0x00000000
[...]
Query the policy of the process with ID 1337.
Compare the policy for notepad.exe with the policy of the process with ID 1337.
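The query and compare output above is a list of modules (Generic, B01, ...) each with hex-valued feature flags. The following added example (not part of the Cortex XDR documentation or the agent) parses saved `cytool policy query` output into a dictionary, reports which modules have their Enable flag cleared, and diffs two captures the way `policy compare` does; both samples are constructed from the layout shown on this page, and the second one describes a hypothetical process.

```python
# Constructed sample modelled on the `cytool policy query notepad.exe` output
# shown on this page (subset of features, prompt and [...] lines included).
QUERY_NOTEPAD = """\
Enter supervisor password:
Generic
  Enable              0x00000001
  LongHooks           0x00000000
  DontInjectThinApp   0x00000001
  LeanInjection       0x00000000
B01
  Enable              0x00000000
  BlockAPI            0x00000000
[...]
"""

# Constructed second capture for a hypothetical process: Generic switched
# off and B01 switched on, so the comparison has something to report.
QUERY_OTHER = """\
Generic
  Enable              0x00000000
  LongHooks           0x00000000
  DontInjectThinApp   0x00000001
  LeanInjection       0x00000000
B01
  Enable              0x00000001
  BlockAPI            0x00000000
"""

def parse_policy(text):
    """Parse query output into {module: {feature: int}}; prompt and [...] are skipped."""
    policy, module = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) == 1 and not tok[0].startswith(("0x", "[")):
            module = tok[0]                      # module header, e.g. Generic or B01
            policy.setdefault(module, {})
        elif len(tok) == 2 and tok[1].startswith("0x") and module:
            policy[module][tok[0]] = int(tok[1], 16)
    return policy

def compare_policies(left, right):
    """Return [(module, feature, left_value, right_value)] for every differing flag."""
    diffs = []
    for module in sorted(set(left) | set(right)):
        lf, rf = left.get(module, {}), right.get(module, {})
        for feature in sorted(set(lf) | set(rf)):
            if lf.get(feature) != rf.get(feature):
                diffs.append((module, feature, lf.get(feature), rf.get(feature)))
    return diffs

def disabled_modules(policy):
    """Modules whose Enable flag is 0, i.e. protections not applied to the process."""
    return sorted(m for m, flags in policy.items() if flags.get("Enable") == 0)
```

Capture the real output with `cytool policy query <image> > file.txt` and feed the file contents to `parse_policy` to audit which exploit-protection modules are actually active for a given process.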
Enable or disable a protection feature.
Usage: cytool protect
To disable registry protection,
To enable all protection,
To set protection according to policy,
Any protection state change made by Cytool persists until the next reboot and is set according to the policy one hour after reboot.
Set or query cloud-defined proxies for the agent.
View and restore quarantined files.
Try reconnecting to the server if communication has been disabled, or force registration with a new distribution_id.
Stop or start product components.
C:\Program Files\Palo Alto Networks\Traps> cytool runtime stop cyserver cyverak
Enter supervisor password:
Service     State
cyverak     Stopped
cyvrmtgn    Running
cyvrfsfd    Running
cyserver    Stopped
C:\Program Files\Palo Alto Networks\Traps> cytool scan start
Enter supervisor password:
The operation completed successfully.

C:\Program Files\Palo Alto Networks\Traps> cytool scan query
Enter supervisor password:
  Start Time       : 9:09:0648
  Elapsed Time     : 00:00:51
  State            : Running
  Scanned Files    : 3944
  Suspicious Files : 0
  Failed Files     : 1
  Volume Root Path : \\?\C:\
  Window Usage     : 0 14 20000
  Path             : ...