
Forensic Tool’s Signed Driver Exploited as EDR Killer

Summary

– Hackers used a custom EDR killer tool that abused an old, revoked EnCase kernel driver to detect and disable 59 different security software processes on a target system.
– The attackers initially breached the network by exploiting compromised VPN credentials and a lack of multi-factor authentication (MFA) on the VPN account.
– The malicious driver, signed with a 2006 certificate, was accepted by Windows because its Driver Signature Enforcement does not check Certificate Revocation Lists (CRLs).
– The EDR killer established persistent, reboot-resistant access by installing the driver as a fake OEM service and used it to bypass protections like PPL to terminate processes.
– Key defenses recommended include enabling MFA on all remote access, monitoring for suspicious VPN activity, and using HVCI/WDAC to block vulnerable drivers.

Cybersecurity researchers have uncovered a sophisticated attack where hackers are exploiting a revoked but still functional driver from a legitimate forensic software suite to disable endpoint security tools. This malicious utility, known as an EDR killer, is designed to bypass or deactivate endpoint detection and response (EDR) and antivirus software. The attackers achieved this by leveraging a decades-old kernel driver from the EnCase forensic tool, which retains its validity on Windows systems despite its certificate being expired and revoked. This incident underscores the persistent threat of Bring Your Own Vulnerable Driver (BYOVD) techniques, where attackers use signed but flawed drivers to gain deep system access.

The investigation began when security analysts responded to a breach where the perpetrators gained initial access through compromised credentials for a SonicWall SSL VPN. The targeted organization had not enabled multi-factor authentication for this critical remote access point, allowing the attackers to enter the network unimpeded. Once inside, they conducted extensive internal reconnaissance, using methods like ICMP ping sweeps and high-volume SYN flooding to map the environment and identify valuable targets.

The core of this intrusion was a custom-built EDR killer disguised as a firmware update tool. This malicious executable abuses an old EnCase kernel driver file named ‘EnPortv.sys’. The driver’s digital certificate was issued in 2006 and expired in 2010, with the issuing authority later revoking it. However, Windows Driver Signature Enforcement does not actively check Certificate Revocation Lists (CRLs) during validation. Instead, it relies on verifying cryptographic signatures and timestamps. Consequently, the operating system continues to accept the outdated, revoked certificate as legitimate.

Furthermore, while Microsoft later mandated that kernel drivers for Windows 10 must be signed through its Hardware Dev Center, an important exception exists. Certificates issued before July 29, 2015, are grandfathered in, which applies to the driver used in this attack. The malware installs this driver and registers it as a fake OEM hardware service, creating a persistence mechanism that survives system reboots.
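The two signing properties described above (a signer certificate that is expired or revoked, and one issued before the 29 July 2015 cut-off) are exactly what a defender can inventory on a host, because Driver Signature Enforcement will not do it for them. The following PowerShell script is an added example, not code from the article or from BleepingComputer: it enumerates every registered kernel driver, resolves its image path, reads the Authenticode signer, performs its own online revocation check, and flags the driver when any of those properties match. The 2015-07-29 date comes from the article; the "expected driver directory" heuristic and the flag names are this script's own assumptions.

```powershell
# Added example: inventory kernel drivers and flag signing properties that
# Driver Signature Enforcement ignores. Run from an elevated PowerShell prompt.
# The 2015-07-29 cut-off is from the article; the directory heuristic is an assumption.

$Cutoff = [datetime]'2015-07-29'            # certificates issued before this are grandfathered
$Now    = Get-Date
$DrvDir = Join-Path $env:SystemRoot 'System32\drivers'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a file path.
    $p = $PathName -replace '^\\\?\?\\', ''                    # "\??\C:\..."
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot          # "\SystemRoot\System32\..."
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # "system32\drivers\x.sys"
    return $p
}

function Test-SignerRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # DSE does not consult CRLs, so build the chain ourselves with online revocation
    # checking. Expiry is ignored here on purpose so that revocation is still evaluated.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $null = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
    if ($status -match 'Revoked')                                  { return 'Revoked' }
    if ($status -match 'RevocationStatusUnknown|OfflineRevocation') { return 'Unknown' }   # CRL gone or unreachable
    return 'NotRevoked'
}

function Get-SuspiciousDrivers {
    foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $svc.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -FilePath $path     # catalog-signed files are handled too
        $cert    = $sig.SignerCertificate
        $reasons = @()

        if ($sig.Status -ne 'Valid')                { $reasons += "signature:$($sig.Status)" }
        if ($cert -and $cert.NotAfter  -lt $Now)    { $reasons += "cert-expired:$($cert.NotAfter.ToString('yyyy-MM-dd'))" }
        if ($cert -and $cert.NotBefore -lt $Cutoff) { $reasons += "pre-2015-cert:$($cert.NotBefore.ToString('yyyy-MM-dd'))" }
        if ($cert) {
            $rev = Test-SignerRevocation $cert
            if ($rev -ne 'NotRevoked')              { $reasons += "revocation:$rev" }
        }
        if ($path -notlike "$DrvDir\*")             { $reasons += 'outside-drivers-dir' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service = $svc.Name
                Display = $svc.DisplayName
                State   = $svc.State
                Path    = $path
                Signer  = if ($cert) { $cert.Subject } else { '(unsigned)' }
                SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Reasons = $reasons -join '; '
            }
        }
    }
}

Get-SuspiciousDrivers | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Expect noise: many legitimate in-box and OEM drivers carry timestamped signatures whose certificates have since expired, so `cert-expired` on its own is a prioritisation signal rather than a verdict. The combinations worth a closer look are a pre-2015 certificate together with `revocation:Revoked` or `revocation:Unknown`, a running driver loaded from outside the drivers directory, or a display name that suggests OEM or firmware hardware while the signer is unrelated to that vendor. The SHA256 column is there for cross-referencing against your own allowlist or threat intelligence.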

With the driver in place at the kernel level, the EDR killer uses its input/output control (IOCTL) interface to carry out its primary function. It systematically terminates processes associated with security software, cleverly bypassing protections like Protected Process Light (PPL). The tool maintains a target list of 59 distinct processes related to various EDR and antivirus products. It runs a continuous kill loop, checking every second to immediately terminate any of these processes if they are restarted, effectively crippling the host’s defenses.

Although the final stage of the attack was interrupted, evidence strongly suggests the end goal was ransomware deployment. To defend against similar threats, experts emphasize several critical measures. Enabling multi-factor authentication on all remote access services is a fundamental first step. Organizations should also rigorously monitor VPN logs for unusual activity and enable security features like Hypervisor-Protected Code Integrity (HVCI) or Memory Integrity to enforce Microsoft’s vulnerable driver blocklist.

Additional recommendations include vigilant monitoring for kernel services that may be masquerading as OEM or hardware components. Deploying Windows Defender Application Control (WDAC) policies and Attack Surface Reduction (ASR) rules can also help block known vulnerable signed drivers, adding crucial layers of defense against these increasingly common BYOVD attacks.
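The recommendations above translate into a short posture check: is HVCI actually running, is Microsoft's vulnerable driver blocklist enforced, and which kernel-mode services were installed recently and from where. The PowerShell below is an added example rather than code from the article or from any vendor. It reads the `Win32_DeviceGuard` WMI class (where security-service value 2 denotes HVCI), the `VulnerableDriverBlocklistEnable` code-integrity registry value, and Service Control Manager event 7045 ("a service was installed"), filtering for kernel-mode drivers whose image lives outside the usual drivers directory. The 30-day window and the directory heuristic are this script's own assumptions.

```powershell
# Added example: mitigation posture check plus a look-back for recently installed
# kernel drivers. Run from an elevated PowerShell prompt.

$DrvDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-HvciState {
    # SecurityServicesConfigured/Running are arrays of service ids; 2 = HVCI (Memory Integrity).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    return [pscustomobject]@{
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)
    }
}

function Get-BlocklistState {
    # The blocklist is enforced when HVCI is on, or on its own when this CI value is 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    return [bool]($v -eq 1)
}

function Get-RecentKernelDriverInstalls {
    param([int]$Days = 30)   # look-back window is an assumption
    # Event 7045 is raised for every new service, including kernel-mode drivers.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # ServiceName, ImagePath, ServiceType, StartType, AccountName
        if ($d.ServiceType -notmatch 'kernel') { continue }

        $img = ($d.ImagePath -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Service    = $d.ServiceName
            ImagePath  = $img
            StartType  = $d.StartType
            Account    = $d.AccountName
            OutsideDrv = ($img -notlike "$DrvDir\*")      # unusual location: worth a look
            FileExists = (Test-Path -LiteralPath $img)    # installed then deleted is also worth a look
        }
    }
}

$hvci = Get-HvciState
Write-Host ("HVCI configured: {0}  running: {1}" -f $hvci.HvciConfigured, $hvci.HvciRunning)
Write-Host ("Vulnerable driver blocklist registry switch: {0}" -f (Get-BlocklistState))
Write-Host ''
Write-Host 'Kernel-mode driver installs in the look-back window:'
Get-RecentKernelDriverInstalls |
    Sort-Object Time -Descending |
    Format-Table Time, Service, StartType, OutsideDrv, FileExists, ImagePath -AutoSize -Wrap
```

A boot-start driver (`StartType` of "boot start" or "system start") registered outside the drivers directory, installed by an interactive account rather than an installer service, is the shape of the persistence described in the article. Feeding the 7045 query into a scheduled job or SIEM rule, rather than running it by hand, is what turns it from a one-off check into the monitoring the recommendations call for.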

(Source: Bleeping Computer)
