Attackers abused a signed but long-revoked EnCase Windows kernel driver in a BYOVD attack to terminate all security tools.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Attackers exploited a legitimate but vulnerable EnCase forensic driver from 2010 in a BYOVD (Bring Your Own Vulnerable Driver) attack to terminate EDR security tools. The attack began with compromised SonicWall VPN credentials and deployed a custom EDR killer binary that loaded the signed driver to gain kernel-level access. Windows still loads the driver despite its expired and revoked certificate due to legacy timestamp validation behavior. The malware targeted 59 security processes, continuously terminating them to blind endpoint defenses. Huntress recommends enabling Microsoft's Vulnerable Driver Blocklist, enforcing MFA on remote access, and implementing HVCI to prevent similar attacks.

Attackers exploit decade‑old Windows driver flaw to shut down modern EDR defenses