
EDR killer tool uses signed kernel driver from forensic software


Hackers are abusing a legitimate but long-revoked EnCase kernel driver in an EDR killer that can detect 59 security tools in attempts to deactivate them.

An EDR killer is a malicious tool created specifically to bypass or disable endpoint detection and response (EDR) tools, along with other security solutions. They typically use vulnerable drivers to unhook the protections on the system.

Usually, attackers rely on the ‘Bring Your Own Vulnerable Driver’ (BYOVD) technique, where they introduce a legitimate but vulnerable driver and use it to gain kernel-level access and terminate security software processes.

The technique is well-documented and very popular, but despite Microsoft introducing various defenses over the years, Windows systems are still vulnerable to effective bypasses.

EnCase is a digital investigation tool used in law enforcement forensic operations that enables extracting and analyzing data from computers, mobile devices, or cloud storage.

Huntress researchers responding to a cybersecurity incident earlier this month noticed the deployment of a custom EDR killer that was disguised as a legitimate firmware update utility and used an old kernel driver.

The attackers breached the network using compromised SonicWall SSL VPN credentials and exploiting the lack of multi-factor authentication (MFA) for the VPN account.

After logging in, the attackers performed aggressive internal reconnaissance, including ICMP ping sweeps, NetBIOS name probes, SMB-related activity, and SYN flooding exceeding 370 SYNs/sec.

The EDR killer used in this case is a 64-bit executable that abuses ‘EnPortv.sys,’ an old EnCase kernel driver, to disable security tools running on the host system.

The driver's certificate was issued in 2006, expired in 2010, and was subsequently revoked; however, because the Driver Signature Enforcement system on Windows works by validating cryptographic verification results and timestamps, rather than checking Certificate Revocation Lists (CRLs), the operating system still accepts the old certificate.
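One defensive check that follows from this: because driver loading does not consult revocation, a host audit has to look for the stale signer itself. The script below is an added example, not code from the article or from Huntress; it enumerates running kernel drivers, flags any whose file name is on a watchlist (seeded only with EnPortv.sys from the article) or whose signing certificate expired more than five years ago, and reports whether Microsoft's vulnerable driver blocklist is enabled. The staleness threshold and the watchlist are assumptions to tune for your own environment.

```powershell
# Added example (not from the article): audit running kernel drivers for
# signers whose certificate expired long ago, as with the 2006-era EnCase
# driver described above. Run in an elevated PowerShell session.

# Driver file names known to be abused by EDR killers. EnPortv.sys comes from
# the article; extend this from your own threat intelligence (Microsoft's
# vulnerable driver blocklist, LOLDrivers, etc.).
$watchlist = @('EnPortv.sys')

# Assumed threshold: flag signers whose certificate expired this long ago.
$staleYears = 5

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

foreach ($drv in $drivers) {
    # PathName may carry a \??\ or \SystemRoot\ prefix; normalise to a file path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate
    $findings = @()

    if ($watchlist -contains (Split-Path -Leaf $path)) {
        $findings += 'name on watchlist'
    }
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status $($sig.Status)"
    }
    if ($cert -and $cert.NotAfter -lt (Get-Date).AddYears(-$staleYears)) {
        # An expired signer is still accepted at load time when the signature
        # was timestamped inside the certificate's validity window, so age of
        # the signer is worth surfacing even though the status reads Valid.
        $findings += "signer expired $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Driver   = $drv.Name
            Path     = $path
            Signer   = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Findings = ($findings -join '; ')
        }
    }
}

# Is Microsoft's vulnerable driver blocklist enforced? (1 = enabled; the value
# is absent on builds that do not expose the setting.)
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
"VulnerableDriverBlocklistEnable = $($ci.VulnerableDriverBlocklistEnable)"
```

Hits on the watchlist or on very old signers are triage leads, not verdicts; correlate them with the service that installed the driver and with the process-termination activity described above.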
