{"id":6859,"date":"2026-02-05T12:08:41","date_gmt":"2026-02-05T12:08:41","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6859"},"modified":"2026-02-05T12:08:41","modified_gmt":"2026-02-05T12:08:41","slug":"attackers-exploit-decade%e2%80%91old-windows-driver-flaw-to-shut-down-modern-edr-defenses","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6859","title":{"rendered":"Attackers exploit decade\u2011old Windows driver flaw to shut down modern EDR defenses"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In a recent incident, attackers abused a legitimate but vulnerable Windows kernel driver to shut down endpoint security tools during an ongoing incident response.<\/p>\n<p>According to a Huntress report, the activity was observed during a customer investigation in early 2026 and involved the use of an old EnCase forensic driver (by Guidance Software) as part of the Bring Your Own Vulnerable Driver (<a href=\"https:\/\/www.csoonline.com\/article\/3600750\/infostealers-are-using-byovd-to-steal-critical-system-data.html\" target=\"_blank\" rel=\"noopener\">BYOVD<\/a>) technique to terminate Endpoint Detection and Response (<a href=\"https:\/\/www.csoonline.com\/article\/568045\/what-is-edr-endpoint-detection-and-response.html\" target=\"_blank\" rel=\"noopener\">EDR<\/a>) processes from kernel mode.<\/p>\n<p>The intrusion began with compromised SonicWall SSL VPN credentials, after which the attacker conducted internal reconnaissance and deployed a custom \u201cEDR killer\u201d binary.<\/p>\n<p>\u201cThe attack was disrupted before ransomware deployment, but the case highlights a growing trend: threat actors weaponizing signed, legitimate drivers to blind endpoint security,\u201d Huntress researchers said in a blog post. 
\u201cThe EnCase driver\u2019s certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit.\u201d<\/p>\n<p>Microsoft did not immediately respond to CSO\u2019s request for comments.<\/p>\n<h2 class=\"wp-block-heading\">The BYOVD abuse<\/h2>\n<p>According to the researchers, the attack relied on a common technique: abusing a legitimately signed driver that already runs with kernel-level privileges. Loading it gave the attackers a high-privilege foothold in the kernel, enough to terminate almost any process they chose, including security tooling.<\/p>\n<p>Windows\u2019 Driver Signature Enforcement, the policy requiring every kernel-mode driver to be digitally signed under a trusted Certificate Authority (CA), does not consult certificate revocation lists when a driver is loaded. The researchers described this as legacy behavior that remains exploitable because of a backward-compatibility exception introduced years ago: drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed CA are still accepted.<\/p>\n<p>The EnCase driver carries a timestamp from a VeriSign timestamping service, which the signature check still considers valid. \u201cWhen code is signed with a timestamp, Windows validates the signature against the time the signature was created, not the current date,\u201d the researchers noted. 
\u201cBecause the driver was timestamped while the certificate was still valid (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/install\/deprecation-of-software-publisher-certificates-and-commercial-release-certificates\" target=\"_blank\" rel=\"noopener\">before January 31, 2010<\/a>), the signature remains valid indefinitely, even though the certificate has since expired.\u201d<\/p>\n<p>Once loaded, the driver exposes an IOCTL interface through which the malware can terminate arbitrary processes with kernel privileges. Because the termination happens in kernel mode, it is not subject to the Protected Process Light (PPL) restrictions that stop user-mode code from tampering with EDR processes, the protection most EDR agents rely on.<\/p>\n<h2 class=\"wp-block-heading\">The kill list excluded Huntress<\/h2>\n<p>The EDR killer binary used in the Huntress-observed attack packed a 64-bit Windows executable together with a custom-encoded kernel driver payload, which it decoded to disk as OemHwUpd.sys and installed as a kernel-mode service. Because Windows still honors the driver\u2019s cryptographic signature, the attackers were able to load it.<\/p>\n<p>With the vulnerable driver in place, the EDR killer compared running processes against an embedded list of 59 well-known security tool process names, stored as hashes, and re-checked for them continuously. \u201cThe kill loop runs continuously with a 1-second sleep interval, ensuring any security process that restarts is immediately terminated again,\u201d the researchers said.<\/p>\n<p>Incidentally, Huntress said it wasn\u2019t on the kill list. \u201cWhile the EDR killer targets nearly every major EDR and AV vendor on the market, the Huntress agent was not among the 59 processes targeted for termination,\u201d it added. 
Once the driver was written to disk, the binary established persistence by registering it as a Windows kernel service.<\/p>\n<p>Huntress recommended enabling Microsoft\u2019s Vulnerable Driver Blocklist on all supported Windows systems to prevent known abused drivers from loading. The researchers also advised enforcing strong access controls on remote access services, including MFA for VPNs such as SonicWall, and closely monitoring for suspicious driver installation activity. Where possible, organizations are also encouraged to enable virtualization-based security features like Hypervisor-protected Code Integrity (HVCI) to further restrict kernel-mode abuse.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a recent incident, attackers abused a legitimate but vulnerable Windows kernel driver to shut down endpoint security tools during an ongoing incident response. According to a Huntress report, the activity was observed during a customer investigation in early 2026 and involved the use of an old EnCase forensic driver (by Guidance Software) as part 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6860,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6859","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6859"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6859"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6859\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6860"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
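The PowerShell triage script below is an added example for the signature-timestamp explanation and the mitigation section of the article above; it is not code from the Huntress report or from CSO. It checks the three conditions the article turns on: whether a given .sys file is signed by an already-expired certificate but still reports a valid, timestamped signature (Get-AuthenticodeSignature exposes the signer and timestamper certificates separately), whether Microsoft's Vulnerable Driver Blocklist and HVCI are enabled on the host, and which kernel-mode driver services were installed recently (Service Control Manager event 7045 in the System log, which fires when the killer registers its driver as a service). The driver path and the seven-day lookback window are assumptions for illustration.

```powershell
# Added example, not from the Huntress report or the CSO article.
# Triage checks for the BYOVD conditions described in the article.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.
# Assumptions (for illustration only): the driver path and the 7-day lookback window.
$DriverPath   = 'C:\Windows\System32\drivers\OemHwUpd.sys'
$LookbackDays = 7

function Get-DriverSignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Get-AuthenticodeSignature reports the signer and the timestamper
    # certificates separately. A signer whose NotAfter is in the past while
    # Status is still Valid is exactly the timestamp situation the article
    # describes. Caveat: this is the user-mode WinVerifyTrust verdict; the
    # kernel loader applies its own policy and performs no online CRL lookup.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $tsa    = $sig.TimeStamperCertificate
    [pscustomobject]@{
        File           = $Path
        Status         = $sig.Status
        StatusMessage  = $sig.StatusMessage
        Signer         = $(if ($signer) { $signer.Subject } else { $null })
        SignerNotAfter = $(if ($signer) { $signer.NotAfter } else { $null })
        SignerExpired  = $(if ($signer) { $signer.NotAfter -lt (Get-Date) } else { $null })
        Timestamper    = $(if ($tsa) { $tsa.Subject } else { $null })
        IsTimestamped  = [bool]$tsa
    }
}

function Get-KernelProtectionState {
    # Vulnerable Driver Blocklist: HKLM\SYSTEM\CurrentControlSet\Control\CI\Config
    # VulnerableDriverBlocklistEnable = 1 means the blocklist is enforced. It is on
    # by default on Windows 11 22H2 and later and may be absent or 0 on older builds.
    $ciPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciPath -Name VulnerableDriverBlocklistEnable `
                    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running
    # (1 is Credential Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklistEnabled = ($blocklist -eq 1)
        HvciRunning                      = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
        VbsStatus                        = $(if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { $null })
    }
}

function Get-RecentKernelDriverInstalls {
    param([int]$Days = 7)
    # Event 7045 (Service Control Manager) is logged whenever a service is
    # installed, including the kernel-mode service created for a dropped driver.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            ServiceType = $data['ServiceType']
            StartType   = $data['StartType']
            Account     = $data['AccountName']
        }
    } | Where-Object { $_.ServiceType -like '*kernel*' }
}

if (Test-Path -LiteralPath $DriverPath) {
    Get-DriverSignatureSummary -Path $DriverPath | Format-List
} else {
    Write-Host "Driver not present at $DriverPath (expected on a clean host)."
}
Get-KernelProtectionState | Format-List
# Review every row: a freshly installed kernel driver outside the expected vendor
# set, registered shortly after a remote-access logon, is the pattern the article
# describes.
Get-RecentKernelDriverInstalls -Days $LookbackDays | Sort-Object Time | Format-Table -AutoSize
```

The signature summary is deliberately descriptive rather than a verdict: Get-AuthenticodeSignature may report Valid for an expired, timestamped signer, and the kernel's own load decision can differ from it, so the useful signals for an analyst are SignerExpired together with IsTimestamped, not Status alone. The protection-state check tells you whether the two mitigations the article recommends are actually in force on the host, and the 7045 sweep is the cheapest place to spot a driver-service installation in the absence of Sysmon driver-load telemetry.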