Why a decade-old EnCase driver still works as an EDR killer

Attackers are leaning on a new EDR killer malware that can shut down 59 widely used endpoint security products by misusing a kernel driver that once shipped with Guidance Software’s EnCase digital forensics tool, Huntress researchers warn.

This particular driver is legitimate, but its certificate expired and was revoked more than ten years ago. Even so, Windows still allows it to load.

The attack

Huntress’ security experts spotted this intrusion earlier this month, and discovered that the attackers:

  • Gained access to the victim organization’s network by successfully authenticating to the SonicWall SSLVPN with previously compromised credentials
  • Performed network reconnaissance
  • Loaded the EDR killer, with the vulnerable kernel driver embedded in it

The embedded driver is obfuscated with a custom encoding scheme so that security solutions do not recognize it on disk.

After decoding the driver, the malware writes it to disk under a path that looks like a legitimate OEM component, hides the file, and copies timestamps from a real system file so it blends in. It then registers the driver as a Windows kernel service to ensure it loads on every reboot.

“Once loaded, the driver exposes an IOCTL interface that allows usermode processes to terminate arbitrary processes directly from kernel mode. This bypasses all usermode protections, including Protected Process Light (PPL) that typically guards critical system processes and EDR agents,” the researchers explained.

Why BYOVD still works on modern Windows systems

The Bring Your Own Vulnerable Driver (BYOVD) technique is a way for attackers to gain deep system access by abusing trusted but flawed Windows drivers. Instead of writing their own malicious driver, they bring along a legitimate one that was originally created by a hardware vendor or software company.

Once the vulnerable driver is running in the kernel, attackers can use its bugs or exposed functions to, for example, kill security processes, disable protections, or read and write directly to memory.

Defenders have known about BYOVD for years, but stopping it at scale is difficult.

Windows’ Driver Signature Enforcement (DSE) feature is good at spotting unsigned or tampered kernel drivers, but the kernel does not check Certificate Revocation Lists.

“This limitation exists for practical reasons: drivers load early in the boot process before network services are available, and CRL checks would significantly impact boot performance. Even when a CRL is manually imported into local certificate storage, the kernel bypasses this check entirely,” the researchers explained.

Instead, Microsoft maintains and continually updates the Vulnerable Driver Blocklist, which comes with an obvious drawback: only known-bad drivers are on it, so attackers have a window of opportunity until the driver they use ends up on the list.

In addition to all this, Microsoft allows for exceptions to maintain backward compatibility.

“Drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed certificate authority are still permitted to load,” the researchers noted.

“The EnCase driver’s certificate was issued on December 15, 2006, well before this cutoff.”

Blocking vulnerable drivers

Huntress believes that the attackers’ ultimate goal was to deploy ransomware on the target organization’s computers, but the attack was thwarted in the preparation stage.

They advise organizations to enable multi-factor authentication on all remote access services and review VPN logs for suspicious activity.

Defenders should also turn on Memory Integrity so that Microsoft’s Vulnerable Driver Blocklist is enforced, monitor for suspicious services that mimic legitimate hardware components, and use Windows Defender Application Control and Attack Surface Reduction rules to prevent known vulnerable drivers from being loaded and exploited.
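A defender-side check for the mitigations above, added here as an example and not part of the Huntress write-up: it confirms whether Memory Integrity (HVCI) is actually running, then inventories kernel driver services and flags the traits the article describes (expired or invalid signing certificate, hidden file, binary outside the normal drivers directory). It assumes an elevated PowerShell session on Windows 10/11 and uses only built-in cmdlets.

```powershell
# Added example (not Huntress tooling). Assumes an elevated session on
# Windows 10/11; Win32_DeviceGuard and Win32_SystemDriver are built-in classes.

# 1. Is Memory Integrity (HVCI) running? Without it the Vulnerable Driver
#    Blocklist is not enforced. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
Write-Host ("Memory Integrity (HVCI) running: {0}" -f $hvciRunning)

# 2. Inventory kernel driver services and flag suspicious traits.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $svc.PathName) { continue }
    # PathName may be \??\C:\..., \SystemRoot\..., or relative to %SystemRoot%
    $path = $svc.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $file = Get-Item -LiteralPath $path -Force          # -Force so hidden files are returned
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    # An expired signer cert is common on timestamped Microsoft drivers; on its own it is
    # low signal, so weigh it together with the other traits below.
    if ($sig.SignerCertificate -and $sig.SignerCertificate.NotAfter -lt (Get-Date)) {
        $reasons += "signer cert expired $($sig.SignerCertificate.NotAfter.ToShortDateString())"
    }
    if ($file.Attributes -band [IO.FileAttributes]::Hidden) { $reasons += 'hidden file' }
    if (-not $path.StartsWith($driversDir, 'OrdinalIgnoreCase')) { $reasons += 'outside System32\drivers' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service   = $svc.Name
            StartMode = $svc.StartMode
            Path      = $path
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Reasons   = ($reasons -join '; ')
        }
    }
}
$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Entries that combine several reasons (for example a hidden file outside the drivers directory whose signer certificate is long expired) are the ones to triage first; a single expired-cert hit on a Microsoft-signed driver in the usual location is normal.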
