EnCase Driver Weaponized as EDR Killers Persist

Summary

Researchers at Huntress analysed an intrusion in which threat actors weaponised an old EnCase Windows kernel driver to terminate security products across a network. Although the driver’s signing certificate expired and was revoked in 2010, Windows still allowed it to load due to legacy signing exceptions and the lack of runtime certificate revocation checks. The attacker bundled the driver into a disguised executable, used a wordlist substitution cipher for obfuscation, and targeted dozens of EDR/antivirus processes. Huntress disrupted the attack before ransomware was deployed and published mitigation guidance.

Key Points

  • Threat actors used a bring-your-own-vulnerable-driver (BYOVD) technique, weaponising EnCase’s kernel driver to kill EDR agents.
  • The EnCase driver’s signing certificate expired in 2010 and was revoked, yet Windows still loads pre-2015-signed drivers for compatibility.
  • Windows does not perform certificate revocation checks for drivers during early boot, creating an exploitable gap.
  • The attacker obfuscated the driver with a custom wordlist substitution cipher to evade static analysis.
  • The binary contained a list of 59 targeted security processes (major vendors), though Huntress’s agent was not targeted.
  • Detection was achieved through Huntress EDR and SIEM correlation, which tied the activity to stolen SonicWall VPN credentials; the absence of MFA on the VPN aided initial access.
  • Recommended mitigations: enforce MFA on VPNs, review VPN logs, implement Microsoft-recommended driver block rules via WDAC, and enable HVCI.

Content Summary

The intrusion began with compromised SonicWall SSL VPN credentials. The attacker deployed a 64-bit executable masquerading as a firmware update; it carried the EnCase kernel driver and used an English-word substitution cipher to hide the payload. Once loaded, the driver attempted to terminate numerous security processes — a classic EDR-killer move — exploiting Windows’ exception that allows drivers signed before 29 July 2015 to load without modern vetting. Huntress detected the activity, halted the attack before ransomware deployment, and dissected the tool and attack chain.

Huntress highlighted meaningful limitations in Driver Signature Enforcement: the practical need to avoid early-boot CRL checks and Microsoft’s backward-compatibility policy together leave a persistent avenue for attackers. They also noted attackers may forge timestamps on malicious drivers to appear pre-2015-signed. Suggested defensive measures include applying Microsoft’s driver block rules via WDAC, enabling Hypervisor-protected Code Integrity (HVCI), and considering post-boot or cached CRL validation approaches where feasible.
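As an added illustration, not code from the Huntress analysis or the Dark Reading article, the following PowerShell audit reports the HVCI and WDAC enforcement state and lists running third-party drivers whose signing certificate has already expired, alongside the certificate chain's revocation flags. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 with network access for CRL retrieval.

```powershell
# Added audit script; assumes elevated PowerShell 5.1+ on Windows 10/11 (not from the write-up).

function Get-HvciStatus {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active;
    # CodeIntegrityPolicyEnforcementStatus is 0 = off, 1 = audit, 2 = enforced for the WDAC policy.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning           = [bool]($dg.SecurityServicesRunning -contains 2)
        WdacEnforcementStatus = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Test-SignerRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online CRL/OCSP checking but ignore validity dates, so an expired
    # certificate reports its revocation status instead of failing only for being out of date.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode     = 'Online'
    $chain.ChainPolicy.VerificationFlags  = 'IgnoreNotTimeValid'
    [void]$chain.Build($Cert)
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()
    return $flags   # e.g. 'Revoked', 'RevocationStatusUnknown,OfflineRevocation', or '' when clean
}

function Find-SuspectDrivers {
    $now = Get-Date
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            if (-not $cert -or $sig.IsOSBinary) { return }   # third-party drivers only
            # An expired signer certificate is normal for timestamped signatures; the case the
            # write-up describes is expired AND revoked, so expiry is reported with the chain flags.
            if ($cert.NotAfter -lt $now) {
                [pscustomobject]@{
                    Driver      = $_.Name
                    Path        = $path
                    Signer      = $cert.Subject
                    CertExpired = $cert.NotAfter
                    ChainFlags  = Test-SignerRevoked -Cert $cert
                }
            }
        }
}

Get-HvciStatus
Find-SuspectDrivers | Format-Table -AutoSize
```

Entries whose ChainFlags contain Revoked, or RevocationStatusUnknown for a long-expired certificate, are the ones to review; the script is a triage aid, not a replacement for the WDAC block rules and HVCI the article recommends.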

Context and Relevance

This story sits squarely in an ongoing trend: adversaries increasingly leverage legitimate or legacy-signed drivers to bypass endpoint defences. The piece matters to organisations that rely on EDR and legacy drivers because it shows a practical exploitation path that avoids submitting drivers to Microsoft and evades static scanning through novel obfuscation. It also reinforces that VPN credential hygiene (MFA, log monitoring) and platform-level controls (WDAC, HVCI) are essential layers in modern defence-in-depth.

Why should I read this

Short version: if you look after endpoints, VPNs, or incident response, read it now. It’s a neat checklist of why legacy drivers are dangerous, how attackers hide payloads, and what straightforward fixes (MFA, WDAC, HVCI) actually help. Saves you the time of digging through the Huntress blog yourself and gives practical steps to reduce risk.

Source

Source: https://www.darkreading.com/threat-intelligence/encase-driver-weaponized-edr-killers-persist