In early February 2026, Huntress responded to a sophisticated intrusion where attackers gained initial access through compromised SonicWall SSLVPN credentials and then deployed a custom endpoint security disabling tool that abused a legitimate but revoked EnCase kernel-mode driver to terminate modern security products at the kernel level.
The case underscores the increasing prevalence of Bring Your Own Vulnerable Driver (BYOVD) tactics — where threat actors load outdated but signed drivers to bypass Windows driver signature enforcement and gain privileged kernel access.
Initial Access via Compromised SonicWall SSLVPN
Investigators used Huntress Managed SIEM to ingest SonicWall VPN telemetry, which proved critical in reconstructing the attacker’s activity:
- Logs contained a failed portal login from 193.160.216[.]221 followed one minute later by a successful SSLVPN client authentication from 69.10.60[.]250, indicating stolen or brute-forced credentials.
- The target account lacked permissions for portal access, suggesting the attacker circumvented restrictions by switching connection methods.
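The correlation the investigators performed by hand can be expressed as a small detection rule. The following is an added example, not Huntress tooling and not SonicWall's native log format: the log lines are constructed key=value records standing in for the portal-login and SSLVPN-client events described above (the two IPs are the ones reported; the account names and timestamps are made up). The rule flags an account whose failed login is followed within a short window by a successful login over a different connection method from a different source address.

```python
"""Correlate VPN authentication events to spot a connection-method switch.

Added example; the log format is constructed, not SonicWall's syslog schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Only the two source IPs come from the writeup.
SAMPLE_LOGS = [
    'time="2026-02-03 08:14:02" evt=portal_login result=fail user=jdoe src=193.160.216.221',
    'time="2026-02-03 08:15:01" evt=sslvpn_auth result=success user=jdoe src=69.10.60.250',
    'time="2026-02-03 08:20:11" evt=sslvpn_auth result=success user=asmith src=203.0.113.10',
    'time="2026-02-03 09:02:40" evt=portal_login result=fail user=asmith src=203.0.113.10',
    'time="2026-02-03 09:02:55" evt=portal_login result=success user=asmith src=203.0.113.10',
]


def parse(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def find_method_switch(lines, window=timedelta(minutes=5)):
    """Return (user, failed_event, success_event) tuples where a failed login
    is followed within `window` by a success that uses a different event type
    AND comes from a different source IP. A plain retry from the same address
    over the same method (a user mistyping a password) is not flagged."""
    by_user = defaultdict(list)
    for event in (parse(line) for line in lines):
        by_user[event["user"]].append(event)

    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for i, fail in enumerate(events):
            if fail["result"] != "fail":
                continue
            for ok in events[i + 1:]:
                if ok["time"] - fail["time"] > window:
                    break  # events are sorted, nothing later can be inside the window
                if (ok["result"] == "success"
                        and ok["evt"] != fail["evt"]
                        and ok["src"] != fail["src"]):
                    hits.append((user, fail, ok))
    return hits


if __name__ == "__main__":
    for user, fail, ok in find_method_switch(SAMPLE_LOGS):
        print(f"{user}: {fail['evt']} failed from {fail['src']}, "
              f"then {ok['evt']} succeeded from {ok['src']} "
              f"{(ok['time'] - fail['time']).seconds}s later")
```

In a real deployment the rule would run over the SIEM's normalised authentication events rather than raw lines, and the window and the "different source" condition are the knobs to tune against the organisation's remote-access patterns.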
Once inside, the attackers conducted aggressive reconnaissance, including:
- ICMP ping sweeps
- NetBIOS name queries
- SMB-targeted probes
- SYN flood activity exceeding 370 SYNs per second — a sign of systematic network mapping.
EDR Killer Execution — BYOVD Technique Leveraging EnCase Forensic Driver
What the EDR Killer Is
The core component of the attacker’s toolkit was a 64-bit Windows executable masquerading as a legitimate firmware update utility that dropped a kernel-mode driver, abused it to kill security tools, and established persistent access on the endpoint.
This technique is a classic example of Bring Your Own Vulnerable Driver (BYOVD):
- Attackers ship a vulnerable or outdated signed driver.
- Windows loads it because the cryptographic signature is still accepted despite being revoked — a byproduct of how Windows handles timestamp verification and driver signature enforcement.
Driver Abuse Details
The executable carries a wordlist-encoded kernel driver, decodes it into its native binary, and writes it to disk as: C:\ProgramData\OEM\Firmware\OemHwUpd.sys
This driver is then registered as a kernel-mode service:
- Service Name: OemHwUpd
- Display Name: OEM Hardware HAL Service
- Type: Kernel Driver
- Start Type: Demand Start
Why Windows Loads the Revoked Driver
The driver in question originated from Guidance Software’s EnCase forensic suite and was signed long ago:
- Its certificate was issued in 2006 and expired in 2010, then revoked.
- Windows still loads such drivers because Kernel-mode Driver Signature Enforcement does not check Certificate Revocation Lists (CRLs) — only timestamped signature validity.
This lenient verification lets attackers load the driver into kernel memory despite its revoked status, the core weakness that BYOVD attacks exploit.
Encoding and Anti-Analysis Techniques
Wordlist-Encoded Driver Payload
Rather than embedding a raw binary blob, the malware authors employed an unusual obfuscation tactic:
- A 256-word dictionary maps English words to byte values — e.g., “about”→0x00, “block”→0x4D (the ASCII value for “M”), etc.
- The encoded driver payload appears as thousands of space-separated English words stored in the executable’s data section.
- A decoding routine resolves the dictionary into the proper byte sequence, resulting in a valid Windows Portable Executable (PE) file with the classic “MZ” header.
This technique helps evade both static detection and conventional entropy-based analysis because:
- It avoids suspicious API names or signatures in plaintext.
- The encoded blob shows low entropy — often below thresholds that trigger detection of encrypted or compressed content.
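To make the encoding scheme and its effect on entropy concrete, here is an added example; it is not the malware's code and does not use its dictionary. The 256-word dictionary is constructed from two-syllable pseudo-words, with only the two mappings quoted above ("about" to 0x00, "block" to 0x4D) taken from the article. The sample "driver" is random bytes behind an MZ header. The block encodes, decodes, compares the Shannon entropy of both forms, and shows a simple heuristic that catches the encoded form where an entropy threshold would not.

```python
"""Wordlist-encoded payloads: decode, measure entropy, detect.

Added example. Dictionary and sample bytes are constructed placeholders.
"""
import math
import random
from collections import Counter

SYLLABLES = ["ba", "ko", "mi", "ru", "te", "no", "sa", "li",
             "ve", "do", "pa", "fu", "ge", "hi", "lo", "wa"]
# 16 x 16 syllable pairs give 256 distinct placeholder words, one per byte value.
WORDS = [a + b for a in SYLLABLES for b in SYLLABLES]
WORDS[0x00] = "about"   # mapping quoted in the writeup
WORDS[0x4D] = "block"   # mapping quoted in the writeup; 0x4D is ASCII 'M'
assert len(set(WORDS)) == 256
WORD_TO_BYTE = {word: value for value, word in enumerate(WORDS)}


def encode(data: bytes) -> str:
    """Map every byte to its dictionary word, space separated."""
    return " ".join(WORDS[b] for b in data)


def decode(text: str) -> bytes:
    """Reverse the mapping. Unknown words raise KeyError rather than being skipped,
    so a corrupt or partial blob is not silently accepted."""
    return bytes(WORD_TO_BYTE[word] for word in text.split())


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling reached by uniformly random data."""
    counts = Counter(buf)
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_wordlist_encoded(text: str, min_words: int = 2000, max_vocab: int = 300) -> bool:
    """Heuristic: a very long run of short lower-case alphabetic tokens drawn
    from a tiny vocabulary is a byte-to-word substitution table, not prose.
    English text of the same length uses thousands of distinct words."""
    tokens = text.split()
    if len(tokens) < min_words:
        return False
    if not all(t.isalpha() and t.islower() and len(t) <= 8 for t in tokens):
        return False
    return len(set(tokens)) <= max_vocab


def build_sample_driver(size: int = 4096) -> bytes:
    """Constructed stand-in for a PE file: 'MZ' followed by seeded random bytes."""
    rng = random.Random(2026)
    return b"MZ" + bytes(rng.getrandbits(8) for _ in range(size - 2))


def demo() -> dict:
    raw = build_sample_driver()
    encoded = encode(raw)
    return {
        "roundtrip_ok": decode(encoded) == raw,
        "magic_ok": decode(encoded)[:2] == b"MZ",
        "raw_entropy": shannon_entropy(raw),
        "encoded_entropy": shannon_entropy(encoded.encode("ascii")),
        "flagged_by_vocab_heuristic": looks_wordlist_encoded(encoded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The raw bytes sit near 8 bits per byte, which is exactly what packer and crypter detectors look for; the encoded text drops to roughly half that because it is built from a twenty-letter alphabet plus spaces. The vocabulary-size check does not depend on entropy at all, which is why it still fires.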
Security Process Termination and Runtime Operation
Once the kernel driver is loaded:
Target Identification and Kill Loop
- The tool maintains a list of 59 security process targets (EDR/AV solutions) identified via FNV-1a hashing.
- During runtime, the executable enumerates running processes, hashes process names, and compares them to target hashes — an optimized approach for fast matching.
- If a match is found, the malware terminates the process, looping every second to catch any restarted services.
Notably, investigation telemetry showed that the Huntress agent itself was not on the target list, suggesting selective targeting of other vendors' products.
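An analyst who pulls the 59 hashes out of such a binary recovers the vendor list by hashing candidate process names and looking for matches. The following added example, not code from the sample, shows that workflow with FNV-1a. The article does not state the hash width or how names are normalised before hashing, so the helper implements both common widths (32- and 64-bit) and assumes lower-cased UTF-8 names; the target hashes and candidate names below are constructed placeholders, not the malware's values.

```python
"""Recover a hashed process-target list with FNV-1a (analyst-side helper).

Added example. Hash width and name normalisation are assumptions.
"""
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR the byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for byte in data:
        h = ((h ^ byte) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """Standard 64-bit FNV-1a."""
    h = FNV64_OFFSET
    for byte in data:
        h = ((h ^ byte) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def hash_name(name: str, width: int = 32) -> int:
    """Assumed normalisation: lower-case, UTF-8. A real sample may hash UTF-16,
    keep case, or drop the extension; when reversing, try each variant."""
    data = name.lower().encode("utf-8")
    return fnv1a_32(data) if width == 32 else fnv1a_64(data)


# Placeholder candidate list. In practice this is built from vendor documentation
# and a process inventory of a reference host; it is not the sample's 59 entries.
CANDIDATE_NAMES = [
    "exampleav.exe", "exampleedr.exe", "exampleedrsvc.exe",
    "explorer.exe", "notepad.exe", "svchost.exe",
]

# Constructed target list, as if lifted from the binary: two resolvable 32-bit
# hashes plus one filler value that no candidate will match.
TARGET_HASHES = {
    hash_name("exampleedr.exe"),
    hash_name("exampleedrsvc.exe"),
    0xDEADBEEF,
}


def resolve(target_hashes, candidates, width: int = 32):
    """Map each recoverable hash back to a candidate name. Unresolved hashes are
    returned separately so the analyst knows the candidate list is incomplete."""
    table = {hash_name(c, width): c for c in candidates}
    resolved = {h: table[h] for h in target_hashes if h in table}
    unresolved = sorted(h for h in target_hashes if h not in table)
    return resolved, unresolved


if __name__ == "__main__":
    found, missing = resolve(TARGET_HASHES, CANDIDATE_NAMES)
    for h, name in sorted(found.items()):
        print(f"{h:#010x} -> {name}")
    print("unresolved:", [f"{h:#010x}" for h in missing])
```

Because FNV-1a is a fast non-cryptographic hash, this lookup is also the cheap part of a detection: a defender can precompute the hashes of their own agent's process names in both widths and search a suspect binary for them directly.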
Kernel IOCTL Abuse
The loaded driver exposes an IOCTL interface that enables kernel-mode operations such as:
- Terminating processes (used in this case)
- Reading/writing memory
- Rootkit-style operations like process hiding and direct memory access
The malware invoked the driver's KillProc IOCTL to stop protected processes that normally resist termination from user mode.
Persistence Mechanism
Persistence is achieved by installing the kernel driver as a service with a legitimate-looking OEM hardware service name, ensuring it remains loaded across system reboots.
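A driver installed as a demand-start kernel service from a path under ProgramData is exactly the kind of event a service-install rule should surface. The following added example, not Huntress detection content, triages constructed records shaped like the fields a Windows System log event 7045 ("A service was installed in the system") carries: it flags kernel drivers whose binary lives outside the normal driver directory or in a user-writable location, and matches the service name, path and file hashes reported in this article. Those indicator values come from the article; the other records and the placeholder hashes are made up.

```python
"""Triage kernel-driver service installs for BYOVD-style persistence.

Added example. Record layout is a simplification of event 7045 fields.
"""

# Indicators from the writeup, normalised to lower case.
KNOWN_BAD_SERVICE_NAMES = {"oemhwupd"}
KNOWN_BAD_PATHS = {r"c:\programdata\oem\firmware\oemhwupd.sys"}
KNOWN_BAD_SHA256 = {
    "6a6aaeed4a6bbe82a08d197f5d40c2592a461175f181e0440e0ff45d5fb60939",  # OemHwUpd.sys
    "3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0",  # EDR killer binary
}

# Where legitimately installed drivers normally live, and where they should not.
TRUSTED_DRIVER_DIR_FRAGMENT = r"system32\drivers"
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "\\temp\\")

# Constructed records. Only the first one carries values from the writeup.
SAMPLE_EVENTS = [
    {"service_name": "OemHwUpd", "display_name": "OEM Hardware HAL Service",
     "image_path": r"\??\C:\ProgramData\OEM\Firmware\OemHwUpd.sys",
     "service_type": "kernel mode driver", "start_type": "demand start",
     "sha256": "6a6aaeed4a6bbe82a08d197f5d40c2592a461175f181e0440e0ff45d5fb60939"},
    {"service_name": "examplenic", "display_name": "Example NIC Driver",
     "image_path": r"\SystemRoot\System32\drivers\examplenic.sys",
     "service_type": "kernel mode driver", "start_type": "auto start",
     "sha256": "0" * 64},  # placeholder hash
    {"service_name": "pubdrv", "display_name": "Public Driver",
     "image_path": r"C:\Users\Public\pubdrv.sys",
     "service_type": "kernel mode driver", "start_type": "demand start",
     "sha256": "1" * 64},  # placeholder hash
    {"service_name": "UpdaterSvc", "display_name": "Updater",
     "image_path": r"C:\ProgramData\Updater\updater.exe",
     "service_type": "user mode service", "start_type": "auto start",
     "sha256": "2" * 64},  # placeholder hash
]


def normalise_path(path: str) -> str:
    """Lower-case, strip quotes and the NT object-manager prefixes that service
    ImagePath values often carry, so IOC comparison is exact."""
    path = path.strip('"').lower().replace("/", "\\")
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path


def triage(event: dict) -> list:
    """Return the reasons a service-install record deserves attention (empty if none)."""
    if "kernel" not in event["service_type"].lower():
        return []  # user-mode services are outside this driver-focused rule
    reasons = []
    path = normalise_path(event["image_path"])
    name = event["service_name"].lower()
    if TRUSTED_DRIVER_DIR_FRAGMENT not in path:
        reasons.append("driver binary outside System32\\drivers")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("driver binary in a user-writable location")
    if name in KNOWN_BAD_SERVICE_NAMES:
        reasons.append("service name matches IOC")
    if path in KNOWN_BAD_PATHS:
        reasons.append("image path matches IOC")
    if event.get("sha256", "").lower() in KNOWN_BAD_SHA256:
        reasons.append("file hash matches IOC")
    return reasons


def triage_all(events) -> dict:
    """Map service name to its reasons, keeping only records with findings."""
    return {e["service_name"]: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for service, reasons in triage_all(SAMPLE_EVENTS).items():
        print(f"{service}: " + "; ".join(reasons))
```

The path rules are deliberately independent of the indicators: a renamed copy of the same driver dropped under a different ProgramData folder would still be flagged by the first two checks, which is what matters once the published hashes are stale.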
Windows Driver Signature Enforcement and BYOVD Weakness
Windows Driver Signature Enforcement requires that kernel drivers be signed, but its enforcement mechanism does not validate certificate revocation status. Rather, it validates cryptographic chains and trustworthy timestamps — which legacy signed drivers can still pass even years after revocation.
Microsoft has attempted to mitigate this via the Vulnerable Driver Blocklist and features like Hypervisor-Protected Code Integrity (HVCI) — but these protections depend on configuration and may not be enabled by default.
Indicators of Compromise (IOCs)
Driver and Service Artifacts
C:\ProgramData\OEM\Firmware\OemHwUpd.sys
Service Name: OemHwUpd
Display Name: OEM Hardware HAL Service
Threat Actor Connection IPs
69.10.60[.]250
193.160.216[.]221
Malicious Binary Hashes
3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0 (EDR killer svchost.exe binary)
6a6aaeed4a6bbe82a08d197f5d40c2592a461175f181e0440e0ff45d5fb60939 (EnCase driver OemHwUpd.sys)
Key Takeaways for Defenders
This incident highlights evolving tactics in ransomware-precursor intrusions:
- The BYOVD technique using revoked legitimate drivers continues to be a powerful method for defeating endpoint defenses.
- Enabling multi-factor authentication (MFA) on remote access services can prevent initial access via stolen or brute-forced credentials.
- Monitoring for suspicious service names or drivers installed outside normal update channels can help detect stealthy persistence.
- Using blocklisting technologies like Windows Defender Application Control (WDAC) and enforcing HVCI can help prevent known vulnerable drivers from loading.
Conclusion
The incident investigated demonstrates the dangerous blend of compromised remote access credentials and kernel-mode abuse via obsolete signed drivers. As BYOVD attacks grow more sophisticated, security teams must invest in deeper telemetry correlation and driver-level protections to mitigate this class of threats effectively.
