In early February 2026, threat actors mounted a targeted intrusion that showcased a dangerously effective endpoint security bypass technique: Bring Your Own Vulnerable Driver (BYOVD). The attack exploited a long-revoked and antiquated kernel-mode driver from Guidance Software’s EnCase forensic suite to disable a wide range of security tools—effectively creating what analysts now call an EDR killer.
Attack Chain Overview
The adversary followed a classic but increasingly prevalent post-compromise pattern:
- Initial Access via Compromised VPN Credentials:
The attackers authenticated to the victim's SonicWall SSLVPN service using valid but compromised credentials. Telemetry from the victim environment showed anomalous login attempts immediately preceding the successful authentication.
- Network Reconnaissance:
Once inside, the attacker performed aggressive internal scanning, including ICMP sweeps and SMB reconnaissance, to discover valuable hosts and services.
- Deployment of the EDR Killer:
Rather than immediately deploying ransomware, the adversary executed a custom 64-bit Windows binary designed to neutralize defensive tooling before additional payloads could run.
Technical Anatomy of the EDR Killer
At the heart of the attack was a composite malware tool consisting of:
1. User-Mode Orchestrator
A small executable masquerading as a legitimate firmware update utility that:
- Decoded and wrote a kernel driver to disk.
- Registered and loaded that driver as a Windows service.
- Initiated a loop to kill targeted security processes.
2. Embedded Wordlist-Encoded Driver
Rather than carrying a recognizable driver file, the malware stored the kernel driver in an encoded form:
- A wordlist substitution cipher mapped each byte value of the driver to an English word, so the embedded payload reads as a long run of ordinary words.
- Because neither the driver's bytes nor its file hash appear anywhere in the orchestrator, signature-based static scanners and string triage have nothing to match on.
- When decoded, the blob produced a valid Windows PE kernel driver (.sys).
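As an added example (not code from the page, the sample, or Guidance Software), the Python below shows both halves of this trick: the byte-to-word substitution that hides the driver inside the orchestrator, and the triage steps a defender performs once the word table has been pulled out of the binary: decode the text, then confirm the result is a kernel-mode PE by checking that its Subsystem field is NATIVE. The 256-word table, the header-only PE used as sample input, and the token-count threshold in the static heuristic are constructed assumptions, not values from the real sample.

```python
import random
import struct

# Constructed stand-in for the malware's word table. The real sample maps each byte
# value 0..255 to an English word; the page does not reproduce that table, so this demo
# generates a deterministic 256-word vocabulary (assumption: one word per byte value,
# words separated by whitespace).
_SYLLABLES = [c + v for c in "bdfgklmnprstv" for v in "aeiou"]
WORDLIST = random.Random(2026).sample([a + b for a in _SYLLABLES for b in _SYLLABLES], 256)
BYTE_FOR_WORD = {word: value for value, word in enumerate(WORDLIST)}

IMAGE_SUBSYSTEM_NATIVE = 1             # kernel-mode drivers are built for the NATIVE subsystem
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B  # PE32+
_FILE_HEADER = "<HHIIIHH"              # IMAGE_FILE_HEADER: Machine .. Characteristics (20 bytes)


def encode_words(data: bytes) -> str:
    """Attacker side: replace every byte with its word; this text is what the orchestrator embeds."""
    return " ".join(WORDLIST[b] for b in data)


def decode_words(text: str, mapping: dict) -> bytes:
    """Triage side: rebuild the byte stream using the word table recovered from the sample."""
    out = bytearray()
    for token in text.split():
        if token not in mapping:
            raise ValueError(f"token {token!r} is not in the recovered word table")
        out.append(mapping[token])
    return bytes(out)


def looks_word_encoded(text: str, min_tokens: int = 4096) -> bool:
    """Static-triage heuristic (assumption): a long run of purely alphabetic tokens drawn
    from at most 256 distinct words is characteristic of a byte-to-word cipher. A real
    driver is tens of kilobytes, hence the default token threshold."""
    tokens = text.split()
    if len(tokens) < min_tokens or not all(t.isalpha() for t in tokens):
        return False
    return len(set(tokens)) <= 256


def inspect_pe(blob: bytes) -> dict:
    """Parse just enough of the PE headers to tell whether a decoded blob is a 64-bit
    kernel driver: MZ stub, e_lfanew, PE signature, file header and the Subsystem field."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header: wrong word table or truncated text")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, _, _, _, _, size_opt, _ = struct.unpack_from(_FILE_HEADER, blob, e_lfanew + 4)
    opt = e_lfanew + 4 + 20
    if size_opt < 70 or len(blob) < opt + 70:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", blob, opt)
    (subsystem,) = struct.unpack_from("<H", blob, opt + 68)  # Subsystem is at +68 in PE32 and PE32+
    return {
        "machine": machine,
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "subsystem": subsystem,
        "is_driver": subsystem == IMAGE_SUBSYSTEM_NATIVE,
    }


def build_minimal_pe(subsystem: int, machine: int = 0x8664) -> bytes:
    """Constructed header-only PE32+ image used as sample input; it is not a real driver."""
    dos_stub = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_header = struct.pack(_FILE_HEADER, machine, 0, 0, 0, 0, 240, 0x0022)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<H", optional, 68, subsystem)
    return dos_stub + b"PE\0\0" + file_header + bytes(optional)


def recover_driver(encoded_text: str, mapping: dict) -> dict:
    """Full triage step: decode the word blob and confirm it is a kernel driver image."""
    blob = decode_words(encoded_text, mapping)
    info = inspect_pe(blob)
    info["size"] = len(blob)
    return info


if __name__ == "__main__":
    sample = build_minimal_pe(IMAGE_SUBSYSTEM_NATIVE)
    shipped = encode_words(sample)          # what the orchestrator would carry
    print(shipped[:72], "...")
    print(recover_driver(shipped, BYTE_FOR_WORD))
```

The Subsystem check is the quick way to separate a decoded kernel driver from a user-mode payload before spending time on the IOCTL surface; a subsystem of 2 or 3 (GUI or console) means the blob is not what goes into the kernel service.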
3. Installing the Vulnerable Driver
After decoding:
- The driver was written to disk under a misleading name and path (e.g., C:\ProgramData\OEM\Firmware\OemHwUpd.sys), a location from which no legitimate kernel driver is normally loaded.
- File attributes and timestamps were manipulated (timestomped) so the file resembled a legitimate system component.
- The driver was registered with Windows as a kernel service configured to start automatically.
Why the EnCase Driver Worked
The critical enabler for this bypass was EnPortv.sys, a legacy kernel driver originally part of Guidance Software’s EnCase forensic suite:
Why the Signature Still Verified
- The driver was signed in 2006 with a certificate that expired in 2010 and was later revoked.
- Windows' kernel code-integrity check still accepted the driver because:
- The certificate chains to a root that Windows continues to trust for legacy kernel-mode code.
- The signature carries a timestamp countersignature, so the certificate is evaluated as of the signing time rather than the load time; a certificate that was valid when the timestamp was applied keeps verifying indefinitely after it expires.
- The Windows kernel does not consult certificate revocation lists (CRLs) or OCSP when loading drivers, so a later revocation changes nothing. A legacy driver loads as long as the signature chain verifies cryptographically and neither the certificate nor the driver hash appears in Microsoft's block policy.
BYOVD – Bring Your Own Vulnerable Driver
In this technique the attacker brings a legitimate, signed, but vulnerable driver onto the system to obtain kernel-level primitives:
- Because the driver carries a signature that verifies, Driver Signature Enforcement and most security products allow it to load.
- Once loaded, its IOCTL (Input/Output Control) interface exposes privileged operations that user-mode code could never perform directly.
- In this case, the driver exposed a mechanism for terminating arbitrary processes from kernel mode, which sidesteps the user-mode protections (access controls and Protected Process Light) that normally shield security agents from being killed. The attacker abused it to disable defensive software.
Process Targeting Logic
Once the driver was loaded:
- The EDR killer carried a list of 59 target process names corresponding to popular endpoint security products.
- Each name was stored as an FNV-1a hash rather than as plaintext, so no product names appear as strings in the binary and each comparison is a single integer check.
- In a loop with a timed delay, the orchestrator re-enumerated running processes and terminated any target that had started or been restarted.
- This effectively blinded endpoint defenses by forcibly killing their processes as soon as they appeared.
Notably, one defensive agent observed in the environment was not on the kill list, likely reflecting differences in which vendors the tool's authors chose to target.
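An added example, not code from the page or from the sample, showing the two sides of a hashed kill list: the attacker-side loop that matches the FNV-1a hash of each running process name against the list (and re-kills agents that restart), and the triage-side routine that maps hashes pulled out of such a binary back to product names by brute-forcing candidates, which is also how you notice an agent that is *not* targeted. The five agent image names are well-known endpoint products chosen for illustration, not the sample's 59-entry list; the lower-casing before hashing, the process snapshots, the pids and the unlisted agent name are all assumptions.

```python
FNV32_OFFSET_BASIS = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Reference 32-bit FNV-1a: xor each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET_BASIS
    for byte in data:
        h ^= byte
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def name_hash(image_name: str) -> int:
    """Hash a process image name the way a kill list is typically keyed.
    Assumption: names are lower-cased before hashing, so 'MsMpEng.exe' and
    'MSMPENG.EXE' collide; the page does not state the sample's exact normalisation."""
    return fnv1a_32(image_name.lower().encode("utf-8"))


# Constructed stand-in for the sample's 59-entry kill list: a handful of well-known
# endpoint-agent image names, chosen for illustration, not taken from the sample.
KILL_LIST_NAMES = [
    "MsMpEng.exe",          # Microsoft Defender
    "SentinelAgent.exe",    # SentinelOne
    "CSFalconService.exe",  # CrowdStrike Falcon
    "ekrn.exe",             # ESET
    "bdagent.exe",          # Bitdefender
]
# What actually ships in the binary: only the 32-bit hashes, never the names.
KILL_LIST_HASHES = {name_hash(n) for n in KILL_LIST_NAMES}


def select_targets(snapshot, kill_hashes):
    """One pass of the orchestrator's loop: every (pid, image_name) whose hashed name is
    on the list. `snapshot` stands in for the process enumeration the tool performs."""
    return [(pid, name) for pid, name in snapshot if name_hash(name) in kill_hashes]


def run_kill_loop(snapshots, kill_hashes):
    """Simulate the timed loop over successive process snapshots: each tick re-scans the
    list, so an agent that its watchdog service restarts is simply hit again next pass."""
    killed = []
    for tick, snapshot in enumerate(snapshots):
        for pid, name in select_targets(snapshot, kill_hashes):
            killed.append((tick, pid, name))
    return killed


def resolve_hashes(unknown_hashes, candidate_names):
    """Triage helper: map hashes pulled out of an EDR-killer binary back to product names
    by brute-forcing a candidate list. Unresolved hashes map to None, which is how you
    notice that a product is not targeted (the case the page remarks on)."""
    table = {name_hash(n): n for n in candidate_names}
    return {h: table.get(h) for h in unknown_hashes}


# Constructed process snapshots for the demo (pids and the unlisted agent name are made up).
SNAPSHOT_T0 = [
    (4, "System"),
    (812, "svchost.exe"),
    (3120, "MsMpEng.exe"),
    (4410, "SentinelAgent.exe"),
    (5022, "SomeOtherAgent.exe"),   # running on the host but absent from the kill list
    (6100, "explorer.exe"),
]
# Second tick: Defender's watchdog has restarted MsMpEng.exe under a new pid.
SNAPSHOT_T1 = [(4, "System"), (812, "svchost.exe"), (7001, "MsMpEng.exe"), (5022, "SomeOtherAgent.exe")]


if __name__ == "__main__":
    print("kill list hashes:", [hex(h) for h in sorted(KILL_LIST_HASHES)])
    print("killed:", run_kill_loop([SNAPSHOT_T0, SNAPSHOT_T1], KILL_LIST_HASHES))
    print("resolved:", resolve_hashes(sorted(KILL_LIST_HASHES) + [name_hash("SomeOtherAgent.exe")],
                                     KILL_LIST_NAMES))
```

When the hash table in a real sample does not resolve against your candidate list, try the other normalisations attackers use (upper case, the name without its extension, UTF-16LE encoding) before concluding that a product is absent from the list.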
Driver Signature Enforcement Limitation
Kernel-mode drivers on Windows face strict signing rules, but an important exception still exists:
- Drivers signed before the July 2015 cut-off that chain to a still-trusted root are permitted to load if the signature is timestamped; because revocation is not checked at load time, a certificate revoked after signing does not stop them.
- Microsoft's modern answer is the Vulnerable Driver Blocklist rather than CRL checking: a WDAC policy shipped with Windows (enabled by default with HVCI and on Windows 11 22H2 and later) that blocks drivers by hash, signer or version once they have been identified as exploitable. A driver that is not yet on the list still loads.
This incident clearly illustrates how outdated signing and lack of revocation enforcement can be weaponized by attackers seeking kernel access.
Mitigations and Defensive Lessons
This case underscores key technical defense considerations:
- Enforce Strong Multifactor Authentication:
The initial compromise relied on static VPN credentials without robust MFA; phishing-resistant MFA on the SSLVPN would have stopped the stolen credentials from being reused.
- Enable Memory Integrity and Vulnerable Driver Blocking:
Hypervisor-Protected Code Integrity (HVCI, shown as "Memory integrity" in Windows Security) enforces kernel code integrity from the hypervisor and turns on Microsoft's vulnerable driver blocklist; verify both are actually enabled, since the blocklist is not enforced everywhere by default.
- Use Modern Endpoint Controls with BYOVD Detection:
Alert on kernel drivers loaded from outside %SystemRoot%\System32\drivers and the DriverStore, on new kernel services registered by a user-mode binary, and on drivers whose signing certificate is expired or revoked; any of these would have flagged a .sys file appearing under C:\ProgramData.
- Audit and Block Known High-Risk Drivers:
Apply Microsoft's recommended driver block rules via WDAC (or a comparable application-control mechanism) and extend them with rules for legacy forensic and hardware-utility drivers your estate has no reason to load.
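The detection idea in the third bullet, implemented as an added example that is not the page's or any vendor's code: a few Sysmon Event ID 6 (driver load) messages are parsed and scored against three checks: a load path outside the standard driver directories, a signature status other than Valid, and a SHA256 on a locally maintained blocklist. The three records, their timestamps, signer strings and hashes are constructed for the demo, the blocklist is a stand-in for the hash rules you would actually maintain, and the trusted-directory list is an assumption to tune per estate.

```python
import hashlib
import re

# Paths from which kernel drivers are normally loaded (assumption: adjust per estate).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\filerepository\\",
)

# Constructed local blocklist keyed by SHA256. The real vulnerable driver blocklist is a
# WDAC policy, not a hash set; these digests are stand-ins, not the hashes of real files.
_BAD_HASH = hashlib.sha256(b"constructed stand-in for the renamed EnPortv.sys image").hexdigest()
_OK_HASH = hashlib.sha256(b"constructed stand-in for tcpip.sys").hexdigest()
_EXPIRED_HASH = hashlib.sha256(b"constructed stand-in for a driver with an expired certificate").hexdigest()
BLOCKED_SHA256 = {_BAD_HASH}

# Constructed Sysmon Event ID 6 (Driver loaded) messages; timestamps, signer strings and
# signature statuses are made up for the demo.
SAMPLE_LOG = f"""\
Driver loaded:
UtcTime: 2026-02-03 04:12:09.115
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256={_OK_HASH}
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
UtcTime: 2026-02-03 04:31:57.402
ImageLoaded: C:\\ProgramData\\OEM\\Firmware\\OemHwUpd.sys
Hashes: SHA256={_BAD_HASH}
Signed: true
Signature: Guidance Software
SignatureStatus: Valid

Driver loaded:
UtcTime: 2026-02-03 04:33:10.019
ImageLoaded: C:\\Windows\\System32\\drivers\\vendorutil.sys
Hashes: SHA256={_EXPIRED_HASH}
Signed: true
Signature: Example Hardware Vendor
SignatureStatus: Expired
"""


def parse_driver_load_events(text: str) -> list:
    """Split rendered 'Driver loaded:' messages into dicts of their Key: Value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line.startswith("Driver loaded") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "ImageLoaded" in fields:
            events.append(fields)
    return events


def sha256_from_hashes(field: str):
    """Pull the SHA256 digest out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def assess_driver_load(event: dict, blocked_hashes=BLOCKED_SHA256) -> list:
    """Return the reasons, if any, that this driver load should be escalated."""
    reasons = []
    image = event.get("ImageLoaded", "").lower()
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    elif event.get("SignatureStatus", "") != "Valid":
        # A timestamped legacy signature still loads; the status is the tell, not a block.
        reasons.append(f"signature status {event.get('SignatureStatus')!r}")
    if sha256_from_hashes(event.get("Hashes", "")) in blocked_hashes:
        reasons.append("SHA256 is on the local vulnerable-driver blocklist")
    return reasons


def triage(text: str, blocked_hashes=BLOCKED_SHA256) -> dict:
    """Run the checks over a log extract; return {ImageLoaded: [reasons]} for hits only."""
    findings = {}
    for event in parse_driver_load_events(text):
        reasons = assess_driver_load(event, blocked_hashes)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_LOG).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The path check alone catches the incident described on this page, because the decoded driver was dropped under C:\ProgramData; the hash rule only helps once a driver has been identified, which is the same limitation the Microsoft blocklist has.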
Conclusion
The EnCase BYOVD EDR killer incident highlights the evolving arms race between attackers and endpoint defenses. By exploiting legacy trusted code and leveraging clever encoding and process-killing logic, attackers can disconnect security software long enough to complete their objectives. Technical understanding of kernel driver loading, signature validation quirks, and process termination mechanics is essential for defenders aiming to mitigate these emergent BYOVD-based threats.
