Threat Actors Exploit Revoked EnCase Driver in Advanced EDR Killer Tool

Source: BleepingComputer

Attackers leverage a revoked signed kernel driver from forensic software to disable 59 security tools in a sophisticated EDR killer campaign.

Attackers Weaponize Revoked Forensic Driver in EDR Killer Tool

Security researchers have identified a new EDR (Endpoint Detection and Response) killer tool that exploits a legitimate but revoked signed kernel driver from Guidance Software’s EnCase forensic software. The tool, designed to evade detection and disable security protections, highlights a growing trend of living-off-the-land (LotL) attacks using trusted software components.

Key Details of the Attack

  • Driver Origin: The tool abuses EnCase’s encase.sys kernel driver, which was digitally signed but revoked by the vendor in 2022 following reports of abuse.
  • EDR Killer Functionality: The malware scans for 59 security products, including EDR, antivirus, and monitoring tools, and attempts to terminate their processes or disable their services.
  • Attack Vector: The driver is loaded via Bring Your Own Vulnerable Driver (BYOVD) techniques, bypassing Windows Driver Signature Enforcement (DSE) protections.
  • Detection Evasion: By using a signed (though revoked) driver, attackers exploit trust in legitimate software to execute kernel-level operations undetected.

Technical Analysis of the Exploit

The encase.sys driver, originally designed for low-level disk access in forensic investigations, contains functionality that allows direct memory manipulation. Attackers repurpose this capability to:

  • Enumerate running processes and identify security tools.
  • Terminate or suspend processes associated with EDR, AV, and logging solutions.
  • Modify kernel structures to evade detection by security software.

The BYOVD technique used here is particularly concerning because it circumvents Windows security mechanisms that typically block unsigned drivers. While Microsoft has revoked the driver’s signature, attackers can still load it on systems where driver signature enforcement is disabled or via vulnerable boot configurations.

Impact on Security Operations

The use of this EDR killer tool poses significant risks to enterprise security:

  • Disabling Critical Protections: By neutralizing EDR and AV tools, attackers can execute ransomware, data exfiltration, or lateral movement without detection.
  • Persistence Challenges: Kernel-level access allows attackers to maintain persistence even after system reboots.
  • Forensic Blind Spots: The tool’s ability to disable logging and monitoring tools obscures attack traces, complicating incident response.

Mitigation and Response Recommendations

Security teams should take the following steps to defend against this threat:

  1. Block Known Malicious Drivers

    • Deploy driver blocklists via Windows Defender Application Control (WDAC) or Microsoft Defender for Endpoint to prevent loading of revoked drivers like encase.sys.
    • Monitor for unusual driver loading events in endpoint logs.
  2. Enforce Driver Signature Enforcement

    • Ensure Secure Boot and Driver Signature Enforcement are enabled to prevent unsigned or revoked drivers from executing.
  3. Enhance Endpoint Monitoring

    • Use behavioral detection to identify processes attempting to terminate security software or modify kernel memory.
    • Deploy EDR solutions with kernel-level visibility to detect and block suspicious driver activity.
  4. Incident Response Preparedness

    • Develop playbooks for BYOVD attacks, including steps to isolate affected systems and restore trusted drivers.
    • Conduct threat hunting for signs of disabled security tools or unauthorized driver installations.
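As an added, defender-side example (not code from the report or from BleepingComputer) of the driver-load monitoring in step 1 and the hunting in step 4, the following Python reads flattened Sysmon Event ID 6 (DriverLoad) records and flags loads by blocklisted name or hash, unsigned or non-"Valid" signature status, and load path outside the drivers directory. The sample events and placeholder hashes are constructed, and the trusted-directory rule and treating any status other than "Valid" as suspicious are assumptions for the demo; a revoked certificate may not surface in the status field at all, which is why the name and hash blocklist does the real work for a driver like encase.sys.

```python
import re

# encase.sys is the revoked driver named in the report; the trusted directory
# and the "anything but Valid is suspicious" rule are assumptions for this demo.
BLOCKED_DRIVER_NAMES = {"encase.sys"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

def parse_event(text: str) -> dict:
    """Parse a flattened 'Field: value' Sysmon Event ID 6 (DriverLoad) record."""
    fields = dict(re.findall(r"(\w+): ([^\r\n]*)", text))
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return {
        "image": fields.get("ImageLoaded", "").strip(),
        "signed": fields.get("Signed", "false").strip().lower() == "true",
        "status": fields.get("SignatureStatus", "Unavailable").strip(),
        "sha256": hashes.get("SHA256", "").strip().lower(),
    }

def assess(ev: dict, blocked_hashes=frozenset()) -> list:
    """Return the reasons a driver load deserves a look; empty means nothing unusual."""
    reasons = []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    if name in BLOCKED_DRIVER_NAMES:
        reasons.append("blocklisted driver name")
    if ev["sha256"] and ev["sha256"] in blocked_hashes:
        reasons.append("blocklisted driver hash")
    if not ev["signed"]:
        reasons.append("unsigned driver")
    elif ev["status"].lower() != "valid":
        reasons.append("signature status " + ev["status"])
    if not ev["image"].lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system drivers directory")
    return reasons

def hunt(events, blocked_hashes=frozenset()) -> dict:
    """Map each flagged driver path to its reasons; clean loads are omitted."""
    flagged = {}
    for text in events:
        ev = parse_event(text)
        if reasons := assess(ev, blocked_hashes):
            flagged[ev["image"]] = reasons
    return flagged

# Constructed sample events (not real telemetry); hash values are placeholders.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\disk.sys\nHashes: SHA256=AAAA\nSigned: true\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\encase.sys\nHashes: SHA256=BBBB\nSigned: true\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\Temp\\loader.sys\nHashes: SHA256=CCCC\nSigned: false\nSignatureStatus: Unavailable",
]
```

Feed `hunt()` the exported DriverLoad events from your SIEM and pass the vendor's published hashes for the revoked driver as `blocked_hashes`; any non-empty result is a candidate for the BYOVD playbook in step 4.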

Conclusion

This attack underscores the growing sophistication of EDR evasion techniques, particularly the abuse of signed but revoked drivers. Security teams must harden endpoint defenses, monitor for driver-based threats, and prepare for rapid response to mitigate the risks posed by such tools.

For further details, refer to the original report by BleepingComputer.