
EDR killer tool uses signed kernel driver from forensic software


Hackers are abusing a legitimate but long-revoked EnCase kernel driver in an EDR killer that looks for 59 security tools and attempts to terminate them.

An EDR killer is a malicious tool created specifically to bypass or disable endpoint detection and response (EDR) tools, along with other security solutions. Such tools typically load a vulnerable driver and use its kernel-level access to unhook or terminate the protections on the system.

Usually, attackers rely on the ‘Bring Your Own Vulnerable Driver’ (BYOVD) technique, where they introduce a legitimate but vulnerable driver and use it to gain kernel-level access and terminate security software processes.

The technique is well-documented and very popular, but despite Microsoft introducing various defenses over the years, Windows systems are still vulnerable to effective bypasses.

EnCase is a digital investigation tool used in law enforcement forensic operations that enables extracting and analyzing data from computers, mobile devices, or cloud storage.


Huntress researchers responding to a cybersecurity incident earlier this month noticed the deployment of a custom EDR killer that was disguised as a legitimate firmware update utility and used an old kernel driver.

The attackers breached the network using compromised SonicWall SSL VPN credentials and exploiting the lack of multi-factor authentication (MFA) for the VPN account.

After logging in, the attackers performed aggressive internal reconnaissance, including ICMP ping sweeps, NetBIOS name probes, SMB-related activity, and SYN flooding exceeding 370 SYNs/sec.

The EDR killer used in this case is a 64-bit executable that abuses ‘EnPortv.sys,’ an old EnCase kernel driver, to disable security tools running on the host system.


The driver’s certificate was issued in 2006, expired in 2010, and was subsequently revoked. However, Driver Signature Enforcement on Windows validates the signature and its timestamp rather than consulting Certificate Revocation Lists (CRLs), so the operating system still accepts drivers signed with the old certificate.

Although Microsoft added a requirement in Windows 10 version 1607 that kernel drivers must be signed via the Hardware Dev Center, an exception was made for certificates issued before July 29, 2015, which applies in this case.

The kernel driver is installed and registered as a fake OEM hardware service, establishing reboot-resistant persistence.

Establishing persistence on the host
Source: Huntress

The malware uses the driver’s kernel-mode IOCTL interface to terminate the targeted security processes, bypassing existing Windows protections such as Protected Process Light (PPL).

There are 59 targeted processes related to various EDR and antivirus tools. The kill loop executes every second, immediately terminating any processes that are restarted.

KillProc implementation
Source: Huntress

Huntress believes that the intrusion was related to ransomware activity, although the attack was stopped before the final payload was deployed.

Key defense recommendations include enabling MFA on all remote access services, monitoring VPN logs for suspicious activity, and enabling HVCI/Memory Integrity to enforce Microsoft’s vulnerable driver blocklist.

Additionally, Huntress recommends monitoring for kernel services masquerading as OEM or hardware components and deploying WDAC and ASR rules to block vulnerable signed drivers.
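As an added example (not code from Huntress or from the article), the PowerShell script below supports the last two recommendations: it lists the kernel driver services on a host and flags those whose signing certificate is expired or revoked, or whose image lives outside the normal driver directories, which is how a fake OEM or hardware service would stand out. It assumes an elevated session and network access to the CA revocation endpoints; the function name and report fields are the example's own.

```powershell
# Added example, not code from Huntress or the article. Enumerates kernel driver
# services and flags ones Driver Signature Enforcement would still load but a
# defender should question: expired or revoked signing certificate, or an image
# outside the normal driver directories. Run in an elevated PowerShell session.
$sysDrivers  = "$env:SystemRoot\System32\drivers\*"
$driverStore = "$env:SystemRoot\System32\DriverStore\*"

function Get-DriverSigningReport {
    foreach ($d in (Get-CimInstance -ClassName Win32_SystemDriver)) {
        $path = $d.PathName
        if (-not $path) { continue }
        # Normalise the \SystemRoot\ and \??\ prefixes used in driver image paths
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $expired = $revoked = $revUnknown = $false; $signer = '<unsigned>'
        if ($cert) {
            $signer  = $cert.Subject
            $expired = $cert.NotAfter -lt (Get-Date)
            # Explicit revocation check: DSE accepts a timestamped signature without one
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode    = 'Online'
            $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
            $null  = $chain.Build($cert)
            $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
            $revoked    = $flags -contains 'Revoked'
            $revUnknown = ($flags -contains 'RevocationStatusUnknown') -or ($flags -contains 'OfflineRevocation')
        }
        [pscustomobject]@{
            Service    = $d.Name
            StartMode  = $d.StartMode      # auto-start drivers survive reboots
            Path       = $path
            Signer     = $signer
            SigStatus  = $sig.Status
            Expired    = $expired
            Revoked    = $revoked
            RevUnknown = $revUnknown
            OddPath    = -not (($path -like $sysDrivers) -or ($path -like $driverStore))
        }
    }
}

# Anything revoked, expired, or loaded from an unusual location deserves a look;
# many old but legitimate drivers carry expired certs, so triage rather than block.
Get-DriverSigningReport |
    Where-Object { $_.Revoked -or $_.Expired -or $_.RevUnknown -or $_.OddPath } |
    Sort-Object Revoked, Expired -Descending |
    Format-Table Service, StartMode, Expired, Revoked, OddPath, Signer, Path -AutoSize
```

Drivers signed only through a catalog may show as unsigned here, so pair the output with the WDAC or Microsoft vulnerable driver blocklist rather than treating it as a verdict on its own.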
