EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach

Security researchers at Huntress have documented a sophisticated intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to deploy a custom EDR killer that abuses a legitimate forensic driver from Guidance Software’s EnCase to terminate security processes from kernel mode.

Attack Overview

The attack, disrupted in early February 2026 before ransomware deployment, demonstrates a growing trend in the threat landscape: adversaries weaponizing signed, legitimate drivers to disable endpoint security. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), allows attackers to bypass Windows Driver Signature Enforcement by loading drivers with valid cryptographic signatures, even if their certificates have been revoked.

Technical Analysis

Initial Access

Huntress’s Managed SIEM captured the full intrusion timeline through SonicWall telemetry. The threat actor successfully authenticated to the victim’s SSLVPN from IP address 69.10.60[.]250, after a denied portal login attempt from 193.160.216[.]221 just one minute prior.

The EDR Killer Binary

The deployed malware is a 64-bit Windows executable masquerading as a firmware update utility. What makes it particularly evasive is its wordlist-based encoding scheme. Rather than storing the embedded kernel driver as raw bytes or using traditional encryption, the developers created a 256-word dictionary where each English word corresponds to a specific byte value.

The encoded driver payload is stored as a 384,528-byte string of space-separated English words. For example, “block both choice about” decodes to 4D 5A 90 00 — the first four bytes of the MZ signature that opens a DOS executable header.

Why This Works: The Certificate Gap

The EnCase forensic driver (EnPortv.sys) abused in this attack has a signing certificate that expired in January 2010 and was subsequently revoked. However, Windows still accepts the signature because:

  • No CRL Checking: The Windows kernel does not check Certificate Revocation Lists when loading drivers
  • July 2015 Exception: Drivers signed with certificates issued before July 29, 2015 that chain to supported cross-signed CAs are still permitted
  • Valid Timestamp: The signature carries a countersignature timestamp from when the certificate was still valid, so Windows treats the signature as valid indefinitely

Target List: 59 Security Products

The EDR killer maintains a list of 59 target process names hashed using FNV-1a. Major endpoint security vendors targeted include:

  • CrowdStrike (CSFalconService, csagent)
  • SentinelOne (SentinelAgent, SentinelServiceHost)
  • Carbon Black (RepMgr, RepWAV)
  • Symantec (ccSvcHst, SepMasterService)
  • Microsoft Defender (MsMpEng, MsSense)
  • McAfee (masvc, mfetp)
  • Sophos (SAVAdminService, SavService)
  • Trend Micro (PccNTMon, NTRTScan)
  • Kaspersky (avp, avpui)
  • ESET (ekrn, egui)

Once the kernel driver is loaded, it exposes an IOCTL interface allowing the usermode component to terminate any process directly from kernel mode, bypassing Protected Process Light (PPL) protections.

Persistence Mechanism

The malware establishes persistence by registering the driver as a Windows kernel service with deceptive naming:

  • Service Name: OemHwUpd
  • Display Name: OEM Hardware HAL Service
  • Path: C:\ProgramData\OEM\Firmware\OemHwUpd.sys

Anti-forensic measures include timestomping (copying timestamps from ntdll.dll) and setting hidden/system file attributes.

Defensive Recommendations

  1. Enable MFA on all remote access services — the initial compromise occurred due to lack of multi-factor authentication
  2. Enable HVCI/Memory Integrity — ensures Microsoft’s Vulnerable Driver Blocklist is enforced
  3. Deploy WDAC driver block rules — use Microsoft’s recommended driver block rules
  4. Enable ASR rule for vulnerable drivers — “Block abuse of exploited vulnerable signed drivers”
  5. Monitor for suspicious service creation — alert on services mimicking OEM/hardware components
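The service details in the Persistence Mechanism section and recommendation 5 above translate directly into a detection rule. The following Python is an added example, not Huntress's or the malware's code: it scans constructed Event ID 7045 (service installed) records flattened into key="value" lines and flags kernel-driver services that load from a user-writable path or carry OEM/hardware-flavoured names. The log line format, the benign service names and the extra lure words "HwUpd" and "chipset" are this example's assumptions.

```python
import re
# Constructed sample of "service installed" events (Windows System log, Event ID 7045), flattened
# to one key="value" line each as a SIEM export might render them. The first record mirrors the
# service details reported on this page; the other two are benign filler with made-up names.
SAMPLE_EVENTS = [
    'EventID="7045" ServiceName="OemHwUpd" ImagePath="C:\\ProgramData\\OEM\\Firmware\\OemHwUpd.sys" '
    'ServiceType="kernel mode driver" StartType="auto start" DisplayName="OEM Hardware HAL Service"',
    'EventID="7045" ServiceName="AcmeNicDrv" ImagePath="C:\\Windows\\System32\\drivers\\AcmeNicDrv.sys" '
    'ServiceType="kernel mode driver" StartType="demand start" DisplayName="Acme NIC Driver"',
    'EventID="7045" ServiceName="MyToolSvc" ImagePath="C:\\ProgramData\\MyTool\\svc.exe" '
    'ServiceType="user mode service" StartType="auto start" DisplayName="MyTool Updater"',
]

# Directories a legitimately installed kernel driver is normally loaded from.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Lure words: "OEM", "HAL", "Firmware", "Hardware" are from this page; "HwUpd" and "chipset" are assumptions.
LURE_WORDS = re.compile(r"\b(oem|hal|firmware|hardware|hwupd|chipset)\b")

def parse_event(line):
    """Turn one flattened key="value" line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def assess_service_install(event):
    """Return the reasons a 7045 record looks like BYOVD persistence (empty list = benign)."""
    reasons = []
    if event.get("EventID") != "7045":
        return reasons
    image = event.get("ImagePath", "").lower()
    if "kernel" not in event.get("ServiceType", "").lower() and not image.endswith(".sys"):
        return reasons  # only kernel-driver services matter for this rule
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("kernel driver loaded from an unusual, user-writable path: " + image)
    # Split CamelCase ("OemHwUpd" -> "Oem Hw Upd") so word-boundary matching works on service names.
    names = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", event.get("ServiceName", ""))
    names = (names + " " + event.get("DisplayName", "")).lower()
    if LURE_WORDS.search(names):
        reasons.append("service or display name mimics an OEM/hardware component")
    return reasons

def scan(lines):
    """Map service name -> reasons for every record that trips at least one rule."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess_service_install(event)
        if reasons:
            findings[event["ServiceName"]] = reasons
    return findings
```

Running scan(SAMPLE_EVENTS) flags only OemHwUpd, on both the path and the naming rule; a real deployment would feed it live 7045 events and tune TRUSTED_DRIVER_DIRS to the estate's driver locations.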

Indicators of Compromise

  Indicator                                  Type
  C:\ProgramData\OEM\Firmware\OemHwUpd.sys   File Path
  OemHwUpd                                   Service Name
  69.10.60[.]250                             Threat Actor IP
  193.160.216[.]221                          Threat Actor IP

This attack underscores the urgent need for organizations to implement kernel-level protections and maintain vigilance over driver loading policies. As BYOVD techniques become standard components of the ransomware playbook, defenders must adapt by leveraging Microsoft’s driver blocklist and attack surface reduction rules.

Source: Huntress Blog
