Threat actors are leveraging a legitimate but revoked EnCase kernel driver (EnPortv.sys) to deploy a custom EDR killer. This tool utilizes the 'Bring Your Own Vulnerable Driver' (BYOVD) technique to bypass endpoint detection and response solutions by gaining kernel-level access. Despite the driver's certificate being revoked and expired for years, it remains functional on modern Windows systems due to legacy signature enforcement exceptions for certificates issued before July 2015.
The EDR killer targets 59 distinct security processes, employing a persistent kill loop that executes every second to ensure any restarted security software is immediately terminated. Attackers initially gained access through compromised SonicWall VPN credentials lacking multi-factor authentication. To mitigate these threats, security teams are advised to enable Hypervisor-Protected Code Integrity (HVCI), enforce MFA across all remote access services, and implement Windows Defender Application Control (WDAC) to block known vulnerable drivers.
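The mitigations above (HVCI, the vulnerable-driver blocklist that WDAC enforces, and visibility into which kernel drivers are loaded) can be audited from an elevated PowerShell session. The script below is an added example written for this summary; it is not from the article or from any vendor tooling. It assumes Windows 10/11 with the standard `Win32_DeviceGuard` and `Win32_SystemDriver` CIM classes; the only page-specific value is the driver name `EnPortv.sys`, everything else is generic. Note that `Get-AuthenticodeSignature` reports on the file's Authenticode chain, not on the kernel loader's legacy cross-signing exception, so a driver with an old or expired signing certificate can still show a usable signature here; the point of the check is to surface such drivers for review, not to predict whether the loader would accept them.

```powershell
# Added example (not from the article): audit the mitigation state the article
# recommends and list loaded kernel drivers that deserve a second look.
# Assumptions: run as Administrator on Windows 10/11; 'EnPortv.sys' is the
# driver named in the article, all other names are standard Windows objects.

function Get-HvciState {
    # Win32_DeviceGuard reports which virtualization-based security services run.
    # A value of 2 in SecurityServicesRunning means HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Get-VulnerableDriverBlocklistState {
    # Microsoft's vulnerable-driver blocklist toggle (the same switch exposed in
    # Windows Security > Device security > Core isolation).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
                            -ErrorAction SilentlyContinue
    [bool]($val.VulnerableDriverBlocklistEnable -eq 1)
}

function Enable-VulnerableDriverBlocklist {
    # Turns the blocklist on; a reboot is required for the policy to apply.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
                     -Value 1 -Type DWord
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several spellings; normalise them.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                      # \??\C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot            # \SystemRoot\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative
    return $p
}

function Get-SuspiciousKernelDrivers {
    param([string[]]$WatchNames = @('EnPortv.sys'))
    # Enumerate every kernel driver Windows knows about and inspect its signature.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path $path)) { return }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State                  # Running / Stopped
            Path        = $path
            SigStatus   = $sig.Status               # Valid, NotSigned, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject } else { $null }
            CertNotAfter= if ($cert) { $cert.NotAfter } else { $null }
            CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            Watchlisted = ($WatchNames -contains (Split-Path $path -Leaf))
        }
    } | Where-Object { $_.Watchlisted -or $_.SigStatus -ne 'Valid' -or $_.CertExpired }
}

# Usage: print the mitigation state, then any drivers worth reviewing.
Get-HvciState | Format-List
"Vulnerable driver blocklist enabled: $(Get-VulnerableDriverBlocklistState)"
Get-SuspiciousKernelDrivers | Sort-Object Watchlisted -Descending |
    Format-Table Name, State, SigStatus, CertExpired, Watchlisted, Signer -AutoSize
```

A host where `HvciRunning` is false and the blocklist is disabled has neither of the recommended controls in place; turning both on (the blocklist via `Enable-VulnerableDriverBlocklist`, HVCI via Core isolation or Group Policy) and rebooting is the quickest way to close the BYOVD path the article describes. Treat any `Watchlisted` or `CertExpired` hit as a lead for incident response rather than as proof of compromise: the driver's origin and the process that installed the service still have to be established.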