In a recently disclosed intrusion, attackers abused a legitimate but vulnerable Windows kernel driver to shut down endpoint security tools while an incident response was already under way.
According to a Huntress report, the activity was observed during a customer investigation in early 2026 and involved the use of an old EnCase forensic driver (by Guidance Software) as part of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Endpoint Detection and Response (EDR) processes from kernel mode.
The intrusion began with compromised SonicWall SSL VPN credentials, after which the attacker conducted internal reconnaissance and deployed a custom “EDR killer” binary.
“The attack was disrupted before ransomware deployment, but the case highlights a growing trend: threat actors weaponizing signed, legitimate drivers to blind endpoint security,” Huntress researchers said in a blog post. “The EnCase driver’s certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit.”
Microsoft did not immediately respond to CSO’s request for comments.
The BYOVD abuse
According to the researchers, the attack used the common technique of abusing a legitimately signed driver that already runs with kernel-level privileges. This gave the attackers direct, high-privilege access to the kernel, effectively allowing them to terminate almost any process they chose, including security tooling.
Windows’ Driver Signature Enforcement, the policy requiring all kernel-mode drivers to be digitally signed by a trusted Certificate Authority (CA), doesn’t check certificate revocation lists at kernel load time. The researchers described this as legacy behavior that remains exploitable because of a backward-compatibility exception introduced years ago, which still admits drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed CA.
The EnCase driver carries a timestamp from a VeriSign timestamping service, which Windows’ signature check still honors. “When code is signed with a timestamp, Windows validates the signature against the time the signature was created, not the current date,” the researchers noted. “Because the driver was timestamped while the certificate was still valid (before January 31, 2010), the signature remains valid indefinitely, even though the certificate has since expired.”
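To make the interaction of the two rules above concrete, here is a small model of the load decision, added for this article (it is not Microsoft's or Huntress's code). It encodes only what the article states: a timestamped signature is evaluated at signing time, and the legacy cross-signed path consults no revocation data. The January 31, 2010 expiry and the July 29, 2015 cutoff come from the article; the other dates in the sample certificate are constructed, and the modern Microsoft-signed driver path is not modelled.

```python
"""Model of why a driver signed with a long-expired, later-revoked certificate
still passes Driver Signature Enforcement (DSE). Added example for this
article; not Microsoft's or Huntress's code.

Rules modelled (both from the article):
  1. A timestamped Authenticode signature is judged at the signing time
     recorded by the timestamp, not at load time.
  2. Legacy DSE does not consult revocation at load time, and still admits
     drivers signed with certificates issued before 29 July 2015 that chain
     to a supported cross-signed CA.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional, Tuple, Dict

CROSS_SIGN_CUTOFF = date(2015, 7, 29)  # issuance cutoff for the legacy exception


@dataclass(frozen=True)
class DriverSignature:
    cert_not_before: date            # certificate issuance / validity start
    cert_not_after: date             # certificate expiry
    chains_to_cross_signed_ca: bool  # chains to a supported cross-signed CA
    timestamp: Optional[date]        # countersignature time; None if untimestamped
    revoked: bool                    # later revoked by the issuing CA


def evaluation_time(sig: DriverSignature, now: date) -> date:
    """Rule 1: evaluate at the timestamp when present, otherwise at load time."""
    return sig.timestamp if sig.timestamp is not None else now


def dse_legacy_accepts(sig: DriverSignature, now: date) -> Tuple[bool, str]:
    """Rule 2: the legacy DSE decision. Note what is NOT checked: revocation."""
    if not sig.chains_to_cross_signed_ca:
        return False, "no chain to a supported cross-signed CA"
    if sig.cert_not_before >= CROSS_SIGN_CUTOFF:
        return False, "certificate issued on/after 2015-07-29; legacy exception does not apply"
    t = evaluation_time(sig, now)
    if not (sig.cert_not_before <= t <= sig.cert_not_after):
        return False, f"certificate not valid at evaluation time {t}"
    return True, f"accepted: valid at {t}; revocation not consulted"


def revocation_aware_accepts(sig: DriverSignature, now: date) -> Tuple[bool, str]:
    """What a load-time revocation check would add to the same decision."""
    ok, why = dse_legacy_accepts(sig, now)
    if ok and sig.revoked:
        return False, "rejected: certificate has been revoked"
    return ok, why


# Constructed sample resembling the EnCase driver. The 2010-01-31 expiry is
# from the article; the other dates are assumptions for illustration only.
ENCASE_LIKE = DriverSignature(
    cert_not_before=date(2007, 1, 31),
    cert_not_after=date(2010, 1, 31),
    chains_to_cross_signed_ca=True,
    timestamp=date(2009, 6, 15),
    revoked=True,
)
LOAD_TIME = date(2026, 2, 1)  # assumed load time, roughly when the intrusion occurred


def demo() -> Dict[str, bool]:
    """Three load attempts on the sample driver; True means the driver loads."""
    return {
        "legacy_dse": dse_legacy_accepts(ENCASE_LIKE, LOAD_TIME)[0],
        "with_revocation_check": revocation_aware_accepts(ENCASE_LIKE, LOAD_TIME)[0],
        "legacy_dse_untimestamped": dse_legacy_accepts(
            replace(ENCASE_LIKE, timestamp=None), LOAD_TIME)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'LOADS' if accepted else 'blocked'}")
```

The third case shows the timestamp doing the work: strip it and the same expired certificate is rejected at load time, which is why a revocation-aware check (or the Vulnerable Driver Blocklist, which keys on the driver rather than its certificate) is the practical fix.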
Once loaded into the kernel, the driver exposes an IOCTL interface that lets the malware terminate arbitrary processes with full system privileges. Among the exposed functionality are process termination commands that bypass the user-mode safeguards of Protected Process Light (PPL), the protection EDR processes depend on to resist tampering.
The kill list excluded Huntress
The EDR killer binary used in the Huntress-observed attack packed together a 64-bit Windows executable and a custom-encoded kernel driver payload, which it decoded into OemHwUpd.sys and installed as a kernel-mode service. Because Windows still honors the driver’s cryptographic signature, the attackers were able to load it.
Once the vulnerable driver was in place, the EDR killer worked through an internal list of 59 well-known security tool processes, stored as hashes of their names, and continuously checked for their presence on the system. “The kill loop runs continuously with a 1-second sleep interval, ensuring any security process that restarts is immediately terminated again,” the researchers said.
Incidentally, Huntress said it wasn’t on the kill list. “While the EDR killer targets nearly every major EDR and AV vendor on the market, the Huntress agent was not among the 59 processes targeted for termination,” it added. Once the driver was written to disk, the binary established persistence by registering it as a Windows kernel service.
Huntress recommended enabling Microsoft’s Vulnerable Driver Blocklist on all supported Windows systems to prevent known abused drivers from loading. The researchers also advised enforcing strong access controls on remote access services, including MFA for VPNs such as SonicWall, and closely monitoring for suspicious driver installation activity. Where possible, organizations are also encouraged to enable virtualization-based security features like Hypervisor-protected Code Integrity (HVCI) to further restrict kernel-mode abuse.
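The last recommendation, monitoring for suspicious driver installation, can be started from the System log alone: installing a kernel-mode service (as the EDR killer did for OemHwUpd.sys) produces a Service Control Manager Event ID 7045 record naming the service, its image path and its type. The hunt below is an added example for this article, not Huntress's detection logic. The event messages are constructed to mirror the 7045 message layout, the C:\Users\Public path for OemHwUpd.sys is an assumption (the article gives no path), and the "standard driver directory" check assumes a C: system drive.

```python
"""Hunt for suspicious kernel-driver installs in Windows System-log
Event ID 7045 ("A service was installed in the system") records.

Added example for this article, not Huntress's detection logic. The event
messages below are constructed to mirror the 7045 message layout; real input
would come from Get-WinEvent, Sysmon (Event ID 6, driver loaded) or a SIEM.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Where legitimately installed kernel drivers normally live. Assumed heuristic
# for a C: system drive; tune to the environment.
SYSTEM_ROOT = "c:\\windows\\"
TRUSTED_DRIVER_DIR = SYSTEM_ROOT + "system32\\drivers\\"

_FIELD = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type):\s*(.*)$",
    re.MULTILINE,
)


@dataclass
class ServiceInstall:
    record_id: int
    name: str
    image_path: str
    service_type: str
    start_type: str


def parse_7045(record_id: int, message: str) -> ServiceInstall:
    """Pull the key/value lines out of a 7045 message body."""
    f = {k: v.strip() for k, v in _FIELD.findall(message)}
    return ServiceInstall(
        record_id,
        f.get("Service Name", ""),
        f.get("Service File Name", ""),
        f.get("Service Type", ""),
        f.get("Service Start Type", ""),
    )


def normalize_image_path(raw: str) -> str:
    """Map the path forms SCM logs for drivers onto one lower-case Win32 path."""
    p = raw.strip().lower()
    if p.startswith("\\??\\"):                 # NT object-manager prefix
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):           # path relative to %SystemRoot%
        p = SYSTEM_ROOT + p
    return p


def review(ev: ServiceInstall) -> List[str]:
    """Return reasons this install deserves analyst attention (empty = benign)."""
    reasons: List[str] = []
    if "kernel mode driver" not in ev.service_type.lower():
        return reasons  # user-mode services are out of scope for this hunt
    path = normalize_image_path(ev.image_path)
    if not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append(f"kernel driver loaded from non-standard location: {ev.image_path}")
    if not path.endswith(".sys"):
        reasons.append(f"kernel driver image without .sys extension: {ev.image_path}")
    return reasons


def hunt(events: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Map record id -> reasons for every flagged 7045 record."""
    findings: Dict[int, List[str]] = {}
    for rid, msg in events:
        reasons = review(parse_7045(rid, msg))
        if reasons:
            findings[rid] = reasons
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    (101, "A service was installed in the system.\n\n"
          "Service Name:  ExampleNic\n"
          "Service File Name:  \\SystemRoot\\System32\\drivers\\examplenic.sys\n"
          "Service Type:  kernel mode driver\n"
          "Service Start Type:  demand start\n"
          "Service Account:  \n"),
    (102, "A service was installed in the system.\n\n"
          "Service Name:  ExampleUpdater\n"
          "Service File Name:  \"C:\\Program Files\\Example\\updater.exe\"\n"
          "Service Type:  user mode service\n"
          "Service Start Type:  auto start\n"
          "Service Account:  LocalSystem\n"),
    (103, "A service was installed in the system.\n\n"
          "Service Name:  OemHwUpd\n"
          "Service File Name:  \\??\\C:\\Users\\Public\\OemHwUpd.sys\n"
          "Service Type:  kernel mode driver\n"
          "Service Start Type:  demand start\n"
          "Service Account:  \n"),
]

if __name__ == "__main__":
    for rid, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"record {rid}: " + "; ".join(reasons))
```

A path heuristic is a triage signal, not a verdict: a kernel driver staged under a user-writable directory is unusual enough to warrant pulling the file and checking it against the Vulnerable Driver Blocklist and its signer details, and on systems where HVCI and the blocklist are enforced the same event would be accompanied by a load failure rather than a running driver.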