Attackers are using a BYOVD EDR-killing payload that embeds a legacy EnCase kernel driver to disable 59 endpoint security products. They gained access via compromised SonicWall SSLVPN credentials, decoded and installed the revoked driver as a kernel service to terminate protected processes and persist; defenders should enable MFA, Memory Integrity and monitor for suspicious drivers. #EnCase #SonicWall
Key points
- Attackers abused a revoked EnCase kernel driver to kill endpoint security processes from kernel mode.
- Initial access was obtained through compromised SonicWall SSLVPN credentials.
- The malware decodes the embedded driver, hides it as a legitimate OEM component, and copies timestamps to blend in.
- The driver exposes an IOCTL interface that lets user-mode processes terminate arbitrary processes, bypassing Protected Process Light (PPL) and other protections.
- Recommended defenses include enabling MFA, turning on Memory Integrity, monitoring VPN logs, and using WDAC and ASR rules.
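The "monitor for suspicious drivers" advice above is concrete enough to turn into detection logic. The following is an added example, not code from the article or from any vendor it mentions: it walks a few constructed Windows System log 7045 (new service installed) and Sysmon Event ID 6 (driver load) records, flattened to key=value form as a SIEM might export them, and flags kernel-driver service installs and driver loads whose signer is not on an assumed publisher allowlist. The service names, file names, publisher strings and hash placeholders are all constructed; the `EXPECTED_PUBLISHERS` set and the severity scheme are assumptions to adapt to your own fleet.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample events (not taken from the article). Two 7045 service-install
# records and two Sysmon Event ID 6 driver-load records, exported as key=value pairs.
SAMPLE_EVENTS = [
    r'EventID=7045 ServiceName=ACME_OEM_Hotkey ImagePath=\SystemRoot\System32\drivers\oemhotkey.sys ServiceType="kernel mode driver" StartType="auto start"',
    r'EventID=7045 ServiceName=WebClient ImagePath=%SystemRoot%\System32\svchost.exe ServiceType="user mode service" StartType="demand start"',
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\oemhotkey.sys Signed=true Signature="Example Forensics Vendor" SignatureStatus=Valid Hashes=SHA256=PLACEHOLDER',
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid Hashes=SHA256=PLACEHOLDER',
]

# Assumed allowlist of driver signers expected on this fleet (constructed for the example).
EXPECTED_PUBLISHERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}
DRIVERS_DIR = "system32\\drivers"

# key=value, where a value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Finding:
    severity: str
    rule: str
    driver: str
    detail: str


def parse_event(line: str) -> dict:
    """Flatten one exported event line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def basename(path: str) -> str:
    """Reduce \\SystemRoot\\..., %SystemRoot%\\... or C:\\... to a lower-cased file name."""
    return ntpath.basename(path).lower()


def analyze(lines):
    """Return findings for kernel-driver installs and driver loads from unexpected signers."""
    events = [parse_event(line) for line in lines]
    findings = []
    installed = {}  # driver file name -> service name, from 7045 kernel-driver installs

    # Pass 1: every new kernel-mode driver service is worth a look on a stable host;
    # an image path outside the drivers directory is rated higher.
    for ev in events:
        if ev.get("EventID") == "7045" and "kernel" in ev.get("ServiceType", "").lower():
            name = basename(ev["ImagePath"])
            installed[name] = ev["ServiceName"]
            in_drivers_dir = DRIVERS_DIR in ev["ImagePath"].lower()
            findings.append(Finding(
                "medium" if in_drivers_dir else "high",
                "new-kernel-driver-service",
                name,
                f"service {ev['ServiceName']} installed kernel driver at {ev['ImagePath']}",
            ))

    # Pass 2: driver loads with a bad signature status or an unexpected signer; a load that
    # matches a freshly installed service from pass 1 is escalated.
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        name = basename(ev["ImageLoaded"])
        publisher = ev.get("Signature", "")
        status = ev.get("SignatureStatus", "")
        if status != "Valid":
            findings.append(Finding("high", "driver-signature-not-valid", name,
                                    f"SignatureStatus={status}"))
        if publisher not in EXPECTED_PUBLISHERS:
            detail = f"signed by '{publisher}'"
            if name in installed:
                detail += f", loaded by newly installed service {installed[name]}"
            findings.append(Finding("high" if name in installed else "medium",
                                    "unexpected-driver-publisher", name, detail))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} {f.driver}: {f.detail}")
```

On the constructed input this yields two findings, both for `oemhotkey.sys`: a medium "new-kernel-driver-service" hit from the 7045 record and a high "unexpected-driver-publisher" hit because the same file is then loaded under a signer not on the allowlist. A publisher allowlist is deliberately used instead of a file-hash blocklist because the article's point is that a signed, formerly legitimate driver can still be dangerous once revoked; the signer check catches the class rather than one sample, while a hash blocklist (such as Microsoft's vulnerable-driver blocklist enforced through WDAC or Memory Integrity) complements it.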
Read More: https://www.helpnetsecurity.com/2026/02/05/edr-killer-vulnerable-encase-driver/