Attackers deployed a custom EDR killer that abuses a long‑revoked EnCase kernel driver (EnPortv.sys) to detect and terminate 59 security tools on infected hosts. Initial access came through compromised SonicWall SSL VPN credentials with no MFA, and the revoked driver loaded because of a pre‑2015 signing exception. Huntress recommends MFA, HVCI/Memory Integrity, WDAC/ASR rules, and monitoring for OEM‑masquerading kernel services. #EnCase #SonicWall
Key points
- Attackers used a BYOVD approach, abusing the EnCase EnPortv.sys kernel driver to gain kernel‑level access.
- The custom EDR killer targets and terminates 59 EDR/antivirus processes via the driver’s kernel IOCTL interface every second.
- Windows accepted the revoked driver because of timestamp validation and an exception for certificates issued before July 29, 2015.
- Initial access was gained through compromised SonicWall SSL VPN credentials with no MFA, followed by aggressive internal reconnaissance.
- Recommended defenses include enabling MFA on remote access, monitoring VPN logs, enabling HVCI/Memory Integrity, and deploying WDAC and ASR rules while watching for OEM‑masquerading kernel services.
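The following PowerShell audit is an added example, not code from Huntress or from the report this summary describes. It checks the defensive items listed above on a single Windows host: whether HVCI/Memory Integrity is running, which registered kernel drivers load from unusual paths, fail signature validation or carry a signer certificate issued before the July 29, 2015 legacy cutoff, which ASR rules Defender has configured, and which kernel-mode services were installed recently (System log event 7045). The cutoff date comes from the summary; the path heuristics and the 30-day lookback are this example's own assumptions.

```powershell
# Added example (not from the Huntress report or this summary). Run in an
# elevated PowerShell 5.1+ session on the host being audited.
$LegacyCutoff = [datetime]'2015-07-29'                    # date named in the summary
$DriverDir    = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Is HVCI (Memory Integrity) actually running? Win32_DeviceGuard reports the
#    running services as a list; value 2 is hypervisor-enforced code integrity.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
Write-Host ("HVCI/Memory Integrity running: {0}" -f $hvciRunning)

# 2. Which ASR rules are configured (rule GUID -> action; 1 = block, 2 = audit)?
try {
    $mp = Get-MpPreference -ErrorAction Stop
    for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        Write-Host ("ASR rule {0} action={1}" -f $mp.AttackSurfaceReductionRules_Ids[$i],
                                                  $mp.AttackSurfaceReductionRules_Actions[$i])
    }
} catch { Write-Host 'Defender preferences unavailable (Get-MpPreference failed)' }

# 3. The SCM stores driver image paths in NT form (\??\C:\..., \SystemRoot\...,
#    or relative System32\...); normalise them to Win32 paths before inspection.
function Convert-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 4. Audit every registered kernel driver: location, signature status, and
#    whether the signer certificate predates the legacy cutoff (such drivers can
#    still load under the pre-2015 exception the summary describes, so a
#    "Valid" signature alone says nothing about whether loading it is wanted).
$findings = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Convert-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $cert    = $sig.SignerCertificate
    $reasons = @()

    # Heuristic (assumption): drivers outside the driver store are worth a look;
    # loaders masquerading as OEM tools often stage in ProgramData, Temp or user dirs.
    if ($path -notlike "$DriverDir\*") { $reasons += 'path outside System32\drivers' }
    if ($sig.Status -ne 'Valid')       { $reasons += "signature $($sig.Status)" }
    if ($cert -and $cert.NotBefore -lt $LegacyCutoff) {
        $reasons += 'signer cert issued before 2015-07-29 (legacy policy eligible)'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service   = $drv.Name
            State     = $drv.State
            StartMode = $drv.StartMode
            Path      = $path
            Signer    = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Reasons   = ($reasons -join '; ')
        }
    }
}
$findings | Sort-Object State, Service | Format-Table -AutoSize -Wrap

# 5. Kernel-driver service installs in the last 30 days (System log, event 7045).
#    A new kernel-mode service with a vendor-sounding name but a non-standard
#    image path is the OEM-masquerading pattern to investigate.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated,
        @{ n = 'ServiceName'; e = { if ($_.Message -match 'Service Name:\s*(.+)')      { $Matches[1].Trim() } } },
        @{ n = 'ImagePath';   e = { if ($_.Message -match 'Service File Name:\s*(.+)') { $Matches[1].Trim() } } } |
    Format-Table -AutoSize -Wrap
```

The pre-2015 flag will match many legitimate drivers, so treat it as context rather than an alert on its own; the combination that deserves attention is a recently installed kernel-mode service (step 5) whose image sits outside the driver store and whose signer certificate falls under the legacy exception (step 4) on a host where HVCI is not running (step 1).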