SonicWall: Hackers exploit old EnCase driver to disable security tools

Hackers Exploit Outdated EnCase Driver to Disable 59 Security Tools via BYOVD Attack

Cyberattackers are weaponizing a revoked but still-functional EnCase kernel driver to create an "EDR killer" tool capable of disabling 59 security solutions. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), grants attackers kernel-level access to terminate endpoint detection and response (EDR) and other protective software.

The attack begins with compromised SonicWall SSL VPN credentials, exploiting the absence of multi-factor authentication (MFA). Once inside, threat actors conduct internal reconnaissance before deploying a custom EDR killer disguised as a firmware update utility. The malicious tool leverages EnPortv.sys, a driver originally from EnCase whose 2006 certificate was revoked in 2010. Despite that revocation, Windows still accepts the driver because of a signature validation loophole: certificates issued before July 29, 2015, bypass Certificate Revocation List (CRL) checks.

The driver is installed as a fake OEM hardware service for persistence and uses its IOCTL interface to force-terminate 59 targeted security processes, evading protections like Protected Process Light. The campaign highlights the risks of unpatched legacy drivers and weak remote access controls, particularly in environments lacking MFA or driver-signing enforcement.
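As an added illustration (not from the SC World brief or from Rankiteo), a detection pass over constructed Sysmon Event ID 6 (DriverLoad) records that flags the signals described above: an unsigned or non-valid driver signature, and a non-allowlisted signer whose certificate predates the July 29, 2015 cutoff. The CertNotBefore enrichment field and the TRUSTED_SIGNERS allowlist are assumptions for this example.

```python
"""Flag driver loads matching the BYOVD pattern in Sysmon-style DriverLoad records.

Alert when the driver is unsigned, when SignatureStatus is anything other than
"Valid", or when a signer outside the allowlist used a certificate issued before
the July 29, 2015 cutoff that bypasses CRL checks. Records below are constructed.
"""
from datetime import date

CRL_CUTOFF = date(2015, 7, 29)          # pre-cutoff certs skip CRL checks (per the brief)
TRUSTED_SIGNERS = {"Microsoft Windows"}  # assumed allowlist of expected legacy signers

# Constructed samples. ImageLoaded/Signed/Signature/SignatureStatus follow Sysmon's
# DriverLoad fields; CertNotBefore is a hypothetical enrichment field added by a log
# pipeline, not something Sysmon itself emits.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "CertNotBefore": "2013-04-02"},
    # Windows reports "Valid" because the 2006 cert skips CRL checks; only the date rule fires.
    {"ImageLoaded": r"C:\Windows\System32\drivers\EnPortv.sys", "Signed": "true",
     "Signature": "EnCase (constructed signer)", "SignatureStatus": "Valid",
     "CertNotBefore": "2006-01-01"},
    {"ImageLoaded": r"C:\Users\Public\fwupdate.sys", "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable", "CertNotBefore": ""},
    {"ImageLoaded": r"C:\Windows\System32\drivers\legacyoem.sys", "Signed": "true",
     "Signature": "Legacy OEM (constructed)", "SignatureStatus": "Valid",
     "CertNotBefore": "2014-11-20"},
]


def assess_driver_load(event):
    """Return the list of reasons to alert on this driver load (empty means benign)."""
    reasons = []
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    status = event.get("SignatureStatus", "")
    if status != "Valid":
        reasons.append(f"signature status is {status or 'unknown'}")
    not_before = event.get("CertNotBefore")
    if not_before and event.get("Signature") not in TRUSTED_SIGNERS:
        if date.fromisoformat(not_before) < CRL_CUTOFF:
            reasons.append("signing certificate predates the 2015-07-29 CRL cutoff")
    return reasons


def triage(events):
    """Map each alerted ImageLoaded path to its reasons; benign loads are omitted."""
    return {e["ImageLoaded"]: r for e in events if (r := assess_driver_load(e))}
```

Because the OS itself reports the revoked certificate as valid, the date rule is what surfaces the EnCase driver here; a stronger control is cross-checking loaded drivers against an out-of-band blocklist rather than trusting SignatureStatus alone.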

Source: https://www.scworld.com/brief/hackers-exploit-old-encase-driver-to-disable-security-tools

SonicWall cybersecurity rating report: https://www.rankiteo.com/company/SonicWall

{
  "id": "SON1770338599",
  "linkid": "SonicWall",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "attack_vector": "Compromised SonicWall SSL VPN credentials (lack of MFA)",
  "description": "Cyberattackers weaponized a revoked but still-functional EnCase kernel driver to create an 'EDR killer' tool capable of disabling 59 security solutions. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), grants attackers kernel-level access to terminate endpoint detection and response (EDR) and other protective software. The attack exploited compromised SonicWall SSL VPN credentials due to the absence of multi-factor authentication (MFA), followed by internal reconnaissance and deployment of a custom EDR killer disguised as a firmware update utility. The malicious tool leveraged EnPortv.sys, a driver with a 2006 certificate revoked in 2010, which Windows accepted due to a signature validation loophole for certificates issued before July 29, 2015. The driver was installed as a fake OEM hardware service for persistence and used its IOCTL interface to force-terminate 59 targeted security processes, evading protections like Protected Process Light.",
  "impact": {
    "operational_impact": "Disabling of endpoint detection and response (EDR) and security tools",
    "systems_affected": "59 security solutions (EDR and protective software)"
  },
  "initial_access_broker": {
    "entry_point": "Compromised SonicWall SSL VPN credentials",
    "reconnaissance_period": "Internal reconnaissance conducted post-compromise"
  },
  "lessons_learned": "Risks of unpatched legacy drivers and weak remote access controls, particularly in environments lacking MFA or driver-signing enforcement.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Enforce MFA for all remote access points",
      "Block or remove vulnerable drivers",
      "Implement driver-signing policies",
      "Monitor for kernel-level anomalies"
    ],
    "root_causes": [
      "Lack of MFA for SonicWall SSL VPN",
      "Use of revoked EnCase driver (EnPortv.sys) with pre-2015 certificate",
      "Windows signature validation loophole for pre-2015 certificates",
      "Absence of driver-signing enforcement"
    ]
  },
  "recommendations": [
    "Enforce multi-factor authentication (MFA) for remote access",
    "Implement driver-signing enforcement to block revoked or vulnerable drivers",
    "Monitor for unusual driver installations or kernel-level activity",
    "Patch or remove outdated and vulnerable drivers"
  ],
  "title": "Hackers Exploit Outdated EnCase Driver to Disable 59 Security Tools via BYOVD Attack",
  "type": "BYOVD (Bring Your Own Vulnerable Driver)",
  "vulnerability_exploited": "Outdated EnCase driver (EnPortv.sys) with revoked certificate, Windows signature validation loophole for pre-2015 certificates"
}