They Got In Through SonicWall. Then They Tried to Kill Every Security Tool

Source: Huntress Blog

Author: unknown

URL: https://www.huntress.com/blog/encase-byovd-edr-killer

ONE SENTENCE SUMMARY:

In February 2026, attackers used compromised SonicWall VPN credentials for access and a revoked EnCase (Guidance Software) forensic driver to disable security tooling and evade detection.

MAIN POINTS:

  1. Attackers used compromised SonicWall VPN credentials for initial network access.
  2. A revoked Guidance Software forensic driver was abused to disable security processes.
  3. Windows still loads drivers whose signing certificates have expired, a gap in Driver Signature Enforcement.
  4. Huntress detected and disrupted the attack before ransomware was deployed.
  5. Analysis drew on SonicWall telemetry and VPN authentication logs.
  6. The EDR killer masquerades as a firmware update utility and uses a wordlist-based encoding scheme.
  7. The attack bypassed security tooling by loading a kernel-mode driver that exposes an IOCTL interface.
  8. The abused driver allows process termination from kernel mode.
  9. Microsoft’s Vulnerable Driver Blocklist is reactive, not preventative.
  10. Recommendations include enabling MFA and HVCI and adopting Microsoft’s driver block rules.
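Points 3 and 10 above are the ones a defender can act on directly: the kernel does not consult certificate expiry or revocation when it loads a signed driver, and HVCI plus Microsoft's driver block rules are the stated mitigations. The script below is an added example and is not code from the Huntress post or from the EnCase/Guidance Software product; it audits a Windows host from the defender's side. It reports whether HVCI is running (via the documented Win32_DeviceGuard CIM class), then walks every running kernel driver, reads its Authenticode signature, and builds an X.509 chain with an online revocation check so that expired or revoked signing certificates are surfaced even though Driver Signature Enforcement accepted them. The path-normalisation helper and the output column names are this example's own choices. Run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the Huntress post): audit running kernel drivers for expired or
# revoked Authenticode signing certificates and report HVCI status. Run elevated.
using namespace System.Security.Cryptography.X509Certificates

# --- 1. HVCI (memory integrity) status ---
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServicesRunning is documented as: 1 = Credential Guard, 2 = HVCI
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
Write-Host ("HVCI (memory integrity) running: {0}" -f $hvciRunning)

# --- 2. Normalise the PathName reported by Win32_SystemDriver to an on-disk path ---
# (helper written for this example; it handles the three forms seen in practice)
function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''                        # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"         # \SystemRoot\ -> C:\Windows\
    if ($p -notmatch '^[A-Za-z]:\\') {                              # e.g. System32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# --- 3. Inspect one driver's signature, expiry and revocation status ---
function Test-DriverCert {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path=$Path; Status='FileNotFound'; Signer=$null;
                                  Expired=$null; Revoked=$null; ChainStatus='' }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Path=$Path; Status=$sig.Status; Signer=$null;
                                  Expired=$null; Revoked=$null; ChainStatus='no signer' }
    }

    # Build the chain with an online revocation check. Driver Signature Enforcement does
    # not consult CRLs/OCSP, which is why a revoked driver still loads; this surfaces what
    # the kernel ignores. Expired-but-timestamped certs also report $sig.Status = 'Valid'.
    $chain = New-Object X509Chain
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    $null   = $chain.Build($cert)
    $flags  = $chain.ChainStatus | ForEach-Object { $_.Status }
    $revoked = [bool]($flags | Where-Object {
        ($_ -band [X509ChainStatusFlags]::Revoked) -ne [X509ChainStatusFlags]::NoError })

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                      # 'Valid' even if the cert expired
        Signer      = $cert.Subject
        Expired     = ($cert.NotAfter -lt (Get-Date))
        Revoked     = $revoked
        ChainStatus = ($flags -join ',')
    }
}

# --- 4. Run over every running kernel driver and list the ones worth a closer look ---
$results = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object { Test-DriverCert -Path (Resolve-DriverPath $_.PathName) }

$results |
    Where-Object { $_.Expired -or $_.Revoked -or $_.Status -ne 'Valid' } |
    Sort-Object Revoked, Expired -Descending |
    Format-Table Path, Status, Expired, Revoked, ChainStatus -AutoSize
```

A driver that appears in this list with Status 'Valid' but Expired or Revoked set is exactly the case point 3 describes: the signature checked out for loading, yet the certificate would fail an ordinary PKI validation. The natural follow-up is to cross-reference the flagged files against Microsoft's published Vulnerable Driver Blocklist and, where HVCI is not running, to enable it so that the blocklist is enforced rather than merely published.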

TAKEAWAYS:

  1. BYOVD attacks are increasingly common for bypassing security measures.
  2. Expired and revoked certificates still pose significant security risks.
  3. Close monitoring of VPN authentication logs can help detect suspicious activity.
  4. Proactive security measures like MFA are crucial to prevent initial access.
  5. Continuous updates and vigilance are needed to address vulnerabilities promptly.