The kill list excluded Huntress:

The EDR killer binary used in the Huntress-observed attack packed a 64-bit Windows executable and a custom encoded kernel driver payload, which it decoded into OemHwUpd.sys and installed as a kernel-mode service. Because Windows still honors its cryptographic signature, the attackers were able to load the driver.

Once the vulnerable driver was in place, the EDR killer compiled an internal list of 59 well-known security tool processes, hashing their names and continuously checking for their presence on the system. “The kill loop runs continuously with a 1-second sleep interval, ensuring any security process that restarts is immediately terminated again,” the researchers said.

Incidentally, Huntress said it wasn’t on the kill list. “While the EDR killer targets nearly every major EDR and AV vendor on the market, the Huntress agent was not among the 59 processes targeted for termination,” it added. Once the driver was written to disk, the binary established persistence by registering it as a Windows kernel service.

Huntress recommended enabling Microsoft’s Vulnerable Driver Blocklist on all supported Windows systems to prevent known abused drivers from loading. The researchers also advised enforcing strong access controls on remote access services, including MFA for VPNs such as SonicWall, and closely monitoring for suspicious driver installation activity. Where possible, organizations are also encouraged to enable virtualization-based security features like Hypervisor-protected Code Integrity (HVCI) to further restrict kernel-mode abuse.
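A way to audit the three mitigations above on a Windows host, as an added example that is not from Huntress or the article: it reads the Vulnerable Driver Blocklist setting, checks whether HVCI is running, and lists kernel-mode driver services registered recently via Service Control Manager event 7045. The driver name OemHwUpd.sys is the one named in the article; the 30-day window and the path patterns flagged are assumptions to adjust to your environment.

```powershell
# Added example, not code from the Huntress research or the CSO article.
# Run from an elevated PowerShell session on the host being checked.
$lookbackDays = 30   # assumed window; widen for a retrospective hunt

# 1. Microsoft Vulnerable Driver Blocklist is enforced when this DWORD is 1.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) { "Vulnerable Driver Blocklist: enabled" }
else { "Vulnerable Driver Blocklist: NOT enabled (value: $blocklist)" }

# 2. HVCI: Win32_DeviceGuard lists running security services; 2 = HVCI.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) { "HVCI: running" }
else { "HVCI: NOT running (VBS status: $($dg.VirtualizationBasedSecurityStatus))" }

# 3. Kernel-mode driver services registered in the lookback window.
#    Event 7045 properties: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $p[0].Value
            ImagePath   = $p[1].Value
            ServiceType = $p[2].Value
            StartType   = $p[3].Value
        }
    } |
    Where-Object { $_.ServiceType -like '*kernel mode driver*' } |
    ForEach-Object {
        # Flag the driver named in the article and any driver loaded from a
        # user-writable location (assumed patterns; extend with your own watchlist).
        $suspicious = ($_.ImagePath -match 'OemHwUpd\.sys') -or
                      ($_.ImagePath -match '\\Users\\|\\Temp\\|\\ProgramData\\')
        $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious -PassThru
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A kernel driver service appearing in the output with a non-system image path, or the blocklist and HVCI both reporting disabled, is the condition the article's recommendations are meant to close.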
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4127968/attackers-exploit-decade%e2%80%91old-windows-driver-flaw-to-shut-down-modern-edr-defenses.html