Threat Actors Exploit 15-Year-Old EnCase Driver to Kill EDR Processes in Ransomware Precursor Attack
Huntress has published details of a February 2026 intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to access a victim network, then deployed a custom EDR killer that abuses a legitimate Guidance Software (EnCase) forensic driver to terminate security processes from kernel mode.
The attack was disrupted before ransomware deployment, but the case highlights a critical gap in Windows Driver Signature Enforcement: the kernel does not check Certificate Revocation Lists. The EnCase driver's certificate expired in January 2010 and was subsequently revoked, yet Windows still loads it because the cryptographic signature remains mathematically valid.
Initial Access
The threat actor authenticated to the victim's SonicWall SSLVPN from IP address 69.10.60[.]250. One minute earlier, Huntress SIEM telemetry had captured a denied portal login attempt from 193.160.216[.]221 (the account lacked privileges for portal access from that location), followed by the successful VPN client authentication.
Once inside, the attacker conducted aggressive network reconnaissance including ICMP ping sweeps, NetBIOS name probes, and SMB-targeted activity with SYN flood behavior exceeding 370 SYNs per second.
The EDR Killer
The attackers deployed a 64-bit Windows executable masquerading as a firmware update utility. The binary contains an embedded kernel driver concealed with a wordlist-based substitution cipher: each byte of the driver is encoded as an English word from a 256-word dictionary. The encoded payload measures roughly 4 bits of entropy per byte, well below the 7-8 bit range that static analysis typically uses to flag encrypted or compressed content, so entropy-based heuristics do not trigger on it.
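An added example (not code from the Huntress report or the sample) reproducing the entropy effect described above: a byte-per-word substitution drives the byte-level entropy of the blob down into the 4-bit range, but measuring entropy over whitespace-delimited tokens instead of bytes recovers the payload's true entropy, and the inverse mapping recovers the driver. The 256-word dictionary and the payload are constructed stand-ins.

```python
import math
import random
from collections import Counter

# Constructed 256-entry dictionary. The real sample used English words; here
# distinct lowercase pseudo-words are synthesised so the example is self-contained.
ONSETS = ["b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "v", "w", "z", "ch"]
RIMES = ["an", "el", "in", "or", "us", "ed", "ig", "ot", "um", "ay", "ow", "ee", "ar", "op", "it", "ex"]
WORDLIST = [o + r for o in ONSETS for r in RIMES]          # 16 x 16 = 256 unique words
assert len(set(WORDLIST)) == 256
WORD_TO_BYTE = {w: i for i, w in enumerate(WORDLIST)}

def encode_wordlist(payload: bytes) -> str:
    """One word per byte: WORDLIST[b] stands in for byte value b."""
    return " ".join(WORDLIST[b] for b in payload)

def decode_wordlist(text: str) -> bytes:
    """Inverse mapping an analyst applies to recover the embedded driver."""
    return bytes(WORD_TO_BYTE[w] for w in text.split())

def symbol_entropy(symbols) -> float:
    """Shannon entropy in bits per symbol over any iterable of hashable symbols."""
    counts = Counter(symbols)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def byte_entropy(data: bytes) -> float:
    return symbol_entropy(data)            # the usual packer/crypter heuristic

def token_entropy(text: str) -> float:
    return symbol_entropy(text.split())    # treat each word as one symbol

def constructed_payload() -> bytes:
    """Stand-in for an embedded driver image: zero-heavy header plus random body."""
    rng = random.Random(7)
    return b"MZ" + bytes(200) + bytes(rng.getrandbits(8) for _ in range(3800))

if __name__ == "__main__":
    payload = constructed_payload()
    blob = encode_wordlist(payload)
    print(f"raw payload  : {byte_entropy(payload):.2f} bits/byte")         # near 8
    print(f"encoded bytes: {byte_entropy(blob.encode()):.2f} bits/byte")   # roughly 4
    print(f"encoded words: {token_entropy(blob):.2f} bits/word")           # equals raw figure
    assert decode_wordlist(blob) == payload
```

Token-level entropy is a cheap complement to the byte-level check when a resource or overlay consists almost entirely of short words drawn from a small vocabulary.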
When executed, the malware decodes the driver and writes it to C:\ProgramData\OEM\Firmware\OemHwUpd.sys, then applies anti-forensic measures: setting file attributes to hidden and system, and copying timestamps from the legitimate ntdll.dll to blend with system files.
The binary registers the driver as a Windows kernel service with names designed to appear legitimate:
- Service Name: OemHwUpd
- Display Name: OEM Hardware HAL Service
- Description: Manages hardware abstraction layer compatibility
Target List: 59 Security Products
The EDR killer maintains a list of 59 target process names hashed at initialization using FNV-1a. During runtime, it enumerates running processes, computes each name's hash, and compares against the pre-computed targets. A kill loop runs continuously with a 1-second sleep interval, ensuring any security process that restarts is immediately terminated again.
Targeted vendors include Microsoft Defender, CrowdStrike, SentinelOne, Carbon Black, Palo Alto Cortex, Elastic Security, Cybereason, Cylance, Symantec, McAfee/Trellix, Trend Micro, Sophos, Kaspersky, ESET, Bitdefender, Fortinet, Malwarebytes, Avast/AVG, FireEye, Tanium, Qualys, Rapid7, and Splunk.
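An added example (not from the report) showing how an analyst resolves a table of FNV-1a process-name hashes like the one described above: hash candidate agent image names under both FNV-1a widths and a couple of encodings, and match against the recovered values. The report does not state the hash width or case normalisation the sample uses, so those are assumptions; the recovered table here is constructed, and the candidate names are analyst-supplied.

```python
# Parameters of the public FNV-1a hash (32- and 64-bit variants).
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3

def fnv1a_32(data: bytes) -> int:
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h

def fnv1a_64(data: bytes) -> int:
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h

def name_encodings(name: str):
    """Encodings to try for one candidate. Which normalisation the sample
    applies is not stated, so original and lower-case, ASCII and UTF-16LE are tried."""
    for form in (name, name.lower()):
        yield form.encode("ascii")
        yield form.encode("utf-16-le")   # Windows image names are UTF-16 internally

def resolve_hashes(unknown: set, candidates: list) -> dict:
    """Map each recovered hash to the candidate process name that produces it."""
    resolved = {}
    for cand in candidates:
        for raw in name_encodings(cand):
            for fn in (fnv1a_32, fnv1a_64):
                h = fn(raw)
                if h in unknown:
                    resolved[h] = cand
    return resolved

# Analyst-supplied candidates: well-known agent image names for vendors on the
# target list, plus a benign control.
CANDIDATES = ["MsMpEng.exe", "CSFalconService.exe", "SentinelAgent.exe", "notepad.exe"]

# Constructed stand-in for the sample's pre-computed table (assumed: FNV-1a 32-bit
# over lower-cased ASCII). In a real case these are lifted from the binary's
# initialisation routine.
RECOVERED_TABLE = {fnv1a_32(b"msmpeng.exe"), fnv1a_32(b"sentinelagent.exe")}

if __name__ == "__main__":
    for h, name in sorted(resolve_hashes(RECOVERED_TABLE, CANDIDATES).items()):
        print(f"{h:#010x} -> {name}")
```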
Why Windows Still Loads a Revoked Driver
The EnCase forensic driver (EnPortv.sys) was signed with a certificate issued on December 15, 2006. Despite the certificate expiring in January 2010 and being subsequently revoked, Windows accepts it for three reasons.
First, the July 29, 2015 exception: Microsoft requires new kernel drivers to be signed via Hardware Dev Center, but drivers signed with certificates issued before this date that chain to a supported cross-signed CA are still permitted.
Second, the driver contains a valid timestamp from Thawte Timestamping CA. When code is timestamped, Windows validates the signature against when it was created, not the current date — so the signature remains valid indefinitely.
Third, the signature chains through VeriSign Class 3 Code Signing 2004 CA to Microsoft Code Verification Root, which Windows trusts for kernel-mode code signing.
The kernel does not check CRLs because drivers load early in the boot process before network services are available, and CRL checks would impact boot performance.
Driver Capabilities
The EnCase driver exposes 18+ IOCTL functions designed for forensic acquisition, including process termination (KillProc), DKOM process hiding, kernel-mode file deletion, physical memory access, and VAD enumeration. In this incident, attackers only used IOCTL 0x223078 (KillProc) to terminate EDR processes.
When kernel-mode code calls ZwOpenProcess and ZwTerminateProcess, Windows sets PreviousMode to KernelMode, signaling that the parameters come from a trusted source and skipping the security validation enforced on user-mode callers.
Detection and Mitigation
Huntress recommends enabling MFA on all remote access services, reviewing VPN authentication logs for anomalous patterns, enabling HVCI/Memory Integrity to enforce Microsoft's Vulnerable Driver Blocklist, monitoring for services with names mimicking OEM/hardware components, deploying Microsoft's recommended driver block rules via WDAC, and enabling the ASR rule "Block abuse of exploited vulnerable signed drivers."
MITRE ATT&CK
- T1133 — External Remote Services (SonicWall SSLVPN)
- T1078 — Valid Accounts (compromised credentials)
- T1018 — Remote System Discovery (ping sweeps, NetBIOS probes)
- T1562.001 — Impair Defenses: Disable or Modify Tools (EDR killer)
- T1068 — Exploitation for Privilege Escalation (kernel driver abuse)
- T1543.003 — Create or Modify System Process: Windows Service (driver persistence)
- T1070.006 — Indicator Removal: Timestomp (ntdll.dll timestamp copying)
- T1027 — Obfuscated Files or Information (wordlist encoding)
Indicators of Compromise
Threat Actor IPs:
- 69.10.60[.]250
- 193.160.216[.]221
File Paths:
- C:\ProgramData\OEM\Firmware\OemHwUpd.sys
Service Indicators:
- Service Name: OemHwUpd
- Display Name: OEM Hardware HAL Service
File Hashes (SHA-256):
- 3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0 (EnCase driver)
- 6a6aaeed4a6bbe82a08d197f5d40c2592a461175f181e0440e0ff45d5fb60939 (EDR killer binary)