Rob Wright, Senior News Director, Dark Reading
February 5, 2026

Threat actors are using a forensic tool's Windows kernel driver to kill security products, despite the fact that the driver's digital certificate was revoked more than a decade ago.

In a blog post Wednesday, security researchers at Huntress detailed how the company responded to an intrusion earlier this month in which the threat actor used compromised SonicWall SSL VPN credentials for initial access to the victim's network. But the real kicker was how the attacker avoided detection: they weaponized the Windows kernel driver of a legitimate forensic toolset called EnCase to disable security products across the network.

The technique is known as bring-your-own-vulnerable-driver (BYOVD): the attacker drops a legitimately signed driver that can be abused, loads it, and uses its kernel-level access and elevated privileges to terminate security processes before the intrusion is detected. Threat actors have increasingly used drivers this way to disable endpoint detection and response (EDR) platforms, often in ransomware attacks; the tools that do this are commonly known as EDR killers.

The wrinkle with EnCase, developed by Guidance Software and initially released in 1998, is that the driver is old and its signing certificate is no longer valid. "The EnCase driver's certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit," Huntress's Anna Pham and Dray Agha wrote in the blog post. Ironically, the age of the EnCase driver gave the threat actor a significant advantage.

More Drivers, More EDR Problems

Driver Signature Enforcement is a Windows security feature, first enforced on 64-bit Windows Vista, that requires kernel-mode drivers to carry a digital signature chaining to a certificate authority (CA) trusted for code signing. It is designed to prevent unsigned or modified drivers from being loaded by the OS.
But as Pham and Agha noted in the blog post, the feature has significant gaps.

First, Windows doesn't consult the certificate revocation lists (CRLs) published by CAs to see whether a driver's signing certificate is still valid. "This limitation exists for practical reasons: drivers load early in the boot process before network services are available, and CRL checks would significantly impact boot performance," they wrote.

Second, with Windows 10 Microsoft introduced a policy requiring new kernel drivers to be signed through its Hardware Dev Center. To preserve backward compatibility, however, Microsoft still allows drivers signed with certificates issued before July 29, 2015, to load, as long as those certificates chain to a supported cross-signed CA. The result is that drivers carrying older certificates, even expired or revoked ones, are still allowed to load.

"This makes pre-2015 signed drivers highly valuable to attackers, because they bypass modern signing requirements; attackers don't need to submit drivers to Microsoft for verification," Pham, senior hunt and response analyst at Huntress, tells Dark Reading.

Threat actors therefore specifically seek out older drivers for EDR killers. And when they can't find a suitable one, Pham says, they exploit the loophole from another angle, using open source tools such as HookSignTool to forge timestamps on newer malicious drivers so that they appear to have been signed before July 29, 2015.

Unfortunately, there is no easy fix for BYOVD attacks. Experts say that blocking legitimate drivers can negatively impact systems and even cause them to crash. Pham says Microsoft could potentially narrow the July 29, 2015, exception, though that could break legitimate legacy software that relies on the exemption. Other options include cached CRL validation or post-boot verification, Pham says, but it is unclear how effective those mitigations would be.
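The following PowerShell script is an added example, not code from Huntress or Dark Reading, showing how a defender can audit the kernel drivers installed on a host for exactly the conditions described above: a signing certificate issued before the July 29, 2015 cutoff, a certificate that has already expired, and (optionally, with a network lookup) a certificate its CA has since revoked. The function and column names are this example's own; the cutoff date is the one the article cites, and the revocation lookup uses .NET's X509Chain rather than anything Windows does at driver load time. The script does not verify the cross-signed-CA condition, so treat PreCutoff as a lead for review, not a verdict.

```powershell
# Added example: audit installed kernel drivers for the Driver Signature Enforcement
# gaps described above. Requires an elevated PowerShell session on Windows.
# Function and column names are this example's own; 2015-07-29 is the cutoff the article cites.

$Cutoff = [datetime]'2015-07-29'

function Get-DriverSignatureRisk {
    param(
        # Perform an online CRL/OCSP check for each signer certificate (slow, needs network).
        [switch]$CheckRevocation
    )

    # Win32_SystemDriver lists kernel and file-system drivers together with their image paths.
    $paths = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        Select-Object -ExpandProperty PathName -Unique

    foreach ($raw in $paths) {
        # Paths may be stored as \??\C:\... or \SystemRoot\...; normalise to a Win32 path.
        $path = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate

        $subject   = $null
        $notBefore = $null
        $notAfter  = $null
        $revoked   = $null   # stays $null unless -CheckRevocation was requested

        if ($cert) {
            $subject   = $cert.Subject
            $notBefore = $cert.NotBefore
            $notAfter  = $cert.NotAfter

            if ($CheckRevocation) {
                $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
                $chain.ChainPolicy.RevocationMode = 'Online'
                $chain.ChainPolicy.RevocationFlag = 'EntireChain'
                # An expired certificate would fail the chain for a different reason; ignore
                # expiry here so that only revocation status is reported in this column.
                $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
                $null = $chain.Build($cert)
                $revoked = [bool]($chain.ChainStatus | Where-Object {
                    $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
                })
                $chain.Dispose()
            }
        }

        [pscustomobject]@{
            Driver    = $path
            Status    = $sig.Status      # signature/chain status as PowerShell reports it; no CRL lookup involved
            Signer    = $subject
            NotBefore = $notBefore
            NotAfter  = $notAfter
            PreCutoff = [bool]($cert -and $notBefore -lt $Cutoff)      # falls inside the legacy exemption
            Expired   = [bool]($cert -and $notAfter -lt (Get-Date))    # still loads despite this
            Revoked   = $revoked
        }
    }
}

# Usage: drivers that fall inside the pre-2015 exemption, oldest signer certificate first.
Get-DriverSignatureRisk | Where-Object PreCutoff | Sort-Object NotBefore |
    Format-Table Driver, Signer, NotBefore, NotAfter, Expired -AutoSize
```

Add -CheckRevocation to the usage line to populate the Revoked column; doing so contacts each CA's CRL or OCSP endpoint, which is exactly the network dependency the article explains the kernel loader avoids at boot.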
How the EDR Killer Was Stopped

Luckily, the intrusion was disrupted before the threat actor could deploy ransomware in the victim's network. It also gave Huntress researchers an opportunity to dissect the attack and analyze the threat actor's tools.

The EDR killer used in the intrusion is a 64-bit Windows executable that embeds the EnCase driver and is disguised as a legitimate firmware update utility. The tool also uses an unusual obfuscation technique: instead of encrypting the embedded driver, the developer applied a custom wordlist-based substitution cipher that converts each byte of the driver into an English word. "This technique is particularly effective at evading static analysis tools, as the encoded payload appears to be nothing more than innocuous English text scattered throughout the binary's data section," Pham and Agha wrote.

The binary also contains a list of 59 targeted processes belonging to major cybersecurity vendors, including Microsoft, CrowdStrike, SentinelOne, Kaspersky, Sophos, and ESET. But there was one noticeable absence. "While the EDR killer targets nearly every major EDR and [antivirus] vendor on the market, the Huntress agent was not among the 59 processes targeted for termination," Pham and Agha wrote.

Pham says the intrusion was first detected by Huntress's EDR platform when the threat actor deployed the binary on the endpoint. Huntress's managed SIEM ingested the SonicWall telemetry, which helped responders identify the initial access vector and trace the attack chain that preceded the endpoint activity.

Huntress recommended several mitigation steps to prevent similar attacks, starting with enforcing multifactor authentication (MFA) for VPN accounts (Pham and Agha noted that the stolen credentials in this case were not protected by MFA). The company also advised organizations to review VPN logs for suspicious patterns.
To defend against BYOVD attacks specifically, Huntress urged organizations to implement Microsoft's recommended driver block rules via Windows Defender Application Control (WDAC) and to enable Hypervisor-protected Code Integrity (HVCI) in Windows so that Microsoft's Vulnerable Driver Blocklist is enforced. The blocklist is a curated list of drivers known to have been abused, so a driver Microsoft has not yet catalogued can still load; organizations that need tighter control can add their own WDAC deny rules for driver signers or file hashes.
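As an added example that is not part of the Huntress write-up or this article, the following PowerShell function reports whether those two recommendations are actually in force on a host and can switch them on. Get-DriverBlocklistPosture and its -Enable switch are this example's own names; the Win32_DeviceGuard status codes and the two registry values are the ones Microsoft documents for HVCI and for the "Microsoft Vulnerable Driver Blocklist" toggle, and the rule that the blocklist is enforced whenever HVCI is running or the toggle is on also follows Microsoft's documentation. A reboot is required after changing either setting.

```powershell
# Added example: verify (and optionally enable) HVCI and the Microsoft Vulnerable
# Driver Blocklist. Run elevated. Changing either setting needs a reboot to take effect.
# Function and column names are this example's own; registry paths and WMI codes are Microsoft's.

$HvciKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$CiConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-DriverBlocklistPosture {
    param(
        # Write the registry values that turn both protections on (effective after reboot).
        [switch]$Enable
    )

    if ($Enable) {
        New-Item -Path $HvciKey -Force | Out-Null
        Set-ItemProperty -Path $HvciKey -Name 'Enabled' -Value 1 -Type DWord
        New-Item -Path $CiConfigKey -Force | Out-Null
        Set-ItemProperty -Path $CiConfigKey -Name 'VulnerableDriverBlocklistEnable' -Value 1 -Type DWord
    }

    # Win32_DeviceGuard reports what is actually running now, not just what is configured.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced.
    $wdacEnforced = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2

    # The Windows Security "Microsoft Vulnerable Driver Blocklist" toggle lives here (1 = on).
    $blocklistValue = (Get-ItemProperty -Path $CiConfigKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistState = if ($blocklistValue -eq 1) { 'Enabled' }
                      elseif ($null -eq $blocklistValue) { 'NotConfigured' }
                      else { 'Disabled' }

    [pscustomobject]@{
        HvciRunning               = $hvciRunning
        WdacPolicyEnforced        = $wdacEnforced      # true only if a WDAC policy (e.g. the block rules) is enforced
        VulnerableDriverBlocklist = $blocklistState
        # Per Microsoft's documentation the blocklist is enforced when HVCI runs or the toggle is on.
        BlocklistEnforced         = $hvciRunning -or ($blocklistValue -eq 1)
        RebootRequired            = [bool]$Enable
    }
}

Get-DriverBlocklistPosture
```

A host where BlocklistEnforced is false is in the state the article describes: a pre-2015 signed driver such as the one abused here can be loaded without any blocklist consulted. WdacPolicyEnforced only tells you that some WDAC policy is active; whether it contains Microsoft's recommended driver block rules has to be confirmed against the deployed policy itself.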