Full report: ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers

Analysis Summary
# Tool/Technique: EDR Killers (Ecosystem & BYOVD)
## Overview
EDR killers are specialized tools used by threat actors—primarily ransomware affiliates—to disrupt, disable, or bypass Endpoint Detection and Response (EDR) and Antivirus (AV) solutions. By neutralizing security software, attackers create a "safe" window to deploy payloads like encryptors without detection. The ecosystem has evolved from simple Proof of Concept (PoC) scripts to commercialized, hardened software products.
## Technical Details
- **Type:** Malware / Tooling / Technique
- **Platform:** Windows (primarily, due to driver architecture)
- **Capabilities:** Process termination, service suspension, driver exploitation, telemetry blocking, and Safe Mode manipulation.
- **First Seen:** Continuous evolution; ESET research tracks ~90 variants active in modern intrusions.
## MITRE ATT&CK Mapping
- **TA0004 - Privilege Escalation**
  - **T1068** - Exploitation for Privilege Escalation
- **TA0005 - Defense Evasion**
  - **T1562.001** - Impair Defenses: Disable or Modify Tools
  - **T1562.009** - Impair Defenses: Safe Mode Boot
  - **T1562.006** - Impair Defenses: Indicator Blocking (Driverless)
  - **T1027** - Obfuscated Files or Information
  - **T1070.004** - Indicator Removal: File Deletion
- **TA0040 - Impact**
  - **T1489** - Service Stop
  - **T1490** - Inhibit System Recovery
## Functionality
### Core Capabilities
- **BYOVD (Bring Your Own Vulnerable Driver):** The dominant technique: a legitimate, signed but vulnerable driver is installed and then exploited to gain kernel-level (Ring 0) access.
- **Process/Service Interference:** Terminating security processes or stopping protected services that user-mode permissions would otherwise shield.
- **Anti-Rootkit Abuse:** Abusing legitimate anti-rootkit tools (e.g., GMER, PC Hunter) to unhook or terminate security processes.
### Advanced Features
- **Driverless Disruption:** Manipulating network traffic or the Windows Filtering Platform (WFP) to block EDR communication with the cloud (e.g., EDRSilencer).
- **Hardened Commercial Kits:** Implementation of VMProtect, Themida, and custom control-flow flattening to hinder analysis.
- **Safe Mode Manipulation:** Scripting reboots into Safe Mode where many EDR drivers do not load, allowing for file deletion.
- **AI-Assisted Development:** Suspected use of LLMs to generate exploit code or scripts (noted in the Warlock gang's activities).
## Indicators of Compromise
### File Names (Common/Examples)
- `EDRSilencer.exe`
- `CardSpaceKiller.exe`
- `SmilingKiller.exe`
- Vulnerable drivers often misused: `dbutil_2_3.sys`, `RTCore64.sys`, `ene.sys`.
### Behavioral Indicators
- Loading of known vulnerable drivers not associated with the system's hardware.
- Unexpected system reboots into Safe Mode via `bcdedit` manipulation.
- Massive termination of processes associated with security vendors (CrowdStrike, SentinelOne, Microsoft Defender, etc.).
- Execution of `fltmc.exe` to detach filesystem filters.
## Associated Threat Actors
- **Ransomware Affiliates:** These tools are typically chosen by affiliates rather than the RaaS operators.
- **Warlock Gang:** Specifically linked to potentially AI-assisted EDR killer development.
- **Broad Ransomware Ecosystem:** Used by virtually all major groups (LockBit, BlackCat/ALPHV, etc.) as a standard pre-encryption stage.
## Detection Methods
- **Signature-based:** Blocking known vulnerable driver hashes (e.g., via Microsoft’s driver blocklist).
- **Behavioral:**
  - Monitoring for `bcdedit` commands used to force Safe Mode.
  - Tracking unauthorized attempts to stop system services.
  - Detecting the loading of drivers with a low prevalence in the environment.
- **YARA Rules:** Focus on strings related to security product process names (e.g., `MsSense.exe`, `CBRender.exe`) found within unknown binaries.
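As an added illustration (not code from the ESET report), the following Python script applies the behavioural detections above, together with the behavioural indicators from the Indicators of Compromise section, to a handful of constructed endpoint events. The event field names, the prevalence and mass-termination thresholds, and the list of security-product process names are assumptions; only the vulnerable driver file names and the `bcdedit`/`fltmc` indicators come from the page.

```python
"""Toy detector for the EDR-killer behaviours listed in this summary (added example).

Event shapes below are assumptions modelled loosely on Sysmon-style telemetry;
they are not the ESET report's data format.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample set of security-product process names (extend per environment).
SECURITY_PROCESSES = {"MsSense.exe", "MsMpEng.exe", "CSFalconService.exe", "SentinelAgent.exe"}

# Driver file names this summary lists as commonly misused.
KNOWN_VULNERABLE_DRIVERS = {"dbutil_2_3.sys", "rtcore64.sys", "ene.sys"}

LOW_PREVALENCE_HOSTS = 3   # assumed: a driver seen on fewer hosts than this is "low prevalence"
MASS_KILL_THRESHOLD = 3    # assumed: this many security-process kills by one PID ...
MASS_KILL_WINDOW_S = 60    # ... inside this window count as mass termination


@dataclass
class Alert:
    technique: str   # ATT&CK ID from the mapping above
    host: str
    detail: str


def detect(events: List[dict]) -> List[Alert]:
    """Return one Alert per suspicious behaviour found in the event stream."""
    alerts: List[Alert] = []
    kills: Dict[tuple, List[int]] = defaultdict(list)  # (host, killer_pid) -> kill timestamps

    for ev in events:
        kind, host = ev["type"], ev["host"]

        if kind == "process_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            cmd = ev["cmdline"].lower()
            # Safe Mode boot configuration: many EDR drivers do not load there.
            if image == "bcdedit.exe" and "safeboot" in cmd:
                alerts.append(Alert("T1562.009", host, f"Safe Mode boot configured: {ev['cmdline']}"))
            # Minifilter detach/unload removes the file-system hook security products rely on.
            elif image == "fltmc.exe" and re.search(r"\b(detach|unload)\b", cmd):
                alerts.append(Alert("T1562.001", host, f"Filesystem filter removed: {ev['cmdline']}"))

        elif kind == "driver_load":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in KNOWN_VULNERABLE_DRIVERS:
                alerts.append(Alert("T1068", host, f"Known vulnerable driver loaded: {name}"))
            elif ev["host_prevalence"] < LOW_PREVALENCE_HOSTS:
                alerts.append(Alert("T1068", host,
                                    f"Low-prevalence driver loaded: {name} "
                                    f"(seen on {ev['host_prevalence']} hosts)"))

        elif kind == "process_terminate" and ev["target_image"] in SECURITY_PROCESSES:
            key = (host, ev["killer_pid"])
            # Keep only kills inside the sliding window, then fire once when the threshold is crossed.
            kills[key] = [t for t in kills[key] if ev["ts"] - t <= MASS_KILL_WINDOW_S] + [ev["ts"]]
            if len(kills[key]) == MASS_KILL_THRESHOLD:
                alerts.append(Alert("T1562.001", host,
                                    f"{MASS_KILL_THRESHOLD} security processes terminated by PID "
                                    f"{ev['killer_pid']} within {MASS_KILL_WINDOW_S}s"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per ATT&CK technique ID."""
    return dict(Counter(a.technique for a in alerts))


# Constructed sample events (not real telemetry); ts = seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "ts": 10, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"type": "process_create", "host": "ws01", "ts": 20, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"type": "driver_load", "host": "ws01", "ts": 30, "image": r"C:\Users\Public\RTCore64.sys",
     "host_prevalence": 1},
    {"type": "driver_load", "host": "ws02", "ts": 31, "image": r"C:\Windows\System32\drivers\tcpip.sys",
     "host_prevalence": 500},
    {"type": "driver_load", "host": "ws02", "ts": 32, "image": r"C:\Temp\acmefan.sys",
     "host_prevalence": 1},
    {"type": "process_create", "host": "ws01", "ts": 40, "image": r"C:\Windows\System32\fltmc.exe",
     "cmdline": "fltmc detach ExampleAvFilter C:"},
    {"type": "process_terminate", "host": "ws01", "ts": 50, "killer_pid": 4242, "target_image": "MsSense.exe"},
    {"type": "process_terminate", "host": "ws01", "ts": 51, "killer_pid": 4242, "target_image": "MsMpEng.exe"},
    {"type": "process_terminate", "host": "ws01", "ts": 52, "killer_pid": 4242, "target_image": "notepad.exe"},
    {"type": "process_terminate", "host": "ws01", "ts": 53, "killer_pid": 4242, "target_image": "SentinelAgent.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.host}: {a.detail}")
```

Run on the sample stream, the script raises five alerts: the Safe Mode `bcdedit` invocation, the `fltmc` detach, the known-vulnerable `RTCore64.sys` load, the low-prevalence `acmefan.sys` load, and the burst of three security-process terminations from one PID. The mass-termination rule deliberately fires only once per window so a single killer does not flood the queue; tune the thresholds to the environment's normal driver and service churn before deploying anything like it.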
## Mitigation Strategies
- **Driver Blocklisting:** Implement the Microsoft Vulnerable Driver Blocklist or local policy-based blocking of known malicious/vulnerable hashes.
- **HVCI/VBS:** Enable Hypervisor-Protected Code Integrity (HVCI) to prevent the loading of unsigned or malicious drivers.
- **Hardened EDR Policy:** Enable tamper protection features that prevent service stops and process termination even with high-level privileges.
- **Least Privilege:** Restrict administrative access to prevent the initial installation of the EDR killer tool.
## Related Tools/Techniques
- **EDRSilencer:** A driverless tool for blocking telemetry.
- **HeartCrypt / VX Crypt:** Packers used as a service to protect EDR killers.
- **Backstab / PPLKiller:** Specific PoCs often forked and adapted by attackers.