Cybercriminals are increasingly turning trusted software against defenders, according to new research from Huntress, which has uncovered a real-world attack in which threat actors used a legitimate but vulnerable driver to disable endpoint security tools before deploying further malicious activity.
In a detailed incident response analysis, Huntress researchers observed attackers abusing an outdated EnCase forensic driver as part of a technique known as Bring Your Own Vulnerable Driver (BYOVD). The approach allowed the attackers to gain kernel-level access on compromised systems and systematically terminate endpoint detection and response (EDR) processes designed to stop them.
Killing Security Tools Before Launching the Attack
Rather than immediately deploying malware or ransomware, the attackers focused first on neutralising defensive controls. By loading the vulnerable driver, they were able to execute code at kernel level, the most privileged layer of the operating system, thereby blinding the security tools running on the endpoint.
According to Huntress, this method highlights a growing trend in which attackers prioritise disabling security products before executing their primary objectives, reducing the likelihood of detection and response.
“This wasn’t a proof-of-concept or lab exercise,” Huntress noted. “The technique was identified during an active intrusion, giving defenders a rare look at how attackers are adapting their tactics to bypass modern endpoint protections.”
Weaponising Trusted Software
The driver used in the attack originated from legitimate forensic software and carried a valid digital signature, despite its certificate having expired years earlier. Because Windows systems may still load such drivers under certain conditions, attackers can exploit known vulnerabilities to carry out malicious actions.
Huntress warned that this tactic exposes a significant blind spot for organisations that rely heavily on endpoint security tools but do not enforce strict driver control policies.
“Attackers don’t always need custom malware when they can repurpose trusted components already recognised by the operating system,” the researchers explained.
Implications for Defenders
The incident underscores the importance of hardening systems beyond traditional endpoint protection alone. Huntress recommends that organisations review their use of driver block lists, enable virtualisation-based security features such as memory integrity, and ensure strong authentication, including multi-factor authentication, is enforced on remote access points.
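As an added, defender-side example that is not part of the Huntress report: the PowerShell audit below checks the two host-hardening controls named above (memory integrity and the Microsoft vulnerable driver blocklist) and lists running non-Microsoft kernel drivers whose signing certificate has already expired, the kind of driver a BYOVD review should triage first. It assumes an elevated session on the Windows host being audited; the function names are the author's own.

```powershell
# Added audit script (not from the Huntress research). Run elevated.

function Get-DriverHardeningState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # Toggle behind "Microsoft Vulnerable Driver Blocklist" in Core Isolation settings
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklist = ($val -eq 1)

    [pscustomobject]@{
        MemoryIntegrityRunning    = $hvci
        VulnerableDriverBlocklist = $blocklist
    }
}

function Get-ExpiredSignedDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate) {
                $cert = $sig.SignerCertificate
                # A timestamped signature stays valid after the certificate's
                # NotAfter date, so an expired signer is a triage lead, not a verdict.
                if ($cert.NotAfter -lt (Get-Date) -and $cert.Subject -notmatch 'Microsoft') {
                    [pscustomobject]@{
                        Driver  = $_.Name
                        Path    = $path
                        Signer  = $cert.Subject
                        Expired = $cert.NotAfter
                        Status  = $sig.Status
                    }
                }
            }
        }
}

Get-DriverHardeningState
Get-ExpiredSignedDrivers | Format-Table -AutoSize
```

Drivers listed by the second function should be compared against the Microsoft vulnerable driver blocklist and the vendor's current release before being removed or blocked; an expired signer alone does not make a driver exploitable.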
As attackers continue to adopt BYOVD techniques, defenders may need to rethink assumptions about what constitutes “trusted” software within their environments.
Huntress researchers say they expect similar techniques to become more common as threat actors seek reliable ways to evade detection and disable security controls early in the attack lifecycle.