Threat Feed
Advisory severity: high

Threat Actors Disabling AV and EDR Solutions

Threat actors are actively disabling antivirus and EDR solutions by abusing Windows Firewall rules, uninstalling agents, and exploiting vulnerable drivers (BYOVD) to establish persistence, move laterally, and deploy ransomware undetected.

Threat actors are increasingly focusing on impairing or disabling endpoint security controls to operate undetected within compromised environments. This activity involves techniques such as creating malicious Windows Firewall rules to block EDR communications (using tools like EDRSandblast and EDRSilencer), escalating privileges to uninstall agents, and exploiting vulnerable drivers (BYOVD) to gain kernel-mode access. The objective is to create a “dark zone” where they can establish footholds, move laterally, exfiltrate data, and deploy ransomware without visibility to IT and security teams. In early February 2026, Huntress observed threat actors deploying a sophisticated “EDR Killer” binary, abusing a revoked EnCase forensic driver. This trend signifies a shift from mere evasion to active destruction of security stacks, demanding enhanced detection and response strategies.

Attack Chain

  1. Initial Access: Threat actor gains initial access via compromised credentials (e.g., SonicWall VPN).
  2. Privilege Escalation: Attempts to escalate privileges to administrator level to gain greater control over the system.
  3. Disable Defender: Attempts to disable Microsoft Defender Antivirus by abusing Windows Firewall rules and creating exclusions.
  4. EDR Agent Uninstall: Attempts to uninstall the EDR agent using Add/Remove Programs or command-line execution.
  5. BYOVD Deployment: Drops a legitimate but vulnerable, digitally signed driver (e.g., EnCase forensic driver).
  6. Kernel Exploitation: Exploits the driver vulnerability to gain kernel-mode access.
  7. Process Termination: Uses kernel-mode access to terminate protected EDR processes and unhook security monitoring.
  8. Lateral Movement/Impact: Establishes persistence, moves laterally, exfiltrates data, and deploys ransomware with no visibility.

Impact

Successful disabling of AV and EDR solutions allows threat actors to operate with impunity within compromised networks. This can lead to significant data breaches, financial losses, and reputational damage. The use of BYOVD techniques, as seen in the February 2026 incident, allows attackers to bypass common endpoint security measures and establish a persistent foothold. The impact is a “dark zone” where standard security monitoring tools are ineffective, allowing attackers to achieve their objectives without detection.

Recommendation

  • Monitor for suspicious process creation events associated with disabling or modifying Windows Defender settings (Sigma rule: Defender Exclusion Modification).
  • Detect the execution of known tools used for creating malicious firewall rules, such as those employed by EDRSandblast and EDRSilencer, using process creation logs (Sigma rule: Suspicious Firewall Rule Creation).
  • Enable driver signature enforcement and monitor for the loading of known vulnerable drivers to detect BYOVD attacks (Sysmon driver load events).

Detection coverage (2 rules)

Defender Exclusion Modification

Level: high

Detects attempts to modify Windows Defender exclusions, which can be used to impair its functionality.

Format: Sigma | Tactic: defense_evasion | Technique: T1562.001 | Log sources: process_creation, windows

Suspicious Firewall Rule Creation

Level: medium

Detects suspicious creation of Windows Firewall rules potentially used to block EDR communications.

Format: Sigma | Tactic: defense_evasion | Technique: T1562.004 | Log sources: process_creation, windows
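The following is an added worked example, not code from the advisory or its platform, showing the detection logic behind the three recommendations and the two rules listed above as a single pass over constructed Windows process-creation and Sysmon driver-load events. The event dicts, field names, the security-agent executable watchlist, and the vulnerable-driver SHA-256 entry are all constructed for the example (the hash is a placeholder, not a real driver hash); a production version would take Sigma-style log sources and a curated vulnerable-driver feed.

```python
"""
Added example (not from the advisory): toy detection pass over constructed
Windows process-creation and Sysmon driver-load events implementing:
  1. Defender exclusion / protection-tamper commands   (T1562.001)
  2. Firewall rules that block security-agent binaries (T1562.004)
  3. Driver loads matching a known-vulnerable driver list (BYOVD)
All event dicts, field names and hashes below are constructed samples.
"""
import re

# Constructed watchlist of security-agent executables. A real list is built
# from the AV/EDR products actually deployed in the environment.
SECURITY_AGENT_EXES = {"msmpeng.exe", "mssense.exe", "sensecncproxy.exe"}

# Constructed blocklist of vulnerable-driver SHA-256 hashes. The entry is a
# placeholder; real entries come from a vulnerable-driver feed, not from here.
VULNERABLE_DRIVER_SHA256 = {"00" * 32}

# Defender tamper commands: adding exclusions or disabling protection features.
DEFENDER_TAMPER = re.compile(
    r"(Add-MpPreference\s+-Exclusion(Path|Process|Extension)"
    r"|Set-MpPreference\s+-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring))",
    re.IGNORECASE,
)

# Extracts the program path from either netsh (program=...) or the
# New-NetFirewallRule cmdlet (-Program ...), quoted or unquoted.
PROGRAM_ARG = re.compile(r'(?:program=|-Program\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def check_defender_tamper(event):
    """Flag process_creation events whose command line tampers with Defender."""
    cmd = event.get("CommandLine", "")
    if DEFENDER_TAMPER.search(cmd):
        return ("Defender Exclusion Modification", "high", cmd)
    return None


def check_firewall_block(event):
    """Flag outbound/inbound firewall rules with a block action whose program
    argument points at a security-agent binary."""
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    is_netsh = "advfirewall" in low and "add rule" in low and "action=block" in low
    is_ps = "new-netfirewallrule" in low and re.search(r"-action\s+block", low) is not None
    if not (is_netsh or is_ps):
        return None
    m = PROGRAM_ARG.search(cmd)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SECURITY_AGENT_EXES:
        return ("Suspicious Firewall Rule Creation", "medium", cmd)
    return None


def check_driver_load(event):
    """Flag driver_load events whose SHA-256 is on the vulnerable-driver list."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", event.get("Hashes", ""))
    if m and m.group(1).lower() in VULNERABLE_DRIVER_SHA256:
        return ("Vulnerable Driver Load (BYOVD)", "high", event.get("ImageLoaded", ""))
    return None


def scan(events):
    """Run every check over a list of event dicts; return (rule, level, evidence) tuples."""
    findings = []
    for ev in events:
        checks = {"process_creation": (check_defender_tamper, check_firewall_block),
                  "driver_load": (check_driver_load,)}.get(ev.get("EventType"), ())
        for check in checks:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events: two tamper attempts, one benign rule, one
# vulnerable-driver load and one ordinary driver load.
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"EventType": "process_creation", "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Update" dir=out action=block '
                    'program="C:\\Program Files\\Windows Defender\\MsMpEng.exe"'},
    {"EventType": "process_creation", "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\\Apps\\app.exe"'},
    {"EventType": "driver_load", "ImageLoaded": "C:\\Windows\\Temp\\drv.sys", "Hashes": "SHA256=" + "00" * 32},
    {"EventType": "driver_load", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "11" * 32},
]

if __name__ == "__main__":
    for rule, level, evidence in scan(SAMPLE_EVENTS):
        print(f"[{level}] {rule}: {evidence}")
```

The three checks are kept as separate functions keyed on the log source so each maps one-to-one onto a Sigma rule: the first two correspond to the process_creation rules above, while the driver-load check covers the Sysmon driver load recommendation and would in practice be fed by a maintained vulnerable-driver hash list rather than the placeholder used here.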
