{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/encase/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Defender Antivirus","Huntress EDR","SonicWall VPN"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","privilege-escalation","byovd"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SonicWall","EnCase","Huntress"],"content_html":"\u003cp\u003eThreat actors are increasingly focusing on impairing or disabling endpoint security controls to operate undetected within compromised environments. This activity involves techniques such as creating malicious Windows Firewall rules to block EDR communications (using tools like EDRSandblast and EDRSilencer), escalating privileges to uninstall agents, and exploiting vulnerable drivers (BYOVD) to gain kernel-mode access. The objective is to create a \u0026ldquo;dark zone\u0026rdquo; where they can establish footholds, move laterally, exfiltrate data, and deploy ransomware without visibility to IT and security teams. In early February 2026, Huntress observed threat actors deploying a sophisticated \u0026ldquo;EDR Killer\u0026rdquo; binary, abusing a revoked EnCase forensic driver. This trend signifies a shift from mere evasion to active destruction of security stacks, demanding enhanced detection and response strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Threat actor gains initial access via compromised credentials (e.g., SonicWall VPN).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: Attempts to escalate privileges to administrator level to gain greater control over the system.\u003c/li\u003e\n\u003cli\u003eDisable Defender: Attempts to disable Microsoft Defender Antivirus by abusing Windows Firewall rules and creating exclusions.\u003c/li\u003e\n\u003cli\u003eEDR Agent Uninstall: Attempts to uninstall the EDR agent using Add/Remove Programs or command-line execution.\u003c/li\u003e\n\u003cli\u003eBYOVD Deployment: Drops a legitimate but vulnerable, digitally signed driver (e.g., EnCase forensic driver).\u003c/li\u003e\n\u003cli\u003eKernel Exploitation: Exploits the driver vulnerability to gain kernel-mode access.\u003c/li\u003e\n\u003cli\u003eProcess Termination: Uses kernel-mode access to terminate protected EDR processes and unhook security monitoring.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Impact: Establishes persistence, moves laterally, exfiltrates data, and deploys ransomware with no visibility.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of AV and EDR solutions allows threat actors to operate with impunity within compromised networks. This can lead to significant data breaches, financial losses, and reputational damage. The use of BYOVD techniques, as seen in the February 2026 incident, allows attackers to bypass common endpoint security measures and establish a persistent foothold. The impact is a \u0026ldquo;dark zone\u0026rdquo; where standard security monitoring tools are ineffective, allowing attackers to achieve their objectives without detection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious process creation events associated with disabling or modifying Windows Defender settings (Sigma rule: Defender Exclusion Modification).\u003c/li\u003e\n\u003cli\u003eDetect the execution of known tools used for creating malicious firewall rules, such as those employed by EDRSandblast and EDRSilencer, using process creation logs (Sigma rule: Suspicious Firewall Rule Creation).\u003c/li\u003e\n\u003cli\u003eEnable driver signature enforcement and monitor for the loading of known vulnerable drivers to detect BYOVD attacks (Sysmon driver load events).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:14:13Z","date_published":"2026-05-18T17:14:13Z","id":"https://feed.craftedsignal.io/briefs/2026-05-av-edr-disable/","summary":"Threat actors are actively disabling antivirus and EDR solutions through abusing Windows Firewall rules, uninstalling agents, and exploiting vulnerable drivers (BYOVD) to establish persistence, move laterally, and deploy ransomware undetected.","title":"Threat Actors Disabling AV and EDR Solutions","url":"https://feed.craftedsignal.io/briefs/2026-05-av-edr-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — EnCase","version":"https://jsonfeed.org/version/1.1"}