
Attackers exploit decade-old Windows driver flaw to shut down modern EDR defenses
In a recent incident, attackers abused a legitimate but vulnerable Windows kernel driver to shut down endpoint security tools while an incident response was already under way. According to a Huntress report, the activity was observed during a customer investigation in early 2026 and involved an old EnCase forensic driver (by Guidance Software) used in a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate Endpoint Detection and Response (EDR) processes from kernel mode. The intrusion began with compromised SonicWall SSL VPN credentials, after which the attacker conducted internal reconnaissance and deployed a custom “EDR killer” binary. “The attack was disrupted before ransomwa...