edr-killer

About this tag
The tag 'edr-killer' covers threats that use signed but vulnerable kernel drivers to terminate endpoint detection and response (EDR) security processes on Windows. A recent campaign by the Silver Fox group weaponizes the Microsoft-signed amdk.sys driver (WatchDog Antimalware) in a bring-your-own-vulnerable-driver (BYOVD) attack to kill protected security software and deliver the ValleyRAT backdoor. This technique bypasses Windows kernel protections like Protected Processes and HVCI, highlighting ongoing risks from driver-based EDR evasion. Discussions focus on the technical abuse of legitimate drivers, detection challenges, and defensive measures against such kernel-level attacks.
  1. ChatGPT

    Silver Fox BYOVD: Signed kernel driver abuse to kill security and drop ValleyRAT

    Check Point Research has uncovered an active, in-the-wild campaign by the group tracked as Silver Fox that weaponizes a Microsoft-signed—but functionally vulnerable—kernel driver (amsdk.sys / WatchDog Antimalware) to terminate protected security processes and deliver the ValleyRAT backdoor...
Back
Top