Red Hot Cyber
The Dark Side of Windows Drivers: How to Steal Data While Ignoring EDR

Redazione RHC : 5 September 2025 16:59

A recent study conducted by Workday’s Offensive Security team highlighted a vulnerability in Windows drivers that effectively bypasses Endpoint Detection and Response (EDR) tools.

This technique exploits direct disk reading, bypassing access controls, file locks, and security measures such as Virtualization-Based Security (VBS) and Credential Guard. The vulnerable driver identified, eudskacs.sys, exposes a simple code path that reads the physical disk directly, giving access to sensitive files without directly interacting with the files themselves.

Figure: path a disk read request follows when invoked from user space

Traditionally, Windows implements several defenses to protect sensitive data. For example, credential files such as SAM.hive and SYSTEM.hive are protected by Access Control Lists (ACLs) and exclusive locks that prevent simultaneous access by multiple processes.

Additionally, VBS and Credential Guard isolate the LSASS process in a virtualized container, making it more difficult to extract credentials from memory. However, direct disk access circumvents these controls, as it does not require the use of standard file access APIs and does not generate system logs.

To perform a direct disk read attack, an attacker can exploit a vulnerable driver or use low-level drivers such as disk.sys. The process involves opening a handle to the physical disk driver, sending read requests, and receiving the raw data. Once the data is obtained, an NTFS file system parser is needed to extract the desired files. This technique is particularly effective for extracting sensitive files because it does not interact directly with the files themselves and therefore does not trigger security controls.

One of the main challenges in implementing this technique, the researchers report, is the need to understand the structure of the NTFS file system. Elements such as the Master Boot Record (MBR), the GUID Partition Table (GPT), and the Volume Boot Record (VBR) contain crucial information about the layout of data on the disk. Direct disk access allows these structures to be read without restriction, bypassing access controls and making it easier to extract sensitive information.

To counter this threat, it is essential to adopt preventative security measures. Limiting administrative privileges is one of the most effective strategies, as it reduces the ability of an attacker to install malicious drivers or directly access the physical disk. Furthermore, monitoring API calls such as CreateFile, especially when they interact with low-level drivers, can help detect suspicious activity. Implementing these measures can help reduce the risk associated with this vulnerability.
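One way to act on the CreateFile monitoring advice above, as an added example that is not the researchers' or Red Hot Cyber's code: a small Python detector run over constructed audit lines that flags raw disk or volume handle opens from unexpected processes while leaving ordinary file opens (even of the SAM hive, which ACLs and locks already cover) alone. The key=value log format, the device-path patterns and the process allowlist are assumptions for this example.

```python
import re

# Device paths whose opening from user mode deserves an alert.
# These patterns are assumptions for this example, not a vendor rule set.
RAW_DEVICE_PATTERNS = [
    re.compile(r"^\\\\[.?]\\physicaldrive\d+$", re.I),                  # \\.\PhysicalDrive0
    re.compile(r"^\\\\[.?]\\[a-z]:$", re.I),                              # \\.\C: (raw volume)
    re.compile(r"^\\device\\harddisk\d+\\(dr\d+|partition\d+)$", re.I),  # \Device\Harddisk0\DR0
    re.compile(r"^\\device\\harddiskvolume\d+$", re.I),                  # \Device\HarddiskVolume3
]

# Images expected to open raw disks (hypothetical allowlist; tune per estate).
ALLOWLISTED_IMAGES = {"vssvc.exe", "defrag.exe"}


def is_raw_device(path: str) -> bool:
    """True if the handle target is a physical disk or raw volume rather than a file."""
    return any(p.match(path.strip()) for p in RAW_DEVICE_PATTERNS)


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' audit line (a constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def detect(lines):
    """Return (pid, image, target, reason) for each suspicious raw-device CreateFile."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("api") != "CreateFile" or not is_raw_device(ev.get("target", "")):
            continue  # ordinary file opens are already governed by ACLs and locks
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in ALLOWLISTED_IMAGES:
            continue
        reason = "raw disk/volume handle from unexpected process"
        if "GENERIC_WRITE" in ev.get("access", ""):
            reason += " (write access)"
        alerts.append((int(ev["pid"]), image, ev["target"], reason))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "pid=4120|image=C:\\Windows\\System32\\vssvc.exe|api=CreateFile|target=\\\\.\\PhysicalDrive0|access=GENERIC_READ",
    "pid=7788|image=C:\\Users\\bob\\tool.exe|api=CreateFile|target=\\\\.\\PhysicalDrive0|access=GENERIC_READ",
    "pid=7788|image=C:\\Users\\bob\\tool.exe|api=CreateFile|target=C:\\Windows\\System32\\config\\SAM|access=GENERIC_READ",
    "pid=9001|image=C:\\Temp\\x.exe|api=CreateFile|target=\\Device\\HarddiskVolume3|access=GENERIC_READ,GENERIC_WRITE",
]
```

Running `detect(SAMPLE_LOG)` yields two alerts: the unprivileged tool reading PhysicalDrive0 and the process opening a raw volume with write access; the backup service and the plain file open are ignored.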

In summary, direct disk access is a powerful technique for evading traditional security tools. Understanding Windows driver vulnerabilities and taking appropriate security measures are essential steps toward protecting systems from sophisticated attacks. Organizations should regularly review their drivers and implement security controls to mitigate the risks associated with this threat.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
