Threat Technique Analysis
Security researchers have detailed a potent new technique that allows attackers to read highly sensitive files on Windows systems, bypassing many of the modern security tools designed to prevent such breaches. A report from Workday’s Offensive Security team explains how a malicious actor can sidestep Endpoint Detection and Response (EDR) solutions, file permissions, and other critical protections by reading data directly from a computer’s raw disk to steal credential files and other sensitive data.
The method is particularly stealthy because it avoids standard file-access procedures that are typically monitored by security software. Instead of opening a file by name, the attack involves communicating directly with low-level disk drivers to request raw data from a specific physical location on the disk, leaving no trace in default system logs.
Key Insights
This technique highlights a significant gap in many organizations’ security visibility:
- Bypasses EDR and File Permissions: The core of the attack is that it never makes a standard operating system request to “open” a sensitive file by its name. Instead of an alert-worthy event like “malware.exe accessed SAM file,” a security tool might only see a benign-looking request to “read sector 12345.” This allows the technique to evade file access controls, exclusive file locks, and even advanced defenses like Virtualization-Based Security (VBS).
- A Stealthy Attack with No Default Logs: This technique leaves no evidence of its activity in the default Windows system or security logs. The absence of logs makes post-breach forensic investigation extremely difficult, as there is no record of the sensitive files ever being “accessed” through normal channels.
- Multiple Pathways to Exploitation: The attack is versatile. An attacker who has already gained administrative privileges can perform this attack using built-in Windows drivers. Alternatively, an attacker with fewer privileges can achieve the same result by exploiting a vulnerable third-party driver (in a “Bring Your Own Vulnerable Driver” or BYOVD attack) to gain the necessary kernel-level access to the disk.
Mitigation Strategies
Protecting against such a low-level attack is challenging but achievable with a defense-in-depth strategy:
- Implement Full Disk Encryption: This is the most effective defense. Using tools like Microsoft BitLocker encrypts the data at rest on the disk. Even if an attacker successfully reads the raw sectors from the disk, the data they acquire will be unreadable ciphertext without the decryption key.
- Enforce the Principle of Least Privilege: Limiting the number of administrative accounts on endpoints makes it significantly harder for an attacker to gain the high-level privileges needed to easily interact with disk drivers or to install a vulnerable driver.
- Enable Advanced Monitoring for Raw Disk Access: While default logs are blind to this, advanced monitoring tools like Microsoft’s Sysmon can be specifically configured to detect and log raw disk read events (Event ID 9). Security teams can then create alerts based on this telemetry, though careful filtering may be required to manage noise.
- Implement Driver Vetting and Blocklisting: To counter the BYOVD variation of this attack, organizations should utilize security features like Microsoft’s recommended driver blocklist. This prevents known-vulnerable drivers from being loaded into the kernel, closing the loophole that attackers exploit.
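To make the Sysmon recommendation above concrete, here is an added triage script (not from the original report or from Workday) that walks exported Sysmon events, keeps only Event ID 9 (RawAccessRead) records, and drops images on an allowlist of legitimate raw-disk readers to manage the noise the post mentions. The sample events and the allowlisted backup path are constructed for illustration and must be tuned per environment.

```python
import xml.etree.ElementTree as ET

# Sysmon writes events in the standard Windows event schema namespace.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Assumed allowlist (lower-cased) of images that legitimately read raw volumes,
# e.g. backup or imaging agents. This path is a placeholder, not a real product.
ALLOWLIST = {r"c:\program files\backupvendor\backup.exe"}

# Constructed sample export in the shape `wevtutil qe ... /f:xml` produces.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>9</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 10:00:00.000</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Users\bob\AppData\Local\Temp\update.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume3</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>9</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 10:05:00.000</Data>
    <Data Name="ProcessId">812</Data>
    <Data Name="Image">C:\Program Files\BackupVendor\backup.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume3</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WS01</Computer></System>
  <EventData><Data Name="Image">C:\Windows\System32\notepad.exe</Data></EventData>
</Event>
</Events>"""


def event_data(event):
    """Flatten the <Data Name="..."> children of one event into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.iter(EVT_NS + "Data")}


def triage_raw_access(xml_text, allowlist=ALLOWLIST):
    """Return one alert per Event ID 9 record whose Image is not allowlisted."""
    alerts = []
    for ev in ET.fromstring(xml_text).iter(EVT_NS + "Event"):
        if ev.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "9":
            continue  # only RawAccessRead events matter here
        data = event_data(ev)
        image = data.get("Image", "")
        if image.lower() in allowlist:
            continue  # known raw-disk reader, suppress to control noise
        alerts.append({"time": data.get("UtcTime"), "pid": data.get("ProcessId"),
                       "image": image, "device": data.get("Device"),
                       "computer": ev.findtext(f"{EVT_NS}System/{EVT_NS}Computer")})
    return alerts
```

An empty allowlist surfaces every raw read, which is the right starting point when baselining which processes in an environment legitimately touch `\Device\HarddiskVolume*`.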