Severity: critical (5 min read)

They Got In Through SonicWall. Then They Tried to Kill Every Security Tool

Threat actors breached a network via compromised SonicWall SSLVPN credentials and deployed a sophisticated EDR killer to blind endpoint security prior to a planned ransomware deployment. The malware utilizes a Bring Your Own Vulnerable Driver (BYOVD) technique, dropping a revoked EnCase forensic driver encoded with a novel wordlist substitution cipher to terminate 59 different security processes directly from kernel mode.

Sens: Immediate | Conf: high | Analyzed: 2026-03-19 | reports

Authors: Huntress

Actors: Ransomware precursor activity

Source: Huntress

IOCs · 3

Key Takeaways

  • Threat actors compromised SonicWall SSLVPN credentials to gain initial access to the victim network.
  • Attackers deployed an EDR killer using a Bring Your Own Vulnerable Driver (BYOVD) technique with a revoked EnCase forensic driver (EnPortv.sys).
  • The EDR killer uses a novel 256-word dictionary substitution cipher to encode the driver payload, effectively evading static and entropy-based analysis.
  • The malware establishes persistence as a kernel service named 'OemHwUpd' and timestomps the dropped driver using ntdll.dll to blend in.
  • The driver exposes IOCTL 0x223078 to terminate 59 different security processes from kernel mode, bypassing usermode protections like Protected Process Light (PPL).

Affected Systems

  • SonicWall SSLVPN
  • Windows OS
  • Endpoint Detection and Response (EDR) Agents
  • Antivirus (AV) Software

Attack Chain

The attacker gained initial access by authenticating to a SonicWall SSLVPN using compromised credentials. After conducting aggressive network reconnaissance via ICMP, NetBIOS, and SMB probes, they executed an EDR killer masquerading as a legitimate process (C:\Users\Public\svchost.exe). This binary decoded an embedded EnCase forensic driver using a custom wordlist cipher, dropped it to C:\ProgramData\OEM\Firmware\OemHwUpd.sys, and timestomped it to match ntdll.dll. Finally, the malware registered the driver as a kernel service and continuously sent target PIDs via IOCTL 0x223078 to terminate 59 different security products from kernel mode.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Elastic Security (ES|QL)

The article includes a screenshot demonstrating an ES|QL query used to filter SonicWall VPN authentication logs by source IP and event code.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect the initial execution and service creation, but once the vulnerable driver is loaded, it terminates the EDR process from kernel mode, blinding further visibility.
  • Network Visibility: Medium. Network telemetry can identify the initial VPN compromise and subsequent aggressive internal reconnaissance (ping sweeps, SYN floods).
  • Detection Difficulty: Moderate. The custom wordlist encoding evades static signatures and entropy checks, making payload detection hard. However, the service creation with a specific name and the loading of a known vulnerable driver provide solid behavioral detection opportunities.

Required Log Sources

  • VPN Authentication Logs
  • Windows System Event Log (Event ID 7045 - Service Creation)
  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
  • Driver Load Logs (Sysmon Event ID 6)

Hunting Hypotheses

  • Hypothesis: Look for Windows service creation events where the service name is 'OemHwUpd' or the binary path points to 'C:\ProgramData\OEM\Firmware'.
    • Telemetry: Windows System Event Log (Event ID 7045)
    • ATT&CK Stage: Persistence
    • FP Risk: Low
  • Hypothesis: Hunt for processes named 'svchost.exe' executing from anomalous directories such as 'C:\Users\Public'.
    • Telemetry: Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
    • ATT&CK Stage: Execution
    • FP Risk: Low
  • Hypothesis: Monitor for the loading of drivers with expired certificates or known vulnerable hashes (e.g., EnPortv.sys) using driver load events.
    • Telemetry: Sysmon Event ID 6 (Driver Loaded)
    • ATT&CK Stage: Defense Evasion
    • FP Risk: Medium
  • Hypothesis: Investigate VPN authentication logs for successful logins immediately following denied access attempts from different geographic locations or IPs.
    • Telemetry: VPN Authentication Logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Medium
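The three endpoint hunts above (service creation, svchost.exe outside System32, suspicious driver load) written as one detection routine over constructed JSON event records. This is an added example, not code from Huntress or the report; the SHA256 blocklist entry is a placeholder and the event records are constructed, not real telemetry.

```python
import json

# Values taken from the report: the service name, the drop directory and the driver file names.
SUSPECT_SERVICE = "oemhwupd"
SUSPECT_DIR = "c:\\programdata\\oem\\firmware"
KNOWN_VULN_DRIVER_NAMES = {"enportv.sys", "oemhwupd.sys"}
KNOWN_VULN_SHA256 = {"PLACEHOLDER_SHA256_FROM_VETTED_BLOCKLIST"}  # placeholder, not a real hash
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
def _norm(path: str) -> str:
    return path.strip().strip('"').lower()
def _sha256(hashes: str) -> str:
    # Sysmon writes the Hashes field as "SHA256=...,MD5=..."; return the SHA256 part, if any.
    for part in hashes.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].upper()
    return ""

def hunt(events):
    # Returns (hypothesis, detail) pairs for each event matching one of the three endpoint hunts.
    hits = []
    for e in events:
        eid = e.get("EventID")
        if eid == 7045:  # System log: a new service was installed
            name, path = _norm(e.get("ServiceName", "")), _norm(e.get("ImagePath", ""))
            if name == SUSPECT_SERVICE or path.startswith(SUSPECT_DIR):
                hits.append(("persistence", f"service {e['ServiceName']} -> {e['ImagePath']}"))
        elif eid in (1, 4688):  # Sysmon or Security log process creation
            image = _norm(e.get("Image") or e.get("NewProcessName", ""))
            if image.endswith("\\svchost.exe") and not image.startswith(SYSTEM_DIRS):
                hits.append(("execution", f"svchost.exe outside System32: {image}"))
        elif eid == 6:  # Sysmon driver load; a revoked cert can still show Valid since revocation is not checked
            image = _norm(e.get("ImageLoaded", ""))
            if (image.rsplit("\\", 1)[-1] in KNOWN_VULN_DRIVER_NAMES or image.startswith(SUSPECT_DIR)
                    or _sha256(e.get("Hashes", "")) in KNOWN_VULN_SHA256
                    or e.get("SignatureStatus", "").lower() != "valid"):
                hits.append(("defense_evasion", f"driver load {image} (sig={e.get('SignatureStatus')})"))
    return hits

# Constructed sample telemetry (not from the report), one JSON record per line.
SAMPLE_EVENTS = r"""
{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 1, "Image": "C:\\Users\\Public\\svchost.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7045, "ServiceName": "OemHwUpd", "ImagePath": "C:\\ProgramData\\OEM\\Firmware\\OemHwUpd.sys"}
{"EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 6, "ImageLoaded": "C:\\ProgramData\\OEM\\Firmware\\OemHwUpd.sys", "SignatureStatus": "Valid", "Hashes": "SHA256=AAAA"}
"""

def run_sample():
    return hunt(json.loads(line) for line in SAMPLE_EVENTS.strip().splitlines())
```

The driver branch deliberately flags the load even when SignatureStatus reads Valid, because the page's control gap is precisely that DSE does not consult CRLs.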

Control Gaps

  • Driver Signature Enforcement (DSE) does not check Certificate Revocation Lists (CRLs)
  • Lack of MFA on SSLVPN accounts

Key Behavioral Indicators

  • Service creation: OemHwUpd
  • File creation: C:\ProgramData\OEM\Firmware\OemHwUpd.sys
  • Execution of svchost.exe from C:\Users\Public\
  • Timestomping of .sys files matching ntdll.dll timestamps

False Positive Assessment

  • Low. The specific combination of the OemHwUpd service name, the EnCase driver hash, and the custom wordlist encoding is highly specific to this threat actor's EDR killer.

Recommendations

Immediate Mitigation

  • Quarantine affected systems to prevent further lateral movement or ransomware deployment.
  • Block the identified threat actor IPs (69.10.60.250, 193.160.216.221) at the firewall.
  • Search for and remove the OemHwUpd service and associated driver file.

Infrastructure Hardening

  • Enable MFA on all remote access services, including SonicWall SSLVPN.
  • Enable Hypervisor-Protected Code Integrity (HVCI) / Memory Integrity to enforce the Microsoft Vulnerable Driver Blocklist.
  • Deploy Microsoft's recommended driver block rules via Windows Defender Application Control (WDAC).

User Protection

  • Enable the Attack Surface Reduction (ASR) rule 'Block abuse of exploited vulnerable signed drivers' to prevent applications from writing vulnerable drivers to disk.

Security Awareness

  • Review VPN authentication logs for anomalous login patterns and denied access attempts preceding successful authentication.
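The VPN log review described above, as an added example that is not from the report or from Huntress: flag a successful login that follows denied attempts for the same account from a different source IP within a 30-minute window. The log lines are a constructed CSV format, not SonicWall's real log format, and the accounts and IPs are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed sample log (not SonicWall's format): timestamp,user,source_ip,result
SAMPLE_LOG = """\
2026-03-10T08:01:12,jdoe,203.0.113.7,denied
2026-03-10T08:01:40,jdoe,203.0.113.7,denied
2026-03-10T08:05:03,jdoe,198.51.100.23,success
2026-03-10T09:28:00,asmith,192.0.2.44,denied
2026-03-10T09:30:00,asmith,192.0.2.44,success
2026-03-10T11:00:00,bkim,203.0.113.9,denied
2026-03-10T12:45:00,bkim,203.0.113.9,success
"""

def parse(text):
    # Yield (timestamp, user, ip, result) tuples from the constructed CSV format.
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        yield datetime.fromisoformat(ts), user, ip, result

def find_suspicious_logins(records, window=WINDOW):
    # A success counts as suspicious when the same account was denied from a
    # different IP within the window; same-IP retries are left to brute-force logic.
    recent_denied = defaultdict(list)  # user -> [(timestamp, ip)]
    hits = []
    for ts, user, ip, result in sorted(records):
        recent_denied[user] = [(t, i) for t, i in recent_denied[user] if ts - t <= window]
        if result == "denied":
            recent_denied[user].append((ts, ip))
        elif result == "success":
            prior_ips = {i for _, i in recent_denied[user] if i != ip}
            if prior_ips:
                hits.append({"user": user, "time": ts.isoformat(), "success_ip": ip,
                             "denied_ips": sorted(prior_ips)})
    return hits

def run_sample():
    return find_suspicious_logins(parse(SAMPLE_LOG))
```

In the sample only jdoe is flagged: asmith's denial came from the same IP as the success, and bkim's denial falls outside the window.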

MITRE ATT&CK Mapping

  • T1133 - External Remote Services
  • T1046 - Network Service Discovery
  • T1027 - Obfuscated Files or Information
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1070.006 - Indicator Removal: Timestomp
  • T1543.003 - Create or Modify System Process: Windows Service

Additional IOCs

  • File Paths:
    • C:\Users\Public\svchost.exe - File path of the EDR killer executable observed in EDR telemetry.
  • Other:
    • OemHwUpd - Windows service name created by the malware for driver persistence.
    • OEM Hardware HAL Service - Display name of the malicious Windows service.
    • 0x223078 - IOCTL code (KillProc) used by the usermode component to send target PIDs to the kernel driver for termination.