Source: https://medium.com/workday-engineering/leveraging-raw-disk-reads-to-bypass-edr-f145838b0e6d
Author: Christopher Ellis

Analysis of a highly advanced Endpoint Detection and Response (EDR) evasion technique that leverages raw disk reads to bypass security monitoring.
The article explains that EDR systems rely on hooking high-level Operating System (OS) Application Programming Interfaces (APIs) to gain visibility, while raw disk access circumvents this by interacting directly with low-level disk drivers.
It details the attack mechanics, which often require kernel-level privilege escalation via the Bring Your Own Vulnerable Driver (BYOVD) method, letting attackers reconstruct sensitive files such as credential stores without triggering file-access logs.
It then outlines defense-in-depth strategies, emphasizing Full-Disk Encryption (FDE) and specialized low-level monitoring tools such as Sysmon, which can log the resulting "RawAccessRead" events.
Ultimately, the article argues that defense must shift toward hardware-assisted security to counter the trend of adversaries moving "down the stack."
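As an added example (not code from the article or the podcast), here is the detection the summary points to: scanning Sysmon Event ID 9 "RawAccessRead" records and flagging volume-level raw reads from processes outside an assumed allowlist. The sample events, the allowlist path and the `find_suspicious_raw_reads` helper are constructed for this example.

```python
"""Flag Sysmon RawAccessRead (Event ID 9) records from processes outside an allowlist."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RAW_ACCESS_READ = "9"  # Sysmon Event ID 9 = RawAccessRead

# Hypothetical allowlist for this example: processes the organisation expects to
# open volumes directly (e.g. its backup agent). Any other raw reader is flagged.
ALLOWLIST = {r"c:\program files\examplebackup\agent.exe"}


def _event(event_id, image, device, pid):
    """Build a constructed Sysmon record carrying only the fields this check uses."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="Device">{device}</Data>
  </EventData>
</Event>"""


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    _event(9, r"C:\Program Files\ExampleBackup\agent.exe", r"\Device\HarddiskVolume3", 4120),
    _event(9, r"C:\Users\alice\AppData\Local\Temp\update.exe", r"\Device\HarddiskVolume3", 7788),
    _event(1, r"C:\Windows\System32\notepad.exe", "-", 5100),
]


def parse_event(xml_text):
    """Return the EventID plus the EventData name/value pairs of one record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": event_id, **data}


def find_suspicious_raw_reads(xml_events, allowlist=ALLOWLIST):
    """Flag volume-level raw reads by processes not on the allowlist."""
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["event_id"] != RAW_ACCESS_READ:
            continue
        image, device = ev.get("Image", ""), ev.get("Device", "")
        if device.lower().startswith(r"\device\harddiskvolume") and image.lower() not in allowlist:
            hits.append({"pid": ev.get("ProcessId"), "image": image, "device": device})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_raw_reads(SAMPLE_EVENTS):
        print(f"ALERT RawAccessRead pid={hit['pid']} image={hit['image']} device={hit['device']}")
```

Live Sysmon events carry more fields (UtcTime, ProcessGuid, User), which belong in the alert but do not change the check.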
By Benjamin Alloul | NotebookLM