Hackers May Leverage Raw Disk Reads to Bypass EDR Solutions and Access Highly Sensitive Files


Researchers have described a new technique that allows attackers to read highly sensitive files on Windows systems, bypassing many of the modern security tools designed to prevent such breaches.

A report from Workday’s Offensive Security team explains how, by reading data directly from a computer’s raw disk, a malicious actor can sidestep Endpoint Detection and Response (EDR) solutions, file permissions, and other critical protections to steal credential files.

The method avoids standard file-access procedures that are typically monitored by security software. Instead of opening a file by name, the attack involves communicating directly with low-level disk drivers.


An attacker with administrator rights can use built-in Windows drivers, or a user with fewer privileges could exploit a vulnerable third-party driver, to request raw data from a specific location on the physical disk.

This approach is particularly stealthy because the attack never requests a sensitive file like the SAM hive by name. Instead, it asks for the data at a particular sector address.

(Figure: raw disk read request)

This means many security systems, which look for malicious file access by name, are blind to the activity. The EDR solution might see a request to “read sector 12345” instead of an alert-worthy attempt to “open the system’s password file.”

This allows the technique to evade file access controls, exclusive file locks, and even advanced defenses like Virtualization-Based Security (VBS). Furthermore, it leaves no trace in the default system logs.

How the Attack Works

After an attacker obtains the raw disk data, they must parse it to reconstruct the target file.

This process involves interpreting the NTFS file system structure, starting from the Master Boot Record to find the disk partition, then locating the Master File Table (MFT), which serves as a directory for the entire volume.

By reading the MFT, the attacker can pinpoint the exact physical location of any file’s data, read it in clusters, and reassemble it—all without ever officially “opening” the file through the operating system.

The Workday team demonstrated this attack by leveraging a vulnerability (assigned CVE-2025-50892) in a driver that improperly exposed this raw read capability.

However, they emphasize that any user with administrative privileges can perform this attack without needing a vulnerable driver, making it a relevant threat in many corporate environments.

Protecting against such a low-level attack is challenging, as it bypasses security layers that many organizations depend on. The researchers recommend a “defense in depth” strategy incorporating several measures:

  • Full Disk Encryption: Using tools like BitLocker makes the raw data on the disk unreadable without the encryption key, significantly hampering this attack.
  • Restrict Privileges: Limiting administrative access makes it harder for attackers to interact directly with disk drivers or install new malicious ones.
  • Monitor for Raw Access: Advanced monitoring with tools like Microsoft’s Sysmon can be configured to detect raw disk read events (Event ID 9), though this may require careful filtering to manage alerts.
  • Driver Vetting: Organizations should actively monitor for the installation of unsigned or known-vulnerable drivers using resources like Microsoft’s recommended driver blocklist.
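The monitoring recommendation above can be turned into a first-pass triage rule: collect Sysmon RawAccessRead events (Event ID 9) and suppress the processes that are expected to open volumes raw, so that only unexplained readers surface. The script below is an added example written for this article, not code from Workday or Microsoft; the sample events, the allowlist entries and the `rawread.exe` image name are constructed, and the XML shape follows Sysmon events exported from the Windows event log.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RAW_ACCESS_READ = 9  # Sysmon Event ID 9: RawAccessRead

# Images that legitimately open volumes raw (constructed allowlist for this
# example; build yours from a baseline of your own fleet, e.g. backup agents).
KNOWN_RAW_READERS = {r"c:\windows\system32\vssvc.exe", r"c:\windows\system32\defrag.exe"}

# Constructed sample in the shape of Sysmon events exported from the event log as XML.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>9</EventID></System><EventData>
  <Data Name="UtcTime">2025-09-01 10:15:02.123</Data>
  <Data Name="ProcessId">4212</Data>
  <Data Name="Image">C:\Windows\System32\vssvc.exe</Data>
  <Data Name="Device">\Device\HarddiskVolume3</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>9</EventID></System><EventData>
  <Data Name="UtcTime">2025-09-01 10:16:40.500</Data>
  <Data Name="ProcessId">7788</Data>
  <Data Name="Image">C:\Users\alice\tools\rawread.exe</Data>
  <Data Name="Device">\Device\HarddiskVolume3</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield (event_id, {field: value}) for every Sysmon event in the export."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data

def find_suspicious_raw_reads(xml_text, allowlist=KNOWN_RAW_READERS):
    """Return RawAccessRead (Event ID 9) records whose Image is not allowlisted."""
    hits = []
    for eid, data in parse_events(xml_text):
        if eid != RAW_ACCESS_READ:
            continue  # only raw-access events matter here
        image = data.get("Image", "")
        if image.lower() in allowlist:
            continue  # expected raw reader such as VSS; suppress the alert
        hits.append({"time": data.get("UtcTime"), "pid": data.get("ProcessId"),
                     "image": image, "device": data.get("Device")})
    return hits

if __name__ == "__main__":
    for h in find_suspicious_raw_reads(SAMPLE_EVENTS):
        print(f"{h['time']} pid={h['pid']} {h['image']} read {h['device']} raw")
```

On a real fleet, feed the output of an event-log export (for example `Get-WinEvent` filtered to the Sysmon channel and saved as XML) and expect to tune the allowlist for a few days before the remaining hits are worth an analyst's time.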

The researchers conclude that while the concept of raw disk access is not new, its proven effectiveness against modern EDRs highlights a significant gap in security visibility.

As sophisticated hacking techniques become more accessible, organizations must understand and defend against threats that operate below the surface of the typical operating system.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.