Attackers can bypass Endpoint Detection and Response (EDR) tools and file locks by reading raw disk sectors directly, highlighting the urgent need for organizations to audit and secure the drivers installed on their Windows systems.
In modern Windows environments, drivers provide low-level access to hardware and disk functions.
A recent investigation by Workday’s Offensive Security team uncovered how a default or vulnerable driver can be abused to read raw disk data and extract sensitive files—such as the SAM hive, SYSTEM hive, and NTDS.dit—without triggering EDR alerts or standard file-access controls.
At the heart of this technique is a vulnerable driver (CVE-2025-50892) named eudskacs.sys, which exposes a simple interface for raw disk reads.
By opening a handle to the driver, an attacker can specify a byte offset and length. The driver forwards this request down the Windows driver stack—through disk.sys, storport.sys, and the hardware’s miniport driver—to read the actual disk sectors.
The data flows back up to the attacker without ever opening the target files directly.
Because this approach uses raw sector reads rather than the usual file APIs (such as CreateFile and ReadFile), it sidesteps multiple defenses:
- Access Control Lists (ACLs): The attack ignores file-level ACLs that normally restrict access to SYSTEM-only files.
- Exclusive File Locking: Locked files like the SAM hive remain unreadable via standard APIs, but raw reads are uninhibited.
- Virtualization-Based Security (VBS) and Credential Guard: These protect LSASS memory but do not stop raw disk reads.
- Windows Resource Protection (WRP): Prevents unauthorized modifications but not direct reads of disk sectors.
- EDR Kernel Hooks: Most EDRs hook functions like NtReadFile. Raw disk reads occur at a lower level, so EDRs see only “read sector X” commands, not “read file SAM.”
- Windows Auditing: Object Access Auditing logs file-based access but not sector-level operations.
Once an attacker obtains raw disk data, they must parse the NTFS file system. This involves reading the Master Boot Record (MBR) or GUID Partition Table (GPT) to locate partitions, then reading the Volume Boot Record (VBR) to find the Master File Table (MFT).
The MFT records contain metadata and pointers (data runs) to file contents. By decoding data runs—header byte, run length, and run offset—attackers can calculate Logical Block Addresses (LBAs) for each file’s clusters, then issue further raw reads to assemble complete files.
While writing an NTFS parser can be complex, open-source projects like raw-disk-parser make the task easier.
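To make the data-run decoding described above concrete, here is an added example (not code from the Workday write-up or from raw-disk-parser) that decodes a constructed NTFS run list into cluster ranges and converts them to LBAs; the partition start LBA (2048) and cluster size (8 sectors) are assumed values, and the same decoding is what a forensic NTFS parser performs.

```python
# Added example: decode an NTFS $DATA attribute run list into cluster ranges,
# then map those ranges to Logical Block Addresses (LBAs). Not taken from the
# Workday write-up or raw-disk-parser; the run bytes below are constructed.
from typing import Optional

# Constructed run list: header 0x21 -> 1-byte length (0x18 = 24 clusters),
# 2-byte offset (0x5634 = 22068); header 0x11 -> 1-byte length (48), 1-byte
# signed offset (0xF0 = -16, relative to the previous run); header 0x01 ->
# 1-byte length (8) and no offset field, i.e. a sparse run; 0x00 terminates.
SAMPLE_RUNS = bytes.fromhex("21 18 34 56 11 30 F0 01 08 00")

def decode_data_runs(runs: bytes) -> list[tuple[Optional[int], int]]:
    """Return (start_cluster, cluster_count) per run; start is None if sparse."""
    pos, lcn, out = 0, 0, []
    while pos < len(runs) and runs[pos] != 0:   # 0x00 header ends the list
        header = runs[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError("truncated or malformed run list")
        count = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            out.append((None, count))          # sparse: no clusters on disk
            continue
        # Offsets are signed and relative to the previous run's start cluster.
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        out.append((lcn, count))
    return out

def runs_to_sector_ranges(runs, partition_start_lba: int, sectors_per_cluster: int):
    """Map cluster ranges to (first_lba, sector_count); sparse runs keep None."""
    return [
        (None if lcn is None else partition_start_lba + lcn * sectors_per_cluster,
         count * sectors_per_cluster)
        for lcn, count in runs
    ]

if __name__ == "__main__":
    clusters = decode_data_runs(SAMPLE_RUNS)
    # Assumed layout: partition starts at LBA 2048, 4 KiB clusters on 512-byte sectors.
    for lba, n in runs_to_sector_ranges(clusters, 2048, 8):
        print("sparse run" if lba is None else f"LBA {lba}", f"{n} sectors")
```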
Even without installing a third-party driver, an administrator-level user can open a handle to disk.sys directly and achieve the same result.
Defensive Recommendations:
- Audit Drivers: Regularly review installed drivers and remove any that are unnecessary or have overly permissive Security Descriptors.
- Enforce Strict SDDL: Ensure drivers require administrative privileges by restricting broad SDDL strings such as “D:P(A;;GA;;;WD)”, which grants Everyone (WD) generic all access (GA) to the device object.
- Monitor Sector Reads: Enhance EDRs and SIEMs to detect unusual patterns of raw disk reads or high volumes of sector-level I/O requests.
- Harden Privileges: Limit the number of users with administrative rights who can access disk.sys or install drivers.
By understanding and securing driver interfaces, organizations can close this stealthy attack vector and protect their most sensitive data.