Categories: Cyber Security News

Hackers Exploit Raw Disk Reads to Evade EDR Detection

Endpoint Detection and Response (EDR) solutions have become the cornerstone of enterprise security.

Yet a recent proof-of-concept exploit demonstrates that raw disk reads—long considered a benign low-level operation—can be weaponized to bypass multiple layers of defense, including file locks, access controls, and runtime mitigations.


The technique, detailed by Christopher Ellis and the Workday Offensive Security team, relies on exposing a vulnerable driver or leveraging built-in Windows drivers to perform unmediated reads of the physical disk, allowing attackers to extract sensitive artifacts without touching files via standard APIs.

At the heart of this method is a kernel driver (eudskacs.sys, tracked as CVE-2025-50892) that exposes raw disk I/O primitives to user space.

By opening a handle to the disk device (e.g., \Device\Harddisk0\DR0) and issuing IRP_MJ_READ requests directly to disk.sys (or storport.sys), an adversary can retrieve arbitrary sectors.

Once raw sectors are obtained, a custom NTFS parser reads the Volume Boot Record (VBR) to locate the Master File Table (MFT), then parses $DATA attributes and data runs to reconstruct files such as SAM.hive, SYSTEM.hive, or NTDS.dit—all while avoiding ACL checks, exclusive locks, Virtualization-Based Security (VBS), and Windows Resource Protection (WRP).

This subversion of EDR hinges on the fact that most EDR agents hook high-level file APIs (NtCreateFile, NtReadFile) to monitor filesystem access.

Raw sector reads, however, manifest as generic disk I/O, obscuring the intent to read a specific protected file.

Likewise, Windows auditing (Event ID 4663) only logs named file access, leaving raw read operations invisible by default.

A generalized path a raw disk read request takes when invoked from user space

Defensive and Developmental Imperatives

Defenders face limited practical countermeasures against this low-level attack.


The most effective mitigations include:

  • Driver blocklists and App Control policies to prevent vulnerable or unsigned driver installation.
  • Full disk encryption (e.g., BitLocker) to render raw sectors unreadable without keys.
  • Least-privilege administration to restrict who can open handles to disk.sys.
  • Sysmon Event ID 9 monitoring for RawAccessRead, albeit with noise challenges.
  • Auditing CreateFile calls on device objects to flag suspicious driver interactions.
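The Sysmon Event ID 9 item above is the one control in this list that produces telemetry a SOC can act on, and the noise it mentions comes from legitimate raw readers (shadow copy, defragmentation, the kernel). The following is an added example, not code from the article or from the Workday research: it parses Event 9 (RawAccessRead) records in the real Sysmon XML layout, drops an assumed allowlist of known raw readers, and ranks what remains, treating a read of a whole physical disk (\Device\HarddiskN\DRN, the path the technique above opens) or a reader running from a user-writable directory as high severity. The event records are constructed; the allowlist and directory list are assumptions to tune per environment.

```python
"""Triage Sysmon Event ID 9 (RawAccessRead) records for unexpected raw disk reads.

Added example, not code from the article or from the Workday research: the
event records below are constructed to follow the Sysmon Event 9 schema
(UtcTime, ProcessGuid, ProcessId, Image, Device). The allowlist and the
"user-writable directory" list are assumptions to be tuned per environment.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allowlist of images that legitimately read raw sectors (shadow copy,
# defragmentation, the kernel itself). This is where the noise lives: tune it.
ALLOWLIST = {
    "system",
    "c:\\windows\\system32\\vssvc.exe",
    "c:\\windows\\system32\\defrag.exe",
}

# \Device\HarddiskN\DRN is a whole physical disk; \Device\HarddiskVolumeN is a volume.
PHYSICAL_DISK = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)
VOLUME = re.compile(r"^\\Device\\HarddiskVolume\d+$", re.IGNORECASE)

# Lower-cased path fragments from which a raw-disk reader is not expected to run.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def make_event(utc, pid, image, device):
    """Build one constructed Sysmon Event 9 record in the real event XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>9</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ProcessGuid">{{00000000-0000-0000-0000-000000000000}}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="Device">{device}</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return (event_id, {Data Name: text}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def triage(xml_text):
    """Return a finding dict for a suspicious RawAccessRead, or None."""
    event_id, data = parse_event(xml_text)
    if event_id != 9:
        return None
    image, device = data.get("Image", ""), data.get("Device", "")
    if image.lower() in ALLOWLIST:
        return None
    reasons = []
    if PHYSICAL_DISK.match(device):
        reasons.append("reads the whole physical disk, not a volume")
    elif VOLUME.match(device):
        reasons.append("reads a volume below the file system")
    else:
        reasons.append("reads an unrecognised device object")
    if any(frag in image.lower() for frag in USER_WRITABLE):
        reasons.append("image runs from a user-writable directory")
    # Whole-disk reads and readers in user-writable locations match the pattern the
    # article describes (VBR -> MFT -> hive reconstruction); rank them highest.
    severity = "high" if len(reasons) > 1 or PHYSICAL_DISK.match(device) else "medium"
    return {"time": data.get("UtcTime"), "pid": data.get("ProcessId"),
            "image": image, "device": device, "severity": severity, "reasons": reasons}


def triage_batch(events):
    """Triage a sequence of event XML strings; return findings in input order."""
    return [f for f in (triage(e) for e in events) if f is not None]


# Constructed sample: one allowlisted shadow-copy read, one whole-disk read from
# a temp directory, one volume read by an unlisted tool.
SAMPLE_EVENTS = [
    make_event("2025-09-01 10:00:00.000", 1432,
               "C:\\Windows\\System32\\vssvc.exe", "\\Device\\HarddiskVolume2"),
    make_event("2025-09-01 10:00:02.000", 5120,
               "C:\\Users\\alice\\AppData\\Local\\Temp\\rdread.exe", "\\Device\\Harddisk0\\DR0"),
    make_event("2025-09-01 10:00:05.000", 6604,
               "C:\\Tools\\imager.exe", "\\Device\\HarddiskVolume3"),
]

if __name__ == "__main__":
    for finding in triage_batch(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], finding["image"], finding["device"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

In a real deployment the records come from the Sysmon operational channel rather than constructed strings; the allowlist is deliberately short because the article's point is that a reader with a legitimate-looking name can still be the one pulling the MFT, so the device type and the image location carry more weight than the name.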

From a development standpoint, driver authors must adopt security best practices: assign restrictive SDDL ACLs when calling WdfDeviceInitAssignSDDLString (never default to granting generic access to WD, the SDDL alias for Everyone), rigorously validate all user-supplied offsets and parameters, and leverage Driver Verifier during testing to catch I/O, memory, and IRQL violations.
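The SDDL advice above is easy to check mechanically at code-review time. The following is an added example, not code from the article or from any driver it names: it parses the DACL of a device-object SDDL string of the kind passed to WdfDeviceInitAssignSDDLString and flags any allow ACE whose trustee is a broad principal such as WD (Everyone). WEAK_SDDL is a constructed descriptor that hands Everyone generic read and write on the device; HARDENED_SDDL is the well-known SDDL_DEVOBJ_SYS_ALL_ADM_ALL descriptor from the WDK (SYSTEM and Administrators only). The set of trustees treated as "broad" is an assumption about what should never appear on a raw-disk device object.

```python
"""Audit a device-object SDDL string of the kind passed to WdfDeviceInitAssignSDDLString.

Added example, not from the article or any driver it names. WEAK_SDDL is a
constructed descriptor that grants Everyone (WD) read/write; HARDENED_SDDL is
the well-known SDDL_DEVOBJ_SYS_ALL_ADM_ALL descriptor (SYSTEM and
Administrators only). The set of "broad" trustees flagged here is an assumption
about what should never appear in an allow ACE on a raw-disk device object.
"""
import re

# Well-known two-letter SDDL SID aliases that denote broad, low-privilege principals.
BROAD_TRUSTEES = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "Built-in Users",
    "IU": "Interactive Users",
    "AN": "Anonymous",
    "BG": "Built-in Guests",
}

ACE_RE = re.compile(r"\(([^)]*)\)")

WEAK_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"   # constructed weak example
HARDENED_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"             # SDDL_DEVOBJ_SYS_ALL_ADM_ALL


def split_rights(rights):
    """Split an SDDL rights field into two-letter codes, or keep a hex mask whole."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_dacl(sddl):
    """Return the ACEs of the D: component as dicts (type, flags, rights, trustee)."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not match:
        raise ValueError("SDDL has no DACL (D:) component")
    aces = []
    for body in ACE_RE.findall(match.group(2)):
        # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append({"type": ace_type, "flags": ace_flags,
                     "rights": split_rights(rights), "trustee": trustee})
    return aces


def audit_device_sddl(sddl):
    """Return a list of findings; an empty list means no broad allow ACE was found."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A":          # only allow ACEs widen access
            continue
        if ace["trustee"] in BROAD_TRUSTEES:
            findings.append(
                f"allow ACE grants {'+'.join(ace['rights'])} to "
                f"{BROAD_TRUSTEES[ace['trustee']]} ({ace['trustee']})")
    return findings


if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        print(f"{label}: {sddl}")
        for finding in audit_device_sddl(sddl) or ["no broad allow ACE"]:
            print("   -", finding)
```

The check is intentionally narrow: it answers only "who can open this device at all", which is the question the article raises, and leaves the rights mask interpretation (GR versus GA, or a raw hex mask) to the reviewer.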

Pool tags and careful buffer management further harden drivers against exploitation.

This exploit serves as a reminder that true defense-in-depth must include scrutiny of every driver in the environment—especially those offering disk-level functionality.

As AI-assisted coding lowers the barrier to crafting raw-disk parsers, organizations must proactively inventory, audit, and enforce strict controls on drivers to prevent adversaries from wielding raw disk reads as a stealthy weapon.


The post Hackers Exploit Raw Disk Reads to Evade EDR Detection appeared first on Cyber Security News.
