For years, Endpoint Detection and Response (EDR) has been considered one of the main defense technologies against cyber threats, thanks to its ability to provide near real-time visibility and response on endpoints. However, recent ransomware campaigns reveal a harsh reality: EDR, when used as the sole line of defense, can be easily neutralized.
The DeadLock ransomware group exploited a structural weakness using a well-established technique known as Bring Your Own Vulnerable Driver (BYOVD). This method allows attackers to load legitimate but vulnerable drivers to execute code at the kernel level and disable endpoint protection mechanisms.
This is no longer an approach limited to Red Team exercises or research environments; it has become an operational technique adopted by financially motivated cybercriminals to directly target endpoint defenses.
What Happened: The Kernel-Level Kill Switch
A concrete example of this issue is the vulnerability CVE-2024-51324 in a legitimate, signed driver shipped with Baidu Antivirus. Because the driver carries a valid signature, Windows loads it on its own; the attacker does not need Baidu Antivirus installed on the victim. This flaw gave attackers an effective way to disable EDR and antivirus solutions.
The observed attack chain unfolds as follows:
- Exploitation of a Legitimate Driver
Attackers introduced a genuine but vulnerable Baidu Antivirus driver, BdApiUtil.sys, often renamed to evade name-based detection (e.g., DriverGay.sys or googleApiUtil64.sys). The file's signature stays valid regardless of its name, so the operating system loads it. The GOLD SALEM group has also been observed exploiting the same vulnerability.
- Improper Privilege Management
CVE-2024-51324, classified as CWE-269 (Improper Privilege Management), resides in the driver's internal logic. Although loading the driver requires administrative privileges, once it is loaded the device it exposes accepts requests from processes run by non-privileged users.
- Arbitrary Process Termination
The ransomware loader (e.g., EDRGay.exe) opens the driver's device and sends a request via DeviceIoControl() with IOCTL code 0x800024b4. The driver interprets this as a valid command to terminate the process identified in the request.
- Complete Defense Bypass
Operating at the kernel level, the driver calls ZwTerminateProcess() without checking the caller's privileges. Because the termination is carried out from kernel mode, the user-mode self-protection mechanisms of EDR and antivirus products never see the request, and their services are killed immediately.
Once endpoint defenses are neutralized, attackers, who have often gained initial access through compromised legitimate credentials, can act undisturbed. Subsequent steps include using PowerShell scripts to disable Windows Defender, stopping backup services, and deleting volume shadow copies, making recovery extremely difficult before the DeadLock ransomware payload is deployed.
EDR’s Weakness: The Agent’s Blind Spot
BYOVD attacks highlight an inherent limitation of EDR: its reliance on a software agent residing on the endpoint. If a malicious actor exploits a legitimate, signed component to operate at the kernel level, they can silence that agent and completely remove visibility at the most critical moment of the attack.
In these scenarios, EDR does not fail for lack of functionality; it is deliberately rendered inoperative. The endpoint is effectively left without detection capabilities, and the attacker knows exactly when that happened.
Why EDR Alone Isn’t Enough: The Role of MDR
Countering multi-stage attacks like those attributed to DeadLock requires a shift in approach. Defense cannot rest on a single product; it needs an adversary-oriented, layered operational model. This is where MDR (Managed Detection and Response) comes into play.
EDR remains essential for telemetry collection, but MDR introduces a decisive element: specialized human analysis capable of correlating events and identifying weak signals that precede agent elimination.
Specifically, an MDR service enables:
- Detecting and Correlating the Entire Attack Chain
MDR doesn't limit itself to alerts generated by the EDR agent; it correlates events from endpoints, identities, networks, and system logs. In campaigns like DeadLock, this means spotting early indicators such as unusual use of legitimate accounts, registry changes enabling RDP, installation of remote access software, or suspicious PowerShell scripts. Correlating these events allows detection in the initial stages, before the EDR is disabled. The driver load itself is also a signal that leaves the endpoint before the agent dies: if that telemetry is forwarded off-host in near real time, a sudden silence from the agent a few seconds after a driver load is itself an indicator.
- Identifying and Blocking Evasive Techniques Before They Take Effect
Through continuous threat hunting, MDR actively searches for behaviors linked to known techniques, such as loading unauthorized or vulnerable drivers typical of BYOVD attacks. Since attackers rename the driver, hunting must key on the file hash and signer rather than the file name. This approach intercepts the abuse of legitimate components before they are used to operate at the kernel level and disable endpoint defenses.
- Applying and Maintaining Operational Mitigation Measures
MDR supports implementing and maintaining concrete security controls, such as application control policies, driver loading restrictions (for example Windows Defender Application Control policies and Microsoft's vulnerable driver blocklist), and system hardening. These measures are not applied once but verified and adapted over time based on evolving threats.
- Managing Incident Response in a Coordinated and Timely Manner
When an attack is underway or has bypassed detection, MDR provides a specialized team capable of rapid intervention. Activities include containing the compromised endpoint, assessing impact, halting lateral movement, and supporting recovery operations, reducing attacker dwell time within the infrastructure.
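The correlation described in this list, applied to the attack chain from the previous section, as an added example that is not part of the original article or of any EDR/MDR product: it walks constructed Sysmon-style events in time order, identifies the vulnerable driver by file hash (so renaming BdApiUtil.sys to DriverGay.sys changes nothing), and then looks, within a short window after the load, for the follow-on signals the article describes: a security-product process terminating, Defender being switched off through PowerShell, and shadow copies being deleted. The driver hash, the process names in SECURITY_PROCESSES and the event timeline are all constructed placeholders; a real deployment would carry the SHA-256 of the vulnerable BdApiUtil.sys build from a source such as the LOLDrivers project or Microsoft's vulnerable driver blocklist.

```python
"""Added example: correlating the weak signals of a BYOVD EDR-kill chain.

Illustrative code written for this article, not the telemetry pipeline of
any EDR or MDR product. Matching on the driver's hash rather than its file
name is the point: the attacker controls the name, not the hash.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder hash, not the real SHA-256 of BdApiUtil.sys.
VULN_HASH = "0123456789abcdef" * 4
VULNERABLE_DRIVERS = {
    VULN_HASH: ("bdapiutil.sys", "Baidu Antivirus BdApiUtil.sys, CVE-2024-51324"),
}
# Assumed process names of security products; extend for the EDR in use.
SECURITY_PROCESSES = {"msmpeng.exe", "edragent.exe"}
DEFENDER_DISABLE = re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)


@dataclass
class Event:
    """Minimal view of a Sysmon event (IDs 6, 5, 1) or PowerShell 4104."""
    ts: datetime
    kind: str          # DriverLoad | ProcessTerminate | ProcessCreate | ScriptBlock
    image: str = ""    # driver or process image path
    sha256: str = ""   # populated for DriverLoad only
    detail: str = ""   # command line or script block text


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_byovd_chains(events, window=timedelta(minutes=30)):
    """Return one alert per vulnerable-driver load, listing the follow-on
    signals seen within `window` after it. A load with no follow-on is
    still reported: the agent may simply have been killed too fast."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "DriverLoad":
            continue
        match = VULNERABLE_DRIVERS.get(ev.sha256.lower())
        if match is None:
            continue
        original_name, description = match
        signals = [f"vulnerable driver loaded: {ev.image} ({description})"]
        if basename(ev.image) != original_name:
            signals.append(f"driver renamed from {original_name} to {basename(ev.image)}")
        impact = 0  # follow-on signals that show the defenses are already gone
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.kind == "ProcessTerminate" and basename(later.image) in SECURITY_PROCESSES:
                signals.append(f"security process terminated: {basename(later.image)}")
                impact += 1
            elif later.kind == "ScriptBlock" and DEFENDER_DISABLE.search(later.detail):
                signals.append("Defender disabled via PowerShell")
                impact += 1
            elif later.kind == "ProcessCreate" and SHADOW_DELETE.search(later.detail):
                signals.append("shadow copies deleted")
                impact += 1
        alerts.append({
            "driver": ev.image,
            "sha256": ev.sha256,
            "signals": signals,
            "severity": "critical" if impact else "high",
        })
    return alerts


T0 = datetime(2025, 1, 15, 3, 12, 0)
# Constructed sample timeline, not captured telemetry.
SAMPLE_EVENTS = [
    Event(T0, "DriverLoad", r"C:\Windows\System32\drivers\tcpip.sys", sha256="ff" * 32),
    Event(T0 + timedelta(seconds=40), "DriverLoad", r"C:\Windows\Temp\DriverGay.sys", sha256=VULN_HASH),
    Event(T0 + timedelta(seconds=41), "ProcessTerminate", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    Event(T0 + timedelta(minutes=2), "ScriptBlock", detail="Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(T0 + timedelta(minutes=5), "ProcessCreate", r"C:\Windows\System32\vssadmin.exe",
          detail="vssadmin.exe delete shadows /all /quiet"),
    # Outside the window: a later restart of Defender does not join the chain.
    Event(T0 + timedelta(hours=2), "ProcessTerminate", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
]

if __name__ == "__main__":
    for alert in detect_byovd_chains(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["driver"])
        for signal in alert["signals"]:
            print("  -", signal)
```

The benign tcpip.sys load produces nothing, while the renamed BdApiUtil.sys load is reported on its own as high severity and escalated to critical once the Defender kill, the Set-MpPreference call and the vssadmin run follow it. In practice the window length is the tuning knob: the driver load and the first process termination are typically seconds apart, and that pair alone is enough to page on.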
In Conclusion
EDR remains a critical component of endpoint security, but it is no longer sufficient as a standalone defense. BYOVD techniques demonstrate that attackers can directly target the kernel level and disable endpoint controls before the destructive phase of the attack.
In this scenario, MDR represents the necessary evolution: a model combining technology, processes, extended visibility, and human expertise to detect and counter attacks even when EDR is bypassed. For organizations, this is no longer an optional improvement but a fundamental requirement to face increasingly sophisticated threats.