Zero Day EDR Exploit Analysis

This report examines a new zero‑day vulnerability exploited by the ransomware group The Gentlemen to disable endpoint detection and response (EDR) tools on victim systems. Published by Expel on 2026-07-02, the analysis covers the actor’s tactics, the underlying driver flaw, the chain of exploitation steps, how the threat bypasses kernel protections, and actionable mitigations for defenders.

Threat Actor Overview

The Gentlemen first emerged in July 2025. Their operations focus on ransomware delivery but they rely heavily on disabling security controls before executing payloads. Expel’s investigation revealed that during an early‑April incident the group weaponised a previously unknown vulnerability in the Kontron Technical Application Programming Interface driver ktapi.sys to kill EDR processes.

Vulnerable Driver: ktapi.sys

The driver is delivered by Kontron as part of a legacy system interface. It exposes three IOCTL codes for memory‑mapped I/O, unmapping, and port I/O. The flaw lies in how the driver handles HalTranslateBusAddress; when called with arbitrary addresses it simply returns the requested address without validation. Attackers can therefore map any physical memory into user space.

Exploit Chain Overview

The attacker follows a carefully orchestrated chain:

  1. Map large chunks of physical RAM and scan for PML4 tables to locate their own process’s page table.
  2. Translate a known virtual address (0xdeadbeefcafebabe) into physical memory using the discovered PML4, confirming mapping success.
  3. Use the mapped physical pages to read kernel memory and locate the function nt!MiSetPfnLink via signature search on a disk copy of ntoskrnl.exe.
  4. Redirect two Win32k syscalls—NtUserFrostCrashedWindow and NtUserSetGestureConfig—to pointers that allow arbitrary kernel writes without triggering PatchGuard, SMAP or SMEP.
  5. Deploy a universal KernelCall helper that writes to the shared KUSER_SHARED_DATA page, enabling kernel‑mode privilege escalation from user mode.

With this capability the exploit can call PsLookupProcessByProcessId, ObDereferenceObject and PsTerminateProcess for any PID, effectively killing protected EDR processes such as MsMpEng.exe, SentinelAgentWorker.exe, CortexXdrPayload.exe, and others listed in the report.

Mitigations and Recommendations

  • Enable Core Isolation/Virtualization‑Based Security (VBS): This introduces a hypervisor layer that protects kernel memory from arbitrary writes. The Memory Integrity toggle also activates Kernel Control Flow Guard, blocking non‑authorized shellcode execution.
  • Activate the vulnerable driver blocklist: Even though ktapi.sys is legacy and would be blocked by newer Windows builds with cross‑signing disabled, keeping the list up‑to‑date ensures legacy drivers are prevented from loading.
  • Deploy Windows Defender Application Control (WDAC): With a well‑configured allowlist for kernel drivers—by name, hash or publisher—only trusted binaries can load. Learning mode helps maintain functionality while blocking unknown drivers.
  • Add file‑name and hash detection signatures: For legacy systems that cannot enable VBS or WDAC, include file‑name and SHA‑256 detection signatures in endpoint security products to flag loader activity.

Indicators of Compromise (IOCs)

Name: ktapi.sys
Description: Vulnerable driver used in BYOVD attacks
SHA‑256: 7ee17efef04bb7c9de90d5210263ed6993f867e5a11f86e65e3bb1362c7de237

Name: was.exe
Description: Exploit binary
SHA‑256: c277ae5a4dd62f51de5278790796cd2700de7f77ea17762e97729f27872d076b
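The detection signatures recommended in the mitigations above can be applied to driver‑load and process‑create telemetry. The following added example (not code from the report or from Expel) triages constructed Sysmon‑style events against the two IOCs listed here; the Sysmon field names (EventID, ImageLoaded, Image, Hashes) are assumed to be forwarded verbatim by the log pipeline, and the sample events are fabricated for illustration.

```python
import ntpath

# IOC values quoted from the report above: file names and their SHA-256 hashes.
IOC_SHA256 = {
    "7ee17efef04bb7c9de90d5210263ed6993f867e5a11f86e65e3bb1362c7de237": "ktapi.sys",
    "c277ae5a4dd62f51de5278790796cd2700de7f77ea17762e97729f27872d076b": "was.exe",
}
IOC_NAMES = set(IOC_SHA256.values())

# Constructed sample events (not real telemetry) in the shape of Sysmon
# Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate), flattened to dicts
# the way a SIEM might forward them. Hashes are deliberately mixed-case.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\ktapi.sys",
     "Hashes": "MD5=d41d8cd98f00b204e9800998ecf8427e,"
               "SHA256=7EE17EFEF04BB7C9DE90D5210263ED6993F867E5A11F86E65E3BB1362C7DE237"},
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe",   # renamed loader, same hash
     "Hashes": "SHA256=c277ae5a4dd62f51de5278790796cd2700de7f77ea17762e97729f27872d076b"},
    {"EventID": 6, "ImageLoaded": r"C:\Temp\ktapi.sys",   # same name, unknown build
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000002"},
]

def parse_hashes(field):
    """Split a Sysmon 'Hashes' field ('MD5=..,SHA256=..') into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def triage(event):
    """Return (severity, reason) when an event matches a report IOC, else None."""
    image = event.get("ImageLoaded") or event.get("Image") or ""
    name = ntpath.basename(image).lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in IOC_SHA256:
        # Hash match is authoritative even if the file was renamed on disk.
        return ("high", f"SHA-256 matches report IOC for {IOC_SHA256[sha256]}")
    if name in IOC_NAMES:
        # Name matches but hash differs: possibly another driver build or a
        # benign collision, so rank lower and hand to an analyst.
        return ("medium", f"file name {name} matches report IOC but hash differs")
    return None

def triage_all(events):
    """Evaluate every event and return the alerts in input order."""
    alerts = []
    for e in events:
        hit = triage(e)
        if hit:
            alerts.append({"EventID": e["EventID"], "severity": hit[0], "reason": hit[1]})
    return alerts
```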

BYOVD attacks continue to pose an existential threat to endpoint security. Even with the latest Windows mitigations, attackers can still achieve kernel‑level privilege escalation in seconds. Continuous monitoring for driver loading events, enforcing strict application allowlists, and maintaining updated vulnerability blocklists remain critical defenses.

Copyright © 2025 ESSGroup