By Abdul Wasay ⏐ 3 months ago ⏐ 2 min read
Hackers Exploit Raw Disk Reads To Steal Sensitive Files, Bypass EDR

Cybersecurity researchers from Workday’s Offensive Security team have uncovered a stealthy new technique that allows attackers to bypass Endpoint Detection and Response (EDR) systems by performing raw disk reads on Windows devices. This method renders traditional defenses blind to credential theft and system compromise.

How the EDR Attack Works—And Why It Evades Detection

Instead of triggering the standard file-system API calls that EDR tools monitor (such as opening a file by name), attackers read disk sectors directly through low-level drivers.

EDRs typically don't flag such operations, because they look like harmless sector reads. Once the raw sectors are captured, attackers reconstruct files such as SAM.hive or NTDS.dit by parsing the NTFS on-disk structures themselves, starting from the Master Boot Record and walking the Master File Table to locate each file's data runs.

Workday demonstrated the technique using a vulnerable driver (CVE-2025-50892), but a vulnerable driver is not strictly required: with elevated privileges, standard Windows storage drivers such as disk.sys or storport.sys already offer similar sector-level access.

Why This EDR Bypass Matters for Enterprise Security

This raw disk read attack sidesteps common security controls:

  • File access logging and audit alerts don’t capture sector-level reads.
  • Access control lists, exclusive file locks, and virtualization-based protections are all bypassed.
  • Attackers gain access without leaving forensic logs or triggering alarms.

What Defenders Should Do Now

Workday’s experts urge a defense-in-depth strategy to close this blind spot:

  • Enable full disk encryption (like BitLocker) to make raw data unreadable without keys.
  • Restrict administrative privileges and limit driver installation to trusted sources.
  • Harden driver control: block vulnerable or unsigned drivers and test with Driver Verifier.
  • Monitor raw disk I/O using tools like Sysmon (Event ID 9) with fine-grained filters.
  • Expand EDR to support kernel-level monitoring and update incident plans accordingly.
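The Sysmon recommendation above hinges on Event ID 9 (RawAccessRead), which Sysmon records whenever a process opens a volume for raw reads, and on filtering that event so legitimate backup and volume-service binaries do not drown out the signal. The following script is an added example, not code from the article or from Workday: it parses Sysmon-shaped Event ID 9 records, drops those from a hypothetical allowlist of images that are expected to read volumes raw, and returns the rest as alerts. The sample events, the allowlist entries and the field names chosen for the alert records are constructed for illustration.

```python
"""Triage Sysmon Event ID 9 (RawAccessRead) records.

Sysmon writes one Event ID 9 record each time a process opens a volume
handle for raw reads. This script parses such records, suppresses the
ones produced by an allowlisted set of legitimate images, and returns
the remainder as alerts for an analyst to review.
"""
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon's forwarded events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RAW_ACCESS_READ = 9

# Hypothetical allowlist of images that legitimately read volumes raw
# (VSS and Windows Backup engine). Tune it to what runs in your estate;
# an allowlist that is too broad hides exactly the reads you care about.
ALLOWLIST = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\wbengine.exe",
}


def _sysmon_event(event_id, fields):
    """Build a Sysmon-shaped event XML string (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        f'<Event xmlns="{NS["e"]}">'
        f"<System><EventID>{event_id}</EventID>"
        f'<Provider Name="Microsoft-Windows-Sysmon"/></System>'
        f"<EventData>{data}</EventData></Event>"
    )


# Constructed sample telemetry: one expected raw read, one suspicious raw
# read from an unsigned-looking user-writable path, and one unrelated
# process-creation event (ID 1) that the triage must ignore.
SAMPLE_EVENTS = [
    _sysmon_event(9, {
        "UtcTime": "2025-01-01 10:00:00.000", "ProcessId": "1234",
        "Image": r"C:\Windows\System32\vssvc.exe",
        "Device": r"\Device\HarddiskVolume3", "User": r"NT AUTHORITY\SYSTEM",
    }),
    _sysmon_event(9, {
        "UtcTime": "2025-01-01 10:00:05.000", "ProcessId": "4321",
        "Image": r"C:\Users\Public\diskread.exe",
        "Device": r"\Device\HarddiskVolume3", "User": r"CORP\jdoe",
    }),
    _sysmon_event(1, {
        "UtcTime": "2025-01-01 10:00:06.000", "ProcessId": "5555",
        "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
    }),
]


def parse_event(xml_text):
    """Return the EventID plus every EventData field as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {
        d.get("Name"): (d.text or "")
        for d in root.findall("e:EventData/e:Data", NS)
    }
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def is_suspicious_raw_read(event, allowlist=ALLOWLIST):
    """True for an Event ID 9 whose image is not on the allowlist.

    The comparison is case-insensitive because Windows paths are.
    """
    if event.get("EventID") != RAW_ACCESS_READ:
        return False
    return event.get("Image", "").lower() not in allowlist


def triage(xml_events, allowlist=ALLOWLIST):
    """Parse each record and collect the raw reads worth an analyst's time."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if is_suspicious_raw_read(ev, allowlist):
            alerts.append({
                "time": ev.get("UtcTime"), "image": ev.get("Image"),
                "device": ev.get("Device"), "user": ev.get("User"),
                "pid": ev.get("ProcessId"),
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"RawAccessRead by {alert['image']} (pid {alert['pid']}, "
              f"user {alert['user']}) on {alert['device']} at {alert['time']}")
```

In production the same `is_suspicious_raw_read` check can be expressed as a Sysmon `RawAccessRead` rule with `Image` exclusions so that only the interesting events are written in the first place; the Python version is useful for retro-hunting over already-collected event exports, where the allowlist can be adjusted without touching endpoint configuration.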

As attackers increasingly operate outside the visibility of file-based EDR tools, organizations must evolve their defensive strategies beyond standard approaches. Implementing multiple layers of protection is essential to stay ahead in the cybersecurity arms race.