In the ever-evolving landscape of cybersecurity, attackers continually develop methods to circumvent protective measures. A recent technique has emerged that enables malicious actors to access sensitive files on Windows systems by performing raw disk reads, effectively bypassing Endpoint Detection and Response (EDR) solutions and other security protocols.
Understanding the Technique
Traditional file access on Windows involves standard procedures monitored by security tools. However, this new method involves direct communication with low-level disk drivers, allowing attackers to read data from the physical disk without triggering typical security alerts. By accessing data at specific sector addresses rather than by file names, this approach evades detection mechanisms that monitor file access based on names.
For instance, instead of requesting access to a sensitive file like the Security Account Manager (SAM) hive, an attacker can request data from a particular sector on the disk. This sector-based access is less likely to raise red flags, as many security systems are configured to monitor file access by name rather than by disk sector.
Mechanics of the Attack
Once an attacker gains raw disk access, they can reconstruct target files by interpreting the NTFS file system structure. This process involves:
1. Master Boot Record (MBR): Identifying the disk partition.
2. Master File Table (MFT): Serving as a directory for the entire volume.
By reading the MFT, attackers can determine the exact physical location of any file’s data, read it in clusters, and reassemble it without officially opening the file through the operating system.
This method effectively bypasses file access controls, exclusive file locks, and advanced defenses like Virtualization-Based Security (VBS). Moreover, it leaves no trace in default system logs, making detection challenging.
Real-World Implications
The Workday Offensive Security team demonstrated this attack by exploiting a vulnerability (CVE-2025–50892) in a driver that improperly exposed raw read capabilities. However, they emphasized that any user with administrative privileges can perform this attack without needing a vulnerable driver, highlighting its relevance in various corporate environments.
Mitigation Strategies
Defending against such low-level attacks is challenging, as they bypass many security layers organizations rely upon. The following defense in depth strategies are recommended:
1. Full Disk Encryption: Utilizing tools like BitLocker renders raw disk data unreadable without the encryption key, significantly hindering this attack.
2. Restrict Privileges: Limiting administrative access reduces the likelihood of attackers interacting directly with disk drivers or installing malicious ones.
3. Monitor for Raw Access: Advanced monitoring tools like Microsoft’s Sysmon can detect raw disk read events (Event ID 9), though careful filtering is necessary to manage alerts effectively.
4. Driver Vetting: Actively monitoring for the installation of unsigned or known-vulnerable drivers using resources like Microsoft’s recommended driver blocklist can prevent exploitation.
Conclusion
While raw disk access is not a novel concept, its proven effectiveness against modern EDRs highlights a significant gap in security visibility. As sophisticated hacking techniques become more accessible, organizations must understand and defend against threats that operate below the surface of the typical operating system.
