Hackers Leverage Raw Disk Reads to Bypass EDR Solutions and Access Highly Sensitive Files

A new technique has been identified that allows attackers to access sensitive files on Windows systems by bypassing modern security tools.
The method, detailed by Workday’s Offensive Security team, involves reading data directly from a computer’s raw disk. This approach circumvents Endpoint Detection and Response (EDR) solutions and file permissions, enabling the theft of credential files.
Instead of using standard file-access procedures monitored by security software, the attack communicates directly with low-level disk drivers. An attacker with administrator rights can utilize built-in Windows drivers, or a user with fewer privileges might exploit a vulnerable third-party driver to access raw data from a specific disk location.
This technique is stealthy because it does not target files by name, such as the SAM hive, but rather requests data from specific sector addresses. Many security systems, which monitor file access by name, are unable to detect this activity. The EDR solution might only see a request to “read sector 12345” rather than an attempt to “open the system’s password file.”
How the Attack Works
Once an attacker obtains raw disk data, they must parse it to reconstruct the target file. This involves interpreting the NTFS file system structure, starting from the Master Boot Record to locate the disk partition and then the Master File Table (MFT), which acts as a directory for the entire volume.
By reading the MFT, attackers can locate any file’s data, read it in clusters, and reassemble it without officially “opening” the file through the operating system. The Workday team demonstrated this attack using a vulnerability (CVE-2025-50892) in a driver that exposed this raw read capability. However, administrative privileges alone can facilitate this attack, posing a threat in many corporate environments.
Defending against such low-level attacks is challenging as they bypass traditional security layers. Researchers recommend a “defense in depth” strategy, including:
- Full Disk Encryption: Using tools like BitLocker makes raw data unreadable without the encryption key, impeding this attack.
- Restrict Privileges: Limiting administrative access reduces the risk of direct interaction with disk drivers or installation of malicious ones.
- Monitor for Raw Access: Advanced monitoring with tools like Microsoft’s Sysmon can detect raw disk read events (Event ID 9), though careful filtering is necessary to manage alerts.
- Driver Vetting: Actively monitor for the installation of unsigned or known-vulnerable drivers using resources like Microsoft’s recommended driver blocklist.
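As an added illustration of the Sysmon recommendation above (example code, not from the Workday write-up), the following Python reduces Sysmon Event ID 9 (RawAccessRead) records to reads by processes outside an allowlist. Because the event names only the reading process and the volume device, never the file, the rule keys on process identity rather than on a path such as the SAM hive; the allowlist entries (vssvc, defrag), the sample events and the process names are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Images that routinely issue raw volume reads (backup, defragmentation).
# This allowlist is an assumption for the example; tune it per environment.
BENIGN_IMAGES = {r"c:\windows\system32\vssvc.exe", r"c:\windows\system32\defrag.exe"}

def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event (Windows Event XML) into a dict of its EventData fields."""
    root = ET.fromstring(xml_text)
    rec = {"event_id": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec

def raw_access_alerts(xml_events):
    """Keep only RawAccessRead (Event ID 9) records from non-allowlisted processes.
    The event names the reading process and the device, never a file, so the rule
    keys on process identity rather than on a path such as the SAM hive."""
    alerts = []
    for xml_text in xml_events:
        rec = parse_sysmon_event(xml_text)
        if rec["event_id"] != 9 or rec.get("Image", "").lower() in BENIGN_IMAGES:
            continue
        alerts.append({"time": rec["UtcTime"], "pid": rec["ProcessId"],
                       "image": rec["Image"], "device": rec["Device"]})
    return alerts

def constructed_event(event_id, image, device, pid, when="2025-01-01 12:00:00.000"):
    """Build a constructed Sysmon-style record for offline testing (not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="UtcTime">{when}</Data><Data Name="ProcessId">{pid}</Data>'
        f'<Data Name="Image">{image}</Data><Data Name="Device">{device}</Data>'
        "</EventData></Event>"
    )

# Constructed sample log: a benign VSS read, an unknown tool reading the volume, a non-ID-9 event.
SAMPLE_EVENTS = [
    constructed_event(9, r"C:\Windows\System32\vssvc.exe", r"\Device\HarddiskVolume2", 1204),
    constructed_event(9, r"C:\Users\Public\disktool.exe", r"\Device\HarddiskVolume2", 5512),
    constructed_event(1, r"C:\Users\Public\disktool.exe", "", 5512),
]

if __name__ == "__main__":
    for a in raw_access_alerts(SAMPLE_EVENTS):
        print(f"{a['time']} RawAccessRead by {a['image']} (pid {a['pid']}) on {a['device']}")
```

In production the records would come from the Sysmon operational log rather than constructed strings, and the allowlist is where the "careful filtering" the text mentions is tuned.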
While raw disk access is not new, its effectiveness against modern EDRs highlights a significant gap in security visibility. As sophisticated hacking techniques become more accessible, organizations must understand and defend against threats operating below the typical operating system surface.