A new technique that allows attackers to read highly sensitive files on Windows systems, bypassing many of the modern security tools designed to prevent such breaches.<\/p>\n
A report from Workday\u2019s Offensive Security team explains how, by reading data directly from a computer\u2019s raw disk, a malicious actor can sidestep Endpoint Detection and Response (EDR)<\/a> solutions, file permissions, and other critical protections to steal credential files.<\/p>\n The method avoids standard file-access procedures that are typically monitored by security software. Instead of opening a file by name, the attack involves communicating directly with low-level disk drivers. <\/p>\n An attacker with administrator rights can use built-in Windows drivers, or a user with fewer privileges could exploit a vulnerable third-party driver, to request raw data from a specific location on the physical disk.<\/p>\n This approach is particularly stealthy because the attack never requests a sensitive file like the SAM hive by name. Instead, it asks for the data at a particular sector address. <\/p>\n This means many security systems, which look for malicious file access by name, are blind to the activity. The EDR solution<\/a> might see a request to \u201cread sector 12345\u201d instead of an alert-worthy attempt to \u201copen the system\u2019s password file.<\/p>\n \u201d This allows the technique to evade file access controls, exclusive file locks, and even advanced defenses like Virtualization-Based Security (VBS). Furthermore, it leaves no trace in the default system logs.<\/p>\n After an attacker obtains the raw disk data, they must parse it to reconstruct the target file. <\/p>\n This process involves interpreting the NTFS file system structure, starting from the Master Boot Record to find the disk partition, then locating the Master File Table (MFT), which serves as a directory for the entire volume. <\/p>\n By reading the MFT, the attacker can pinpoint the exact physical location of any file\u2019s data, read it in clusters, and reassemble it\u2014all without ever officially \u201copening\u201d the file through the operating system.<\/p>\n The Workday team demonstrated<\/a> this attack by leveraging a vulnerability (assigned CVE-2025\u201350892) in a driver that improperly exposed this raw read capability.<\/p>\n However, they emphasize that any user with administrative privileges can perform this attack without needing a vulnerable driver, making it a relevant threat in many corporate environments.<\/p>\n Protecting against such a low-level attack is challenging, as it bypasses security layers that many organizations depend on. The researchers recommend a \u201cdefense in depth\u201d strategy incorporating several measures:<\/p>\n The researchers conclude that while the concept of raw disk access is not new, its proven effectiveness against modern EDRs highlights a significant gap in security visibility. <\/p>\n As sophisticated hacking techniques<\/a> become more accessible, organizations must understand and defend against threats that operate below the surface of the typical operating system.<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Hackers Leverage Raw Disk Reads to Bypass EDR Solutions and Access Highly Sensitive Files<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"raw](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgHa86K_EqGAh7qcmtg-BtlgjIhKfty80CgEzccAraOIs7qycLqyeJpdTCCzm1cJe24dSoWur_UbeM1aX_YTLdbXBnXle3z2HHhVVwu18hJDb0a6z8GgRx72CpcPypWoApsOFJuiRJUcPFsj9jYeBgRKr1D83k-m8mrQKD3c6N0axy2sugs_Bkj2bQ9NGeI\/s16000\/0_Y561jkASKVou0NKe.webp?ssl=1\")
How the Attack Works<\/strong><\/h2>\n
\n