Security alert enrichment: Terminator endpoint defense evasion tool

CrowdStrike has shared a situational awareness alert on Reddit that details the emergence of a new endpoint defense evasion tool called “Terminator.” The relevant details of this threat alert have been included below:

“On May 21, 2023, an online persona named spyboy began advertising an endpoint defense evasion tool for the Windows operating system via the Russian-language forum Ramp. The author claims that the software — seen in a demonstration video as being titled “Terminator” — can bypass twenty-three (23) EDR and AV controls. At time of writing, spyboy is pricing the software from $300 USD (single bypass) to $3,000 USD (all-in-one bypass).

At time of writing, the Terminator software requires administrative privileges and User Account Control (UAC) acceptance to properly function. Once executed with the proper level of privilege, the binary will write a legitimate, signed driver file — Zemana Anti-Malware — to the C:\Windows\System32\drivers\ folder. The driver file is given a random name between 4 and 10 characters. An example of this driver file can be found on VirusTotal here.

This technique is similar to other Bring Your Own Driver (BYOD) campaigns observed being used by threat actors over the past several years.

Under normal circumstances, the driver would be named zamguard64.sys or zam64.sys. The driver is signed by “Zemana Ltd.” and has the following thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.

Once written to disk, the software loads the driver and has been observed terminating the user-mode processes of AV and EDR software.

…As the Zemana Anti-Malware driver is not overly common, it becomes a good target for hunting. Please note: the presence of the Zemana Anti-Malware driver in your environment is not necessarily indicative of the presence of the spyboy defense evasion tool, rather, it is a point of investigation to determine if the use of the driver is legitimate.”

What this means

This activity is part of a larger trend of threat actors abusing vulnerable drivers signed by legitimate software vendors to evade security controls, commonly referred to as “bring your own vulnerable driver.” A version of this particular driver has already been detailed by the LOLDrivers project, which catalogs known vulnerable drivers that can be abused.

EDR bypasses aren’t new, and we expect their use to keep growing. It’s increasingly crucial to establish multiple layers of defense so that malicious activity targeting your organization is detected promptly.

At a minimum, it’s advisable to incorporate detection technologies, retain valuable source logs such as DNS and proxy data for at least one year, and have immediate – and automatic – capabilities to detect and respond to advanced threats like EDR bypasses or supply chain attacks.

Alert enrichment

Stairwell has already deployed detections for all customers on the Stairwell platform, searching through environments for the original file outlined in the CrowdStrike report. The Stairwell platform’s AI-powered variant discovery has also identified 8 potential variants of the original file among the more than 500 million unique files in our corpus. The Stairwell threat research team is currently investigating the following:

In the event that any Stairwell customers are affected, they will immediately receive notifications regarding the presence of any relevant indicators of compromise (IOCs) that are currently in their environment – or have ever been since becoming a Stairwell user – so that they can quickly locate, remediate, and better understand the impact without needing to wait for hours, days, or weeks.

Public YARA rules

rule Stairwell_Spyboy_Terminator_Zemana_Driver_01 {
    meta:
        author = "Daniel Mayer ([email protected])"
        description = "Detects the vulnerable Zemana driver used by the Terminator EDR killer"
        SHA256_1 = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
        version = "1.0"
        date = "2023-05-31"

    strings:
        // pool creation in IOCTL 0x80002040
        $pool_creation = {
            BA 34 08 00 00    // mov     edx, 834h ; Number of Bytes
            [1-4]             // <set pool type to unpaged pool>
            41 B8 5A 4D 4E 41 // mov     r8d, 414E4D5Ah  ; Pool tag of 'ANMZ'
            FF                // call    <ExAllocatePoolWithTag>
        }

        $debug1 = "Calling Driver Object 0x%I64x Scsi Dispatc"
        $debug2 = "Can not allocate unicode string for key path"

    condition:
        all of them
}

rule Stairwell_Spyboy_Terminator_Zemana_Driver_02 {
    meta:
        author = "Chris St. Myers ([email protected])"
        description = "Detects the PDB path and Certificate of the vulnerable Zemana driver used by the Terminator EDR killer"
        SHA256_1 = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
        version = "1.0"
        date = "2023-05-31"

    strings:
        // 16-byte ASN.1 INTEGER (tag 02, length 0x10) from the embedded Zemana signing certificate
        $cert = {02 10 23 0F D3 64 B4 69 09 1B 8A 44 40 14 5E 18}

        $pdb_64 = "AntiMalware\\bin\\zam64.pdb"
        $pdb_64_2 = "AMSDKCore\\Driver\\zam64.pdb"
        $pdb_32 = "AntiMalware\\bin\\zam32.pdb"

    condition:
        // PE Subsystem field (e_lfanew + 92) == IMAGE_SUBSYSTEM_NATIVE, i.e. a kernel-mode driver
        int16(uint32(60) + 92) == 1 and any of ($pdb_*) and $cert
}
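The following Python is an added example, not Stairwell's or CrowdStrike's code: it re-implements the condition of rule 02 outside YARA so the reader can see what int16(uint32(60) + 92) == 1 actually reads from a PE header, and pairs it with a triage heuristic for the random 4-10 character driver name described in the CrowdStrike summary. The function names are my own, and the PE-shaped buffer it builds is a constructed stand-in, not the real driver.

```python
import struct

# Values below are taken from the page's YARA rule 02 and the CrowdStrike summary.
PDB_PATHS = (b"AntiMalware\\bin\\zam64.pdb",
             b"AMSDKCore\\Driver\\zam64.pdb",
             b"AntiMalware\\bin\\zam32.pdb")
CERT_BYTES = bytes.fromhex("0210230FD364B469091B8A4440145E18")
IMAGE_SUBSYSTEM_NATIVE = 1                        # kernel-mode driver
EXPECTED_NAMES = {"zam64.sys", "zamguard64.sys"}  # names a legitimate install uses


def pe_subsystem(data: bytes):
    """Read the PE Subsystem field, mirroring YARA's int16(uint32(60) + 92):
    e_lfanew is at DOS-header offset 60, the optional header starts 24 bytes
    after the PE signature, and Subsystem sits at optional-header offset 68."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if len(data) < e_lfanew + 94 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 92)[0]


def matches_rule_02(data: bytes) -> bool:
    """Same logic as Stairwell_Spyboy_Terminator_Zemana_Driver_02's condition."""
    return (pe_subsystem(data) == IMAGE_SUBSYSTEM_NATIVE
            and any(p in data for p in PDB_PATHS)
            and CERT_BYTES in data)


def unusual_driver_name(filename: str) -> bool:
    """Triage heuristic from the CrowdStrike write-up: the tool drops the driver
    under a random 4-10 character name instead of its normal file name. Only
    meaningful for files that already match the Zemana content checks above."""
    name = filename.lower()
    stem, _, ext = name.rpartition(".")
    return ext == "sys" and name not in EXPECTED_NAMES and 4 <= len(stem) <= 10


def build_sample(subsystem: int) -> bytes:
    """Constructed, non-loadable PE-shaped buffer used only to exercise the checks."""
    img = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", img, 60, 0x80)          # e_lfanew -> PE header at 0x80
    img += b"\0" * (0x80 - len(img))
    img += b"PE\0\0" + b"\0" * 20                  # signature + COFF file header
    opt = bytearray(240)                           # PE32+ optional header
    struct.pack_into("<H", opt, 68, subsystem)
    img += opt
    return bytes(img + b"\0" * 16 + PDB_PATHS[0] + b"\0" * 16 + CERT_BYTES)
```

A real hunt would feed `matches_rule_02` the bytes of each file under C:\Windows\System32\drivers\ and only then apply `unusual_driver_name` to the hits, since a 4-10 character .sys name is common on its own.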
