BlueHat Oct 23. S07: Signed, Sealed, Delivered: The Rise of Signed Malicious Drivers

Science & Technology

In this talk, Andrew Brandt and Andreas Klopsch discuss a disturbing trend observed in 2021, in which ransomware attackers began deploying legitimately signed Windows drivers to subvert Endpoint Detection and Response (EDR) agents. They categorize these drivers into three types: outdated signed drivers, malicious drivers signed with stolen or expired certificates, and malicious drivers legitimately signed by Microsoft’s Windows Hardware Quality Labs (WHQL). They share their journey of reporting the issue to Microsoft and the shocking revelation of the problem’s extent. Finally, they explain how attackers compromised the WHQL process and consider potential solutions.
