In July 2023, our proactive behavior rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and used in many of their products.
Given the rise in abuse of legitimate drivers to disable EDR products (an issue we examined in our piece on compromised Microsoft-signed drivers several months ago), and the context in which this driver was loaded, we started to investigate and dove deeper into the file.