Understanding BYOVD Attacks and Mitigation Strategies
In recent years, the cybersecurity community has observed a notable increase in attacks leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique. This method involves threat actors introducing legitimate, signed drivers with known vulnerabilities into target systems to gain unauthorized kernel-level access.
Threat actors have long favored vulnerable drivers for bypassing security controls, executing malware, and establishing persistence. The reason is simple: the drivers carry a code signature the Windows kernel accepts (a vendor certificate chained to a Microsoft-trusted root, or Microsoft attestation signing), so they load without complaint and run with kernel-level privileges. Translation: they are challenging to detect.
BYOVD Background
In computer systems, a driver is a specialized software component that facilitates communication between the operating system and hardware devices. Drivers possess high privileges at the kernel level, enabling them to perform critical system functions. This privileged position makes them attractive targets for attackers, especially when vulnerabilities are present.
The BYOVD attack vector capitalizes on the inherent trust operating systems place in digitally signed drivers. A valid signature tells the system who published the driver and that the file has not been altered since; it says nothing about whether the driver's code is safe. The kernel therefore loads the driver with full privileges, and if the driver exposes an unsafe interface (typically an IOCTL that lets any caller read or write arbitrary kernel or physical memory), an attacker can use that interface to perform malicious actions that inherit the driver's trust.
Once an attacker has kernel-level access, they can turn it against the security stack itself: terminating protected EDR processes, removing the kernel notification callbacks that sensors rely on to see process, thread, image-load and registry activity, or loading further unsigned code. With the sensor blinded, follow-on tradecraft such as side-loading a malicious DLL through a legitimate, signed Windows Defender binary proceeds with far less scrutiny. BYOVD exploits that use flaws in vulnerable drivers to execute code with kernel-level privileges and bypass security software are, however, nothing new.
BYOVD Attack Examples
One of the earliest documented instances of a BYOVD attack occurred in 2019, involving the RobbinHood ransomware. The attackers dropped a vulnerable Gigabyte driver, gdrv.sys, which exposes arbitrary kernel memory read and write to user mode (CVE-2018-19320). They used that primitive to switch off Driver Signature Enforcement, load their own unsigned driver, and with it kill security processes and delete their files before deploying the ransomware payload, leading to significant disruptions.
The North Korean APT Lazarus Group was observed leveraging vulnerable drivers in 2021 to blind security tools, and more recently, the Cuba and D0nut ransomware gangs were found using vulnerable drivers to kill processes associated with security tools and capitalize on kernel-level access to escalate privileges for other actions.
In 2023, a threat actor with the handle Spyboy advertised a BYOVD tool dubbed Terminator, which the seller claimed could bypass almost every AV/EDR/XDR solution. The tool was offered on Russian-language cybercrime forums for as little as $300 and caused a lot of worry at the time; analysis showed it was a loader for a vulnerable, legitimately signed Zemana anti-malware driver rather than anything novel.
In another notable case, the Scattered Spider group employed BYOVD techniques to compromise systems. They exploited a vulnerability in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys), specifically CVE-2015-2291. By leveraging this outdated yet signed driver, the attackers achieved kernel-level execution, allowing them to disable security tools and maintain persistent access within the compromised environment.
Similarly, the BlackByte ransomware group has been observed utilizing BYOVD tactics. In their attacks, they abused a legitimately signed third-party driver (the MSI Afterburner driver RTCore64.sys, CVE-2019-16098) to bypass security solutions, using its kernel read/write primitive to remove the kernel notification callbacks registered by more than 1,000 driver names that security products rely on for visibility, thereby facilitating the deployment of their ransomware.
More recently, we have seen an increase in ransomware threat actors employing BYOVD techniques:
- Rise in BYOVD Attacks: In the second quarter of 2024, researchers observed a nearly 23% increase in BYOVD attacks compared to the first quarter.
- Ransomware and BYOVD: Researchers estimate approximately 25% of ransomware attacks in 2024 incorporated BYOVD methods to disable Endpoint Detection and Response (EDR) systems and escalate privileges.
- Emergence of EDR-Killing Tools: The RansomHub ransomware group introduced the "EDRKillShifter" tool, which is designed to load vulnerable drivers and exploit them to disable endpoint protection software.
- Prevalence of Vulnerable Drivers: Research indicates that a significant number of legitimately signed drivers carry known flaws that make them susceptible to exploitation, so an attacker has a wide choice of drivers to bring along.
- Exploitation of Legitimate Drivers:
  - In February 2025, researchers noted a Qilin BYOVD campaign that evades traditional EDR while maintaining a low profile and limiting the noise created by these activities.
  - A November 2024 report highlighted a malicious BYOVD campaign where attackers dropped a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulated it to terminate security processes, disable protective software, and gain control over infected systems.
The effectiveness of BYOVD attacks lies in their ability to exploit the trust model inherent in operating systems. Since the drivers used are legitimate and signed, they pass the kernel's signature check and are frequently on security vendors' allow lists, so malicious activity carried out through them proceeds undetected. This trust exploitation poses a significant challenge for defenders, as traditional security measures may not flag these drivers as malicious.
Mitigating BYOVD Risks
To mitigate the risks associated with BYOVD attacks, organizations must adopt a comprehensive and proactive security strategy. Regularly updating and patching drivers is essential to address known vulnerabilities in the drivers you legitimately run, but it is not sufficient on its own: the attacker brings their own copy of the old, vulnerable version, and a fully patched system will still load it unless that specific driver is blocked.
Implementing driver allow-listing (on Windows, an App Control for Business / WDAC policy that permits only approved drivers) can further enhance security by ensuring that only approved drivers can operate within the environment. Restricting administrative privileges to trusted personnel minimizes the risk of unauthorized driver installations, since loading a driver requires administrative rights, while monitoring driver load activity can help detect and respond to suspicious behavior.
Educating users about the dangers of installing unauthorized drivers and maintaining a robust security posture through regular audits and penetration testing are also crucial components of an effective defense strategy.
Deploying advanced EDR solutions capable of monitoring kernel-level activities adds an additional layer of defense. Hypervisor-Protected Code Integrity (HVCI) runs the kernel's code-integrity checks inside a hypervisor-isolated environment, so that even an attacker with kernel read/write cannot inject unsigned code into kernel memory or quietly disable signature enforcement; enabling it also activates Microsoft's vulnerable driver blocklist by default, bolstering system integrity.
Leading EDR solutions will tout their ability to hunt for, detect, and remove vulnerable drivers through various means. This includes custom rules that detect artifacts associated with known malicious driver samples, or that fire when a driver matching a known hash (MD5 or SHA256) is written to disk, as well as sweeps of loaded drivers against lists of known vulnerable driver hashes. Hash matching is a useful floor but a weak ceiling: each vulnerable driver exists in many signed versions, and a hash list only catches the exact files someone has already catalogued. All of this is time-consuming, and for most environments it is also unnecessary.
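The hash-and-signature sweep described above, as an added example (this is not Halcyon's code or any vendor's product logic): it inventories the kernel drivers currently loaded on a Windows host, hashes and signature-checks each one, and flags drivers that match a list of known-vulnerable SHA256 values or that load from an unusual location. The hash table is a constructed placeholder, and the expected-directory heuristic and the `Resolve-DriverPath` helper are assumptions of this example, not something the page specifies.

```powershell
#Requires -RunAsAdministrator
# Added example, not Halcyon's code. Sweep loaded kernel drivers for known-vulnerable
# hashes, bad signatures and unusual load paths.

# Constructed placeholder table: SHA256 -> descriptive name. The values are fake and
# will never match a real file; load real entries from a curated source such as
# Microsoft's recommended driver block rules or the LOLDrivers dataset.
$KnownVulnerableSha256 = @{
    '0000000000000000000000000000000000000000000000000000000000000001' = 'example-vulnerable-a.sys'
    '0000000000000000000000000000000000000000000000000000000000000002' = 'example-vulnerable-b.sys'
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths (\??\C:\..., \SystemRoot\..., System32\...);
    # normalise them to plain Win32 paths before touching the file.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-LoadedDriverInventory {
    # Directories where drivers normally live; anything loaded from elsewhere
    # (ProgramData, a user profile, Temp) is a common BYOVD dropper tell.
    # Treat this as a triage heuristic: some legitimate vendors install under Program Files.
    $expectedRoots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore")

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath -PathName $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries we cannot reach

            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToUpperInvariant()
            $sig  = Get-AuthenticodeSignature -LiteralPath $path   # checks embedded and catalog signatures
            $inExpectedDir = $false
            foreach ($root in $expectedRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inExpectedDir = $true }
            }

            [pscustomobject]@{
                Name            = $_.Name
                Path            = $path
                Sha256          = $hash
                SignatureStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
                Signer          = $sig.SignerCertificate.Subject
                KnownVulnerable = $KnownVulnerableSha256.ContainsKey($hash)
                UnusualLocation = -not $inExpectedDir
            }
        }
}

# Run the sweep and show only what needs a human to look at it.
$inventory = Get-LoadedDriverInventory
$inventory |
    Where-Object { $_.KnownVulnerable -or $_.UnusualLocation -or $_.SignatureStatus -ne 'Valid' } |
    Format-Table Name, SignatureStatus, KnownVulnerable, UnusualLocation, Path -AutoSize
```

A driver with `SignatureStatus` of `Valid` and `KnownVulnerable` of `$true` is exactly the BYOVD case: the file is genuine, correctly signed, and still dangerous. Inbox drivers are catalog-signed rather than embedded-signed, which `Get-AuthenticodeSignature` handles, so a `NotSigned` result on a running driver is itself worth a look. Because the table only knows the hashes you feed it, this sweep complements a blocklist rather than replacing one.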
EDR/XDR solutions cannot fix the flaw in the driver itself; that is the vendor's job. What they can do is detect and respond to the attempt to load and abuse such a driver, including the bypass attempts that follow. Their effectiveness in this role depends on how they are integrated into a comprehensive security strategy.
Fortunately, Microsoft offers a simpler and more effective way to defend against exploitation of vulnerable drivers with kernel-level privileges, even if it receives little media attention.
Microsoft maintains a Vulnerable Driver Blocklist to mitigate the risks associated with BYOVD attacks. The blocklist is an App Control (WDAC) policy, shipped with Windows and refreshed through Windows Update, that identifies drivers by hash, by file name and version range, or by signer, and prevents matching drivers from being loaded into the Windows kernel. It is enforced by default on Windows 11 22H2 and later and on any system running HVCI, Smart App Control, or S mode; on older systems it can be switched on explicitly, and the latest block rules can be deployed ahead of a Windows release as a WDAC policy. This reduces the attack surface available to malicious actors.
It's important to note that while the blocklist enhances security, it may also impact the functionality of specific devices or software that rely on blocked drivers. Therefore, organizations should thoroughly test the blocklist in their environments to ensure compatibility and balance security and operational needs; deploying the block rules first as a WDAC policy in audit mode surfaces which drivers would be blocked (Code Integrity event 3076) before enforcement turns those into real load failures.
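A fleet check for the blocklist, as an added example (not Halcyon's or Microsoft's code): it reports whether the Vulnerable Driver Blocklist and HVCI are active on a host, can switch the blocklist on where it is off, pulls recent Code Integrity block events, and runs the same check across a list of hosts over WinRM. The registry value, the `Win32_DeviceGuard` class and the event IDs are the ones Microsoft documents; the host names at the end and the build-number threshold used to infer the OS default are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not Halcyon's or Microsoft's code: audit and enforce the
# Microsoft Vulnerable Driver Blocklist on one host or across a fleet.

function Get-VulnerableDriverBlocklistStatus {
    # Documented toggle: 1 = enabled, 0 = disabled, absent = the OS default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $regValue = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
                    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Win32_DeviceGuard reports which virtualization-based security services are
    # actually running; service code 2 is Hypervisor-Protected Code Integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    # Inference for the "absent" case (assumption of this example): Microsoft enforces
    # the blocklist by default on Windows 11 22H2 (build 22621) and later and wherever
    # HVCI is running. Smart App Control and S mode also enable it but are not checked here.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($regValue -eq 1)     { $enforced = $true }
    elseif ($regValue -eq 0) { $enforced = $false }
    else                     { $enforced = $hvciRunning -or ($build -ge 22621) }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSBuild           = $build
        BlocklistRegistry = if ($null -eq $regValue) { 'not set (OS default)' } else { $regValue }
        HvciRunning       = $hvciRunning
        BlocklistEnforced = $enforced
    }
}

function Enable-VulnerableDriverBlocklist {
    # Sets the documented registry value; the change takes effect after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
}

function Get-DriverBlockEvents {
    param([int]$MaxEvents = 20)
    # Enforced blocks are logged in the CodeIntegrity operational log as event 3077;
    # 3076 is the audit-mode counterpart ("would have been blocked"). Watching these
    # is how you confirm the blocklist is doing work rather than merely being set.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Local check, then remediate and show evidence.
$status = Get-VulnerableDriverBlocklistStatus
$status | Format-List
if (-not $status.BlocklistEnforced) {
    Enable-VulnerableDriverBlocklist
    Write-Warning 'Blocklist enabled in the registry; reboot for it to take effect.'
}
Get-DriverBlockEvents | Format-Table -AutoSize

# Fleet-wide view over WinRM. The host names are placeholders for this example.
$computers = @('WS-001', 'WS-002')
Invoke-Command -ComputerName $computers -ScriptBlock ${function:Get-VulnerableDriverBlocklistStatus} |
    Format-Table ComputerName, OSBuild, BlocklistRegistry, HvciRunning, BlocklistEnforced -AutoSize
```

`BlocklistEnforced` reflects the registry value or the inference; the real proof is a reboot followed by 3077 events appearing when a blocklisted driver is dropped. If you need block rules newer than the copy Windows Update has delivered, Microsoft publishes them as a WDAC policy XML that can be merged into your own App Control policy and deployed the same way.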
Halcyon Kernel Guard Protects Against BYOVD Attacks
With the introduction of Kernel Guard, Halcyon now provides robust protection against BYOVD attacks by leveraging a multi-layered approach that includes real-time detection, continuous intelligence updates, and proactive alerting mechanisms.
Proactive Detection and Alerts: Halcyon maintains a comprehensive, up-to-date catalog of known vulnerable drivers. When a driver that matches Halcyon’s intelligence on vulnerable drivers attempts to load, an alert is immediately triggered. This proactive approach ensures that security teams can swiftly respond to potential BYOVD exploitation before an attacker fully controls a system.
Limitations of Traditional Driver Blocklists: While Microsoft maintains a vulnerable driver blocklist, it is updated only 1-2 times per year, covering only around 5% of the drivers that Halcyon monitors. Moreover, organizations often struggle to determine whether the blocklist is fully enabled across their fleet. This limitation underscores the need for a more dynamic solution like Halcyon, which provides real-time monitoring and alerts, filling the gaps left by traditional blocklist mechanisms.
Specialized Ransomware Defense and Agility: Unlike generalized security solutions, Halcyon specializes in ransomware protection, ensuring agility in detecting emerging attack techniques. The company actively monitors penetration testing tools and projects on GitHub, where adversaries develop and refine EDR Killer variants that leverage BYOVD techniques. Since Halcyon has encountered EDR Killer usage in proof-of-concept (POC) testing, the platform is continuously enhancing its defenses to counter such sophisticated threats effectively.
Correlation and Monitoring with CrowdStrike: Halcyon also integrates with security intelligence platforms like CrowdStrike’s Falcon Overwatch, which monitors and correlates data to detect BYOVD attacks. While this correlation provides valuable forensic insights, it is not a fully proactive defense mechanism. Halcyon complements this capability by offering real-time alerts and detection to mitigate threats before they escalate.
DXP-Based Data Protection: Halcyon extends its protection beyond BYOVD detection with Halcyon DXP (Data Exfiltration Protection) to detect unauthorized data transfers:
- Halcyon DXP Upload Threshold Exceeded Events: These alerts indicate potential data exfiltration attempts when upload volumes surpass predefined thresholds.
- Halcyon DXP Nefarious Data Transfer Volume Alerts: If a high-risk data transfer is detected, Halcyon generates alerts to notify security teams of possible ransomware-related activity.
- Halcyon DXP Nefarious Peer Alerts: When multiple endpoints interact with malicious internet destinations, a single consolidated alert is triggered, preventing alert fatigue while maintaining high visibility.
- Halcyon DXP Overrides: Admin users can override DXP-based alerts directly from the Halcyon console, allowing flexibility in managing alerts while ensuring security policies remain effective.
Takeaway
BYOVD attacks represent a significant threat to system security because they exploit trusted, signed drivers. By combining an up-to-date vulnerable driver intelligence system, proactive alerting, ransomware-specialized agility, and integration with security platforms like CrowdStrike, Halcyon provides a more dynamic and effective defense against BYOVD attacks. With additional Halcyon DXP-based Data Exfiltration Protection mechanisms, organizations gain comprehensive security against endpoint exploits and data exfiltration threats.
To learn more about how Halcyon can help your organization defend against BYOVD attacks, reach out to Halcyon to schedule a demo today.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.