Attackers Exploit Trusted Windows Drivers to Disable Security Tools

Cybercriminals are increasingly leveraging a technique known as Bring Your Own Vulnerable Driver (BYOVD) to disable antivirus (AV) and endpoint detection and response (EDR) systems. This method involves exploiting legitimate, digitally signed Windows drivers that contain known vulnerabilities, allowing attackers to operate with elevated privileges and neutralize security defenses.

In a BYOVD attack, an adversary introduces a trusted but flawed driver into the target system. By exploiting the driver’s vulnerabilities, they can execute code at the kernel level, effectively terminating security processes or rendering them ineffective. This approach is particularly insidious because the operating system trusts these signed drivers, enabling them to bypass standard security checks.

Mechanics of BYOVD Attacks

Windows operates with two primary privilege levels: user mode and kernel mode. User mode restricts applications, while kernel mode grants near-complete control over the system. By exploiting a vulnerable driver, attackers can escalate their privileges to kernel mode, allowing them to disable or manipulate security tools without detection.

For instance, after gaining administrative access, an attacker can install a signed but vulnerable driver and send it crafted commands to exploit its weaknesses. This can result in the termination of AV or EDR processes, effectively blinding the system’s defenses. In some cases, attackers may degrade security tools by modifying kernel structures or stripping permissions, causing monitoring systems to stop receiving alerts while appearing operational.
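The sequence just described (a signed but unexpected driver is loaded, then AV or EDR processes die) is visible in endpoint telemetry. The following is an added detection example, not code from the original article: it works over Sysmon-style events (Event ID 6 "Driver loaded" and Event ID 5 "Process terminated"), flags driver loads whose SHA256 is on a blocklist, that come from a non-standard path, or that lack a valid signature, and then correlates each flagged load with terminations of protected security processes inside a time window. The blocklist hash, the sample events, and the `example-edr-agent.exe` process name are constructed placeholders; a real deployment would load Microsoft's vulnerable driver blocklist or a community list such as LOLDrivers and the process names of the products actually installed.

```python
"""Correlate suspicious driver loads with security-process terminations.

Added example (not from the article). Events are dicts shaped after Sysmon
Event ID 6 (driver loaded) and Event ID 5 (process terminated).
"""
from datetime import datetime, timedelta

# Constructed placeholder: NOT a real driver hash. Load a real blocklist here.
BLOCKED_DRIVER_SHA256 = {
    "1" * 64: "placeholder-vulnerable.sys",
}
# Lower-cased image names of security products to watch. MsMpEng.exe is
# Microsoft Defender; the second entry is a placeholder for any EDR agent.
PROTECTED_PROCESSES = {"msmpeng.exe", "example-edr-agent.exe"}
# Drivers normally load from here; anything else deserves a look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


def parse_hashes(hashes_field: str) -> dict:
    """Parse Sysmon's 'SHA1=..,MD5=..,SHA256=..' string into {algo: hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def assess_driver_load(event: dict) -> list:
    """Return the reasons an Event ID 6 record looks like BYOVD staging.

    An empty list means the load looked normal. Note that a genuine BYOVD
    driver passes the signature check by design; the hash and path checks
    are what catch it.
    """
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKED_DRIVER_SHA256:
        reasons.append(
            f"blocklisted driver hash ({BLOCKED_DRIVER_SHA256[sha256]})")
    path = event.get("ImageLoaded", "").lower()
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from non-standard path {path}")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver signature not valid")
    return reasons


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def correlate_byovd(events: list, window_seconds: int = 300) -> list:
    """Pair each flagged driver load with protected-process terminations that
    follow it within the window. Returns one alert dict per flagged load."""
    alerts = []
    terminations = [e for e in events if e.get("EventID") == 5]
    for load in (e for e in events if e.get("EventID") == 6):
        reasons = assess_driver_load(load)
        if not reasons:
            continue
        t0 = _ts(load["UtcTime"])
        deadline = t0 + timedelta(seconds=window_seconds)
        killed = [
            _basename(t["Image"]) for t in terminations
            if _basename(t["Image"]).lower() in PROTECTED_PROCESSES
            and t0 <= _ts(t["UtcTime"]) <= deadline
        ]
        alerts.append({
            "driver": load["ImageLoaded"],
            "reasons": reasons,
            "security_processes_terminated": killed,
            # A flagged load alone is worth a look; one followed by the
            # death of a security process is the BYOVD pattern itself.
            "severity": "high" if killed else "medium",
        })
    return alerts


# Constructed sample telemetry, not a real capture.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-01-01 12:00:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2024-01-01 12:01:00",
     "ImageLoaded": "C:\\Users\\Public\\drv.sys",
     "Hashes": "MD5=" + "b" * 32 + ",SHA256=" + "1" * 64,
     "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2024-01-01 12:01:15",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for alert in correlate_byovd(SAMPLE_EVENTS):
        print(alert)
```

The path and signature checks are cheap and noisy on their own (software installers legitimately load drivers from temporary directories), which is why the correlation step matters: a driver load from an odd location that is followed within minutes by the termination of an AV or EDR process is a much stronger signal than either event alone. Suspension rather than termination, which the article also mentions, would not produce an Event ID 5 and needs a separate heartbeat-style check from the agent itself.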

Proliferation and Accessibility of BYOVD

The BYOVD technique has become increasingly accessible to cybercriminals. Numerous vulnerable drivers are publicly documented, and new ones continue to emerge. Open-source and underground tools such as TrueSightKiller, GhostDriver, and AuKill automate the process of exploiting these drivers to disable security processes. Some ransomware groups have even integrated BYOVD capabilities directly into their payloads, reducing the need for separate tools.

While BYOVD is a dominant method, attackers also employ alternative techniques. For example, they may suspend protected processes instead of terminating them, causing security tools to stop functioning while appearing to run normally. Additionally, attackers can exploit Windows trust hierarchies to manipulate or terminate lower-trust security services or disrupt communication between endpoint agents and cloud-based intelligence services, weakening detection capabilities without altering the local agent.

Microsoft has introduced several kernel hardening features, including Kernel Address Space Layout Randomization (KASLR), Hypervisor-Protected Code Integrity (HVCI), and Kernel Control Flow Guard (KCFG). While these measures mitigate certain attack vectors, they do not effectively prevent BYOVD attacks. This is because attackers are not injecting new kernel code, which is what these protections are designed to stop, but rather exploiting existing, trusted drivers that the system has already loaded and allowed to run.

The increasing prevalence of BYOVD attacks underscores the need for organizations to adopt comprehensive security strategies. Relying solely on traditional AV and EDR solutions is insufficient. Implementing robust monitoring systems, regularly updating and patching software, and employing advanced threat detection mechanisms are essential steps in defending against these sophisticated attack techniques.