The BYOVD Epidemic: How Attackers Are Weaponizing Trusted Windows Drivers to Kill Security

Attackers are increasingly using Bring Your Own Vulnerable Driver (BYOVD) to abuse signed Windows drivers, gain kernel-level control, and disable AV or EDR defenses as part of modern ransomware intrusions. Symantec’s whitepaper explains how tools like TrueSightKiller, GhostDriver, AuKill, and Poortry exploit this tactic and why behavioral monitoring is more effective than blocklists or kernel hardening alone. #BringYourOwnVulnerableDriver #TrueSightKiller #GhostDriver #AuKill #Poortry #Symantec

Key points

  • BYOVD has become a dominant defense-evasion technique in advanced intrusions over the past three years.
  • Attackers abuse validly signed but vulnerable kernel drivers to reach Windows kernel mode and gain highest privilege.
  • The main goal is often to disable AV and EDR by killing processes, stripping rights, or blinding kernel notifications.
  • BYOVD tooling is widely available and often bundled with ransomware-as-a-service offerings.
  • Examples of BYOVD tools mentioned include TrueSightKiller, GhostDriver, AuKill, and Poortry.
  • Microsoft hardening features such as KASLR, HVCI, and KCFG help, but do not stop data-only BYOVD attacks.
  • Behavioral detection of driver interaction and anomalous IOCTL traffic is presented as the most effective defense.
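
The behavioral detection the whitepaper favours, sketched as an added example rather than code from the page or from Symantec: a small correlation rule over constructed telemetry that ties a third-party driver load to a burst of IOCTLs against that driver's device and the exit of a protected security process within a short window. The event schema, the device-to-driver mapping, the protected-process names, the driver-directory heuristic and the thresholds are all assumptions made for illustration; a real EDR would source these fields from its own sensor.

```python
"""
Behavioral correlation for BYOVD-style driver abuse over constructed telemetry.
Added example; not code from the Symantec whitepaper or this page. The event
field names, the device-to-driver mapping, the protected-process list and the
thresholds are assumptions for illustration only.
"""
from collections import defaultdict

# Image names treated as protected security processes (constructed list).
PROTECTED = {"edr_agent.exe", "av_service.exe"}

# Drivers that ship with Windows live here; a kernel driver loaded from a
# user-writable location is the first thing this rule looks for.
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

WINDOW_SECONDS = 60      # correlate events within one minute of the driver load
IOCTL_THRESHOLD = 3      # a burst of IOCTLs to a freshly created device


def is_third_party_driver(path: str) -> bool:
    """True when the driver image sits outside the Windows drivers directory."""
    return not path.lower().startswith(SYSTEM_DRIVER_DIR)


def correlate(events):
    """
    Walk time-ordered events and return alerts as tuples
    (pid, driver_path, device, [protected images terminated by pid]).

    Constructed event schema (assumed, not a real sensor's):
      {"t": int, "type": "driver_load", "pid": int, "path": str, "device": str}
          pid is the user-mode process that registered and started the driver
      {"t": int, "type": "ioctl",       "pid": int, "device": str}
      {"t": int, "type": "proc_exit",   "pid": int, "image": str, "by_pid": int}
          by_pid is the process that terminated the exiting process
    """
    loads = {}                      # pid -> (t_load, driver path, device name)
    ioctls = defaultdict(int)       # (pid, device) -> IOCTL count
    kills = defaultdict(list)       # terminating pid -> protected images killed
    alerts, fired = [], set()

    for ev in sorted(events, key=lambda e: e["t"]):
        et = ev["type"]
        if et == "driver_load" and is_third_party_driver(ev["path"]):
            loads[ev["pid"]] = (ev["t"], ev["path"], ev["device"])
        elif et == "ioctl":
            ioctls[(ev["pid"], ev["device"])] += 1
        elif et == "proc_exit" and ev["image"].lower() in PROTECTED:
            kills[ev["by_pid"]].append(ev["image"])

        # Evaluate the rule for the process that just acted.
        actor = ev["by_pid"] if et == "proc_exit" else ev["pid"]
        if actor in loads and actor not in fired:
            t_load, path, device = loads[actor]
            in_window = ev["t"] - t_load <= WINDOW_SECONDS
            if in_window and ioctls[(actor, device)] >= IOCTL_THRESHOLD and kills[actor]:
                alerts.append((actor, path, device, list(kills[actor])))
                fired.add(actor)
    return alerts


# Constructed sample telemetry. Paths, device names and pids are placeholders.
SAMPLE_EVENTS = [
    # Suspicious chain: third-party driver, IOCTL burst, protected process exits.
    {"t": 0, "type": "driver_load", "pid": 4242,
     "path": r"C:\Users\Public\tools\vuln_driver.sys", "device": r"\\.\VulnDrv"},
    {"t": 1, "type": "ioctl", "pid": 4242, "device": r"\\.\VulnDrv"},
    {"t": 2, "type": "ioctl", "pid": 4242, "device": r"\\.\VulnDrv"},
    {"t": 3, "type": "ioctl", "pid": 4242, "device": r"\\.\VulnDrv"},
    {"t": 4, "type": "proc_exit", "pid": 1300, "image": "edr_agent.exe", "by_pid": 4242},
    # Benign: a Windows-shipped driver with ordinary IOCTL traffic.
    {"t": 10, "type": "driver_load", "pid": 900,
     "path": r"C:\Windows\System32\drivers\disk.sys", "device": r"\\.\PhysicalDrive0"},
    {"t": 11, "type": "ioctl", "pid": 900, "device": r"\\.\PhysicalDrive0"},
    # Third-party driver plus IOCTLs, but the protected exit is outside the window.
    {"t": 20, "type": "driver_load", "pid": 5000,
     "path": r"C:\Temp\other_driver.sys", "device": r"\\.\OtherDrv"},
    {"t": 21, "type": "ioctl", "pid": 5000, "device": r"\\.\OtherDrv"},
    {"t": 22, "type": "ioctl", "pid": 5000, "device": r"\\.\OtherDrv"},
    {"t": 23, "type": "ioctl", "pid": 5000, "device": r"\\.\OtherDrv"},
    {"t": 100, "type": "proc_exit", "pid": 1400, "image": "av_service.exe", "by_pid": 5000},
]

if __name__ == "__main__":
    for pid, path, device, killed in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} driver={path} device={device} terminated={killed}")
```

The rule deliberately keys on the sequence of behaviours rather than on a driver hash, which is the whitepaper's argument against relying on blocklists alone: a renamed or newly discovered vulnerable driver still has to be loaded, driven through its device and used against a security process, and those three steps are what the correlation observes. The time window and IOCTL threshold are tuning knobs; the third sample chain shows the window suppressing an alert when the protected-process exit is too far from the load to be attributed to it.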

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – Attackers abuse flaws in validly signed drivers to gain kernel-level control and higher privileges (‘abuse flaws in legitimate, validly signed kernel drivers to seize control of the Windows kernel itself’).
  • [T1562.001] Disable or Modify Tools – Attackers terminate, suspend, strip rights from, or blind AV/EDR products (‘kill the processes belonging to antivirus (AV) or endpoint detection and response (EDR) products’; ‘the attacker can suspend it’).
  • [T1014] Rootkit – Attackers use kernel-level manipulation and malicious drivers to hide or interfere with security tools (‘tamper directly with the kernel’s internal records so that the security product no longer receives notifications’).
  • [T1202] Indirect Command Execution – The malicious component sends crafted IOCTL commands to make the vulnerable driver perform privileged actions (‘sends the driver a specific input/output control (IOCTL) command instructing it to take a privileged action’).
  • [T1547.006] Kernel Modules and Extensions – Attackers load a vulnerable signed driver as a persistence/enabling mechanism for kernel-level actions (‘The attacker then sends the driver a specially crafted command’).
  • [T1562.008] Disable or Modify Cloud Logs – Attackers cut security products off from vendor cloud services used for reputation and prevalence checks (‘quietly cut the security product off from the vendor’s cloud services’).

Indicators of Compromise

  • [File names / driver names] Vulnerable or malicious drivers used in BYOVD tooling – truesight.sys, poortry
  • [Tool names] Publicly available process killers and BYOVD tools – TrueSightKiller, GhostDriver, AuKill
  • [Software / vendor names] Security products and utilities referenced in the attack chain – Process Explorer, Symantec, Carbon Black Endpoint


Read more: https://www.security.com/threat-intelligence/byovd-vulnerable-drivers