BYOVD Technique Enables Attackers to Disable Security Tools
Article Content
Attackers are increasingly using the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus (AV) and endpoint detection and response (EDR) tools. This method exploits flaws in trusted Windows drivers, allowing attackers to operate at the highest privilege level within the Windows kernel. Hundreds of vulnerable drivers are in circulation, with new ones being discovered regularly. The technique has become a standard part of modern ransomware campaigns, enabling attackers to blind or cripple security software. The Symantec Threat Hunter Team's whitepaper highlights the ineffectiveness of Microsoft's kernel hardening against these attacks. Attackers can either kill security processes or strip them of necessary rights, leaving systems vulnerable. The BYOVD technique has been bundled into ransomware-as-a-service (RaaS) offerings, increasing its accessibility for cybercriminals.
Key Points:
• BYOVD exploits trusted Windows drivers to disable security tools.
• Hundreds of vulnerable drivers are actively used in ransomware campaigns.
• Microsoft's kernel hardening measures are insufficient against BYOVD attacks.
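The sequence described above (a vulnerable driver is loaded, then AV/EDR processes stop) can be hunted for by correlating driver-load and process-exit telemetry; the check below is an added example, not code from the Symantec whitepaper or from any vendor. All log lines, hashes, paths and agent names are constructed placeholders, and BLOCKLISTED_HASHES stands in for a real vulnerable-driver blocklist, which lags behind newly discovered drivers, so user-writable load paths are flagged as well.

```python
import re

# Constructed sample telemetry, one key=value event per line (not real logs).
SAMPLE_LOG = """\
ts=1000 host=WS01 event=driver_load image=C:\\Windows\\System32\\drivers\\netio.sys sha256=HASH_OK signer=Microsoft
ts=1200 host=WS01 event=driver_load image=C:\\Users\\alice\\AppData\\Local\\Temp\\upd.sys sha256=HASH_VULN_A signer=ExampleVendor
ts=1260 host=WS01 event=process_exit image=C:\\Program Files\\ExampleEDR\\edr_agent.exe exit_code=1
ts=1300 host=WS01 event=process_exit image=C:\\Program Files\\ExampleAV\\av_service.exe exit_code=1
ts=9000 host=WS02 event=process_exit image=C:\\Program Files\\ExampleAV\\av_service.exe exit_code=0
"""

# Placeholder hash standing in for an entry on a vulnerable-driver blocklist (hypothetical value).
BLOCKLISTED_HASHES = {"HASH_VULN_A"}
# Constructed names of the security agents that should stay running on every host.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}
# Kernel drivers normally load from System32; loads from user-writable paths are unusual.
UNUSUAL_DRIVER_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_events(text):
    """Parse key=value lines into dicts; values may contain spaces (e.g. 'Program Files')."""
    events = []
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))
        fields["ts"] = int(fields["ts"])
        events.append(fields)
    return events


def is_suspicious_driver(ev):
    """Blocklisted hash, or a driver image loaded from a user-writable directory."""
    path = ev["image"].lower()
    return ev["sha256"] in BLOCKLISTED_HASHES or any(d in path for d in UNUSUAL_DRIVER_DIRS)


def detect_byovd(events, window=600):
    """Alert when a suspicious driver load is followed, within `window` seconds on the
    same host, by one or more security processes exiting."""
    alerts = []
    for load in (e for e in events if e["event"] == "driver_load" and is_suspicious_driver(e)):
        killed = [e["image"] for e in events
                  if e["event"] == "process_exit" and e["host"] == load["host"]
                  and load["ts"] <= e["ts"] <= load["ts"] + window
                  and e["image"].rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES]
        if killed:
            alerts.append({"host": load["host"], "driver": load["image"], "terminated": killed})
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd(parse_events(SAMPLE_LOG)):
        print(alert)
```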