BYOVD Technique Enables Attackers to Disable Security Tools


First seen 1 Jul 2026, 12:12 UTC. Source: Cybersecuritynews.

Attackers are increasingly using the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus (AV) and endpoint detection and response (EDR) tools. Rather than attacking the security product directly, the attacker loads a legitimately signed but vulnerable Windows driver and exploits its flaws to run code at the highest privilege level, inside the Windows kernel. Hundreds of vulnerable drivers are in circulation, and new ones are discovered regularly. The technique has become a standard part of modern ransomware campaigns, enabling attackers to blind or cripple security software. A whitepaper from the Symantec Threat Hunter Team highlights the ineffectiveness of Microsoft's kernel hardening against these attacks. Once in the kernel, attackers can either kill security processes outright or strip them of the rights they need to function, leaving the system effectively unprotected. BYOVD tooling has also been bundled into ransomware-as-a-service (RaaS) offerings, which puts the technique within reach of far more cybercriminals.
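
As an added illustration of the detection side (example code written for this page, not from the Symantec whitepaper or the Cybersecuritynews article), the following Python script hunts for BYOVD-style driver loads in Sysmon Event ID 6 (DriverLoad) records. The log records, driver names and SHA-256 values are constructed for the example and stand in for a curated vulnerable-driver list; the directory allow-list is a heuristic assumption that will need tuning on hosts where third-party drivers legitimately live elsewhere.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Placeholder hashes for the example. None is the hash of a real driver; a real
# deployment feeds KNOWN_VULNERABLE from a curated vulnerable-driver list.
VULN_HASH = "1" * 64
LEGIT_HASH = "2" * 64
UNSIGNED_HASH = "3" * 64
KNOWN_VULNERABLE = {VULN_HASH}

# Kernel drivers on a healthy host are normally served from these directories
# (lower-cased for comparison). A driver loaded from a user-writable path is the
# first thing an analyst checks in a suspected BYOVD case. Heuristic assumption.
EXPECTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon Event ID 6 (DriverLoad) records, flattened to key=value
# pairs the way a SIEM export often renders them. Not real telemetry.
SAMPLE_LOG = [
    rf"UtcTime=2026-06-30 09:14:02.311|ImageLoaded=C:\Windows\System32\drivers\example_legit.sys"
    rf"|Hashes=SHA256={LEGIT_HASH}|Signed=true|Signature=Example Vendor Inc|SignatureStatus=Valid",
    # Validly signed vendor driver dropped into a user-writable directory: classic BYOVD shape.
    rf"UtcTime=2026-06-30 09:15:40.006|ImageLoaded=C:\Users\Public\svc\example_vuln.sys"
    rf"|Hashes=SHA256={VULN_HASH}|Signed=true|Signature=Another Vendor Ltd|SignatureStatus=Valid",
    rf"UtcTime=2026-06-30 09:16:01.900|ImageLoaded=C:\Windows\Temp\x.sys"
    rf"|Hashes=SHA256={UNSIGNED_HASH}|Signed=false|Signature=|SignatureStatus=Unavailable",
]


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    sha256: str
    signed: str
    signature_status: str


_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_driver_load(line: str) -> DriverLoad:
    """Parse one '|'-delimited key=value rendering of a Sysmon EID 6 event."""
    fields = {k: v.strip() for k, v in _FIELD.findall(line)}
    # The Hashes field itself is a comma-separated list of ALGO=value pairs.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "").lower(),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(ev: DriverLoad, blocklist: set[str] = KNOWN_VULNERABLE) -> list[str]:
    """Return the reasons (possibly none) why this driver load looks like BYOVD."""
    reasons = []
    if ev.sha256 in blocklist:
        reasons.append("hash is on the vulnerable-driver list")
    if not ev.image.lower().startswith(EXPECTED_DIR_PREFIXES):
        reasons.append(f"loaded from unexpected path: {ev.image}")
    # BYOVD drivers are usually *validly* signed, which is exactly why they load.
    # A missing or invalid signature is therefore a weaker, separate signal.
    if ev.signed != "true" or ev.signature_status.lower() != "valid":
        reasons.append(f"signature not valid: {ev.signature_status or 'unknown'}")
    return reasons


def scan(lines: list[str], blocklist: set[str] = KNOWN_VULNERABLE) -> list[tuple[str, str, list[str]]]:
    """Run assess() over every record and keep only those with at least one reason."""
    findings = []
    for line in lines:
        ev = parse_driver_load(line)
        reasons = assess(ev, blocklist)
        if reasons:
            findings.append((ev.utc_time, ev.image, reasons))
    return findings


if __name__ == "__main__":
    for when, image, reasons in scan(SAMPLE_LOG):
        print(f"{when}  {image}")
        for r in reasons:
            print(f"    - {r}")
```

The script covers only the driver load itself. In a real hunt the next step is to correlate a flagged load with what follows it: the AV or EDR service stopping or losing its protection shortly afterwards, which is the "kill or strip rights" outcome the article describes. Note also that the hash check is the only high-confidence signal here; the path and signature checks will fire on some legitimate installs and are meant to prioritise, not to alert on their own.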

Key Points:
• BYOVD exploits trusted Windows drivers to disable security tools.
• Hundreds of vulnerable drivers are actively used in ransomware campaigns.
• Microsoft's kernel hardening measures are insufficient against BYOVD attacks.


Timeline

2026-06-30: Symantec releases whitepaper on defense evasion
The Symantec Threat Hunter Team published a whitepaper detailing the BYOVD technique and its implications for security. (Tag: Security)

Recent: BYOVD technique identified as a growing threat
The BYOVD technique has rapidly become standard in ransomware campaigns, allowing attackers to disable AV and EDR tools. (Source: Cybersecuritynews)
