Bypass Record
BYOVD (Vulnerable Driver) × Carbon Black Cloud Sensor
A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Carbon Black Cloud Sensor, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Attackers deploy a signed Carbon Black executable (upd.exe) that sideloads a malicious DLL (avupdate.dll). The DLL decodes and executes a customized EDRSandblast tool, which loads the vulnerable TPwSav.sys driver. The driver's IOCTL handlers allow arbitrary physical memory read/write, used to overwrite the BeepDeviceControl function in Beep.sys with shellcode. This shellcode provides unrestricted kernel memory access, enabling removal of EDR kernel callbacks and event tracing, effectively disabling EDR.
Detection & mitigation
Monitor for the loading of known vulnerable drivers (e.g., TPwSav.sys) via Sysmon Event ID 6 (driver loaded) or EDR telemetry, and alert on their presence in non-standard paths or alongside suspicious process creation chains. Mitigate by blocking the hash or signature of vulnerable drivers using Windows Defender Application Control (WDAC) or driver block rules, and ensure EDR tamper protection is enabled to prevent kernel callback removal.
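The Sysmon Event ID 6 hunt described above, as an added example that is not part of the cited report or record: it parses exported DriverLoad events, flags the driver name this record names (TPwSav.sys) and loads from outside the standard driver directory, and notes that a valid signature alone clears nothing, since BYOVD drivers are typically legitimately signed. The sample events are constructed; paths and timestamps are illustrative.

```python
"""Flag Sysmon Event ID 6 (DriverLoad) records for known vulnerable drivers."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Driver names to hunt for; TPwSav.sys is the one named in this record.
VULNERABLE_DRIVERS = {"tpwsav.sys"}
# Directory from which a stock Windows installation loads its drivers.
STANDARD_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two DriverLoad records in Windows Event XML (the shape
# Get-WinEvent | ForEach-Object ToXml produces), wrapped in one <Events> root.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
  <Data Name="ImageLoaded">C:\Windows\System32\drivers\Beep.sys</Data>
  <Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-01-01 10:00:05.000</Data>
  <Data Name="ImageLoaded">C:\Users\Public\TPwSav.sys</Data>
  <Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data>
 </EventData></Event>
</Events>"""

def parse_driver_loads(xml_text):
    """Yield the EventData fields of every Event ID 6 record as a dict."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue
        yield {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}

def assess(event):
    """Return the reasons a driver load is suspicious (empty list = nothing seen)."""
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    reasons = []
    if path.name.lower() in VULNERABLE_DRIVERS:
        reasons.append("known vulnerable driver name")
    if path.parent != STANDARD_DRIVER_DIR:  # PureWindowsPath compares case-insensitively
        reasons.append("loaded from non-standard path")
    # Deliberately no "signed, therefore fine" shortcut: the vulnerable driver in
    # this record carries a valid signature, so only an unsigned load adds a reason.
    if event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {event.get('SignatureStatus')!r}")
    return reasons

def hunt(xml_text):
    """Return [(ImageLoaded, reasons)] for each suspicious driver load in the export."""
    return [(e["ImageLoaded"], r) for e in parse_driver_loads(xml_text) if (r := assess(e))]
```

Pair a hit with the process creation chain around its UtcTime (the signed upd.exe and sideloaded avupdate.dll in this record) before escalating.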
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.