Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows Driver Signature Enforcement

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Driver Signature Enforcement, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Driver Signature Enforcement
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-04-05
Config / version noted
Not stated

Provenance

Reported as

disabling Windows Driver Signature Enforcement (DSE) and PatchGuard... analyzes PatchGuard's KiFilterFiberContext routine to understand debugger detection and potential evasion, aiming to disable kernel patch protection

Mechanism

A BYOVD attack that loads a vulnerable signed driver and uses it to overwrite the kernel callbacks (SeCiCallbacks) that Code Integrity relies on for image validation, thereby bypassing DSE. The source additionally analyzes PatchGuard's KiFilterFiberContext routine to understand its debugger detection and potential evasion, with the aim of disabling kernel patch protection.

Detection & mitigation

Monitor for loading of known vulnerable drivers (e.g., via Sysmon Event ID 6 or 7) and correlate with unexpected kernel callback modifications. Mitigation: enforce driver blocklist policies (e.g., Windows Defender Application Control) and keep the vulnerable driver blocklist up to date.
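As an added illustration (not from the cited source), a minimal checker over constructed Sysmon Event ID 6 records: it flags a loaded driver whose SHA256 is on a blocklist even though its signature is valid (the BYOVD case), and separately flags drivers that load unsigned or with an invalid signature (what a successful DSE bypass permits afterwards). Blocklist entries, hashes and file names are placeholders.

```python
from typing import Dict, List, Optional

# Placeholder blocklist keyed by lowercase SHA256; the entry is constructed, not a real indicator.
BLOCKLIST_SHA256 = {"a" * 64: "placeholder-vulnerable.sys (constructed entry)"}


def parse_hashes(field: str) -> Dict[str, str]:
    """Parse a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...' into {algo: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for a Sysmon Event ID 6 (DriverLoad) record, or None if nothing stands out."""
    if event.get("EventID") != 6:
        return None
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    # A valid Authenticode signature is not evidence of safety: the BYOVD driver is signed too,
    # so the hash blocklist is checked before the signature fields.
    if sha256 in BLOCKLIST_SHA256:
        return f"blocklisted driver loaded: {event['ImageLoaded']} ({BLOCKLIST_SHA256[sha256]})"
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        return f"unsigned/invalid-signature driver loaded: {event['ImageLoaded']}"
    return None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run assess_driver_load over a batch of events and keep only the findings."""
    return [f for f in (assess_driver_load(e) for e in events) if f]


# Constructed records mirroring Sysmon Event ID 6 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\placeholder_ok.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\placeholder-vulnerable.sys",
     "Hashes": "SHA256=" + "A" * 64 + ",MD5=" + "c" * 32, "Signed": "true",
     "Signature": "Example Vendor (placeholder)", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\placeholder-unsigned.sys",
     "Hashes": "SHA256=" + "d" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```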


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.