Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Defender

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2025-11-14
Config / version noted
Not stated

Provenance

Reported as

abuses signed kernel drivers to disable Microsoft Defender

Mechanism

RONINGLOADER loads a signed kernel driver (ollama.sys) and sends it IOCTL requests that terminate security processes from kernel mode. It abuses Protected Process Light (PPL) to overwrite Defender's service binary, MsMpEng.exe, with junk data. It deploys custom Windows Defender Application Control (WDAC) policies that block specific security executables from running, and it uses phantom DLL side-loading and thread pool injection for persistence and payload delivery.

Detection & mitigation

Monitor kernel driver loads for unusual signed drivers, especially those signed with certificates from uncommon publishers or loaded from outside the standard driver directories. Detect attempts to modify MsMpEng.exe and the deployment of custom WDAC policies. Use behavioural rules to identify process termination driven through kernel-mode IOCTL handlers, and block known malicious driver hashes.
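As an added illustration of the detection points above (example code written for this record, not taken from the cited report or from any vendor tooling): a small Python pass over constructed Sysmon-style DriverLoad (Event ID 6) and FileCreate (Event ID 11) events that flags uncommon driver signers, drivers loaded from non-standard paths, known-bad driver hashes, writes to MsMpEng.exe, and drops of WDAC policy files. The signer allow-list, the blocklist hash, the process names, the GUID and every event value are constructed assumptions; only the MsMpEng.exe platform directory and the two WDAC policy locations are real Windows paths.

```python
"""Toy BYOVD / Defender-tampering detector over constructed Sysmon-style events.

Added example, not code from the cited report. Field names are loosely modelled
on Sysmon Event ID 6 (DriverLoad) and Event ID 11 (FileCreate).
"""
import re
from typing import Dict, List, Tuple

# Publishers whose drivers are expected on a stock Windows host. Assumption:
# a real deployment would replace this with an allow-list built from its own fleet,
# since legitimate third-party drivers (GPU, storage, anti-cheat) will otherwise fire.
EXPECTED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Hashes of drivers already known to be abused. The value here is a placeholder,
# not a real hash; in production this set comes from your own threat intel.
KNOWN_BAD_DRIVER_HASHES = {
    "SHA256=PLACEHOLDER_KNOWN_BAD_DRIVER_HASH",
}

# Directories from which drivers are normally loaded on Windows.
STANDARD_DRIVER_DIRS = re.compile(r"\\Windows\\System32\\(drivers|DriverStore)\\", re.I)

# Real locations of WDAC (Code Integrity) policies: single-policy and multi-policy formats.
WDAC_POLICY_PATTERNS = [
    re.compile(r"\\System32\\CodeIntegrity\\SiPolicy\.p7b$", re.I),
    re.compile(r"\\System32\\CodeIntegrity\\CiPolicies\\Active\\[^\\]+\.cip$", re.I),
]

# Constructed sample events (not real telemetry). The driver path, signer name,
# hash, process names and GUID are invented for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": 6, "image": r"C:\Windows\System32\drivers\disk.sys",
     "signature": "Microsoft Windows", "hash": "SHA256=PLACEHOLDER_CLEAN_HASH"},
    {"id": 6, "image": r"C:\Users\Public\ollama.sys",
     "signature": "Example Uncommon Publisher Ltd",
     "hash": "SHA256=PLACEHOLDER_KNOWN_BAD_DRIVER_HASH"},
    {"id": 11, "image": r"C:\Users\Public\stage2.exe",
     "target": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"},
    {"id": 11, "image": r"C:\Users\Public\stage2.exe",
     "target": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active"
               r"\{0D3C7E2A-1B4F-4C9D-9E5A-6F7B8C9D0E1F}.cip"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\cab1234.tmp"},
]


def driver_load_findings(ev: Dict[str, str]) -> List[str]:
    """Rules for a DriverLoad event: bad hash, uncommon signer, unusual path."""
    findings = []
    if ev.get("hash") in KNOWN_BAD_DRIVER_HASHES:
        findings.append("known_malicious_driver_hash")
    if ev.get("signature") not in EXPECTED_DRIVER_SIGNERS:
        findings.append("driver_signed_by_uncommon_publisher")
    if not STANDARD_DRIVER_DIRS.search(ev.get("image", "")):
        findings.append("driver_loaded_from_unusual_path")
    return findings


def file_write_findings(ev: Dict[str, str]) -> List[str]:
    """Rules for a FileCreate event: Defender binary tampering, WDAC policy drop."""
    findings = []
    target = ev.get("target", "")
    # Defender's own platform updates also write MsMpEng.exe, so treat this as a
    # triage signal and allow-list the updater in a real rule.
    if target.lower().endswith("\\msmpeng.exe"):
        findings.append("write_to_msmpeng_exe")
    if any(p.search(target) for p in WDAC_POLICY_PATTERNS):
        findings.append("wdac_policy_deployed")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, originating_image) pairs for every rule that fires."""
    alerts = []
    for ev in events:
        if ev.get("id") == 6:
            findings = driver_load_findings(ev)
        elif ev.get("id") == 11:
            findings = file_write_findings(ev)
        else:
            findings = []
        alerts.extend((f, ev.get("image", "")) for f in findings)
    return alerts


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} {image}")
```

The uncommon-publisher and unusual-path rules are noisy on their own and are meant for triage, not blocking; the hash rule is the one that is safe to enforce, and in practice the hash set should be populated from a maintained list of abused drivers rather than typed by hand.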

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.