Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Defender for Endpoint

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender for Endpoint
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
in the wild
Disclosed
2025-05-30
Config / version noted
Not stated

Provenance

Reported as

Microsoft Defender for Endpoint ... in the lowest tier

Mechanism

Conti operators rank EDR products by how easily they were bypassed or disabled during intrusions. A recurring technique is BYOVD: a legitimately signed but vulnerable kernel driver is loaded, and its privileged interface is abused to terminate EDR processes (tools such as EDRKillShifter package this) before ransomware is deployed. Because the driver carries a valid signature, driver signature enforcement alone does not stop it. The tier list reflects which products are most frequently and easily evaded, often because of default configurations or known weaknesses.

Detection & mitigation

Monitor for suspicious driver loads (for example, signed drivers on a known-vulnerable list, or drivers loaded from outside the system driver directories) and for unexpected termination of EDR processes. Ensure EDR agents are configured with tamper protection enabled and all advanced features turned on, and regularly audit agent health and configuration drift.
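The detection described above, as an added example that is not part of the cited source or of this record: a small correlation rule in Python over Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) events. The event lines, the blocklist hash and the driver path are constructed for illustration; the EDR process names are the Defender for Endpoint sensor and Defender Antivirus binaries. It escalates an EDR process termination to high severity when a suspicious driver load preceded it within ten minutes, and deliberately ignores signature validity, because BYOVD drivers are validly signed.

```python
"""
Correlation rule for the BYOVD-then-EDR-kill pattern.

Added example for this record, not code from the cited source. Input is a
list of JSON lines shaped like Sysmon Event ID 6 (DriverLoad) and Event ID 5
(ProcessTerminate) with simplified field names. The blocklist entry and the
sample events below are constructed placeholders, not real data.
"""
import json
from datetime import datetime, timedelta

# Defender for Endpoint sensor and Defender Antivirus engine binaries.
EDR_PROCESSES = {"mssense.exe", "senseir.exe", "sensecncproxy.exe", "msmpeng.exe"}

# Placeholder SHA256 -> name. In practice load a maintained list of known
# vulnerable drivers; the hash, not the signature, is the signal, because
# BYOVD drivers are validly signed and pass Driver Signature Enforcement.
VULNERABLE_DRIVER_SHA256 = {"DEADBEEF" * 8: "example-vulnerable.sys"}

# Directories kernel drivers normally load from (lower-cased for comparison).
DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# How long after a suspicious driver load an EDR kill is treated as related.
CORRELATION_WINDOW = timedelta(minutes=10)


def parse_event(line):
    ev = json.loads(line)
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def hash_map(hashes_field):
    """Sysmon 'SHA256=...,MD5=...' -> {'SHA256': '...', 'MD5': '...'}."""
    return dict(p.split("=", 1) for p in hashes_field.split(",") if "=" in p)


def driver_load_signal(ev):
    """Return (severity, reason) for a suspicious DriverLoad, else None."""
    sha256 = hash_map(ev.get("Hashes", "")).get("SHA256", "").upper()
    if sha256 in VULNERABLE_DRIVER_SHA256:
        return "high", f"known vulnerable driver {VULNERABLE_DRIVER_SHA256[sha256]}"
    if not ev["ImageLoaded"].lower().startswith(DRIVER_DIRS):
        return "medium", "driver loaded from outside the system driver directories"
    return None


def is_edr_termination(ev):
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return ev["EventID"] == 5 and image in EDR_PROCESSES


def correlate(lines):
    """Scan event lines in time order and return alert dicts. An EDR process
    termination is 'high' when a suspicious driver load preceded it within
    CORRELATION_WINDOW, otherwise 'medium' (still worth a look)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["UtcTime"])
    suspicious_loads, alerts = [], []
    for ev in events:
        if ev["EventID"] == 6:
            signal = driver_load_signal(ev)
            if signal:
                suspicious_loads.append(ev)
                alerts.append({"rule": "suspicious_driver_load", "severity": signal[0],
                               "reason": signal[1], "driver": ev["ImageLoaded"],
                               "time": ev["UtcTime"]})
        elif is_edr_termination(ev):
            prior = [d for d in suspicious_loads
                     if timedelta(0) <= ev["UtcTime"] - d["UtcTime"] <= CORRELATION_WINDOW]
            alerts.append({"rule": "edr_process_terminated",
                           "severity": "high" if prior else "medium",
                           "process": ev["Image"],
                           "related_driver": prior[-1]["ImageLoaded"] if prior else None,
                           "time": ev["UtcTime"]})
    return alerts


# Constructed sample telemetry: one benign driver load, one blocklisted driver
# dropped in a user-writable path, then the MDE sensor being killed.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-05-30 10:14:50.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signature": "Microsoft Windows"},
    {"EventID": 6, "UtcTime": "2025-05-30 10:15:02.000",
     "ImageLoaded": r"C:\Users\Public\x.sys",
     "Hashes": "SHA256=" + "DEADBEEF" * 8 + ",MD5=" + "00" * 16,
     "Signature": "Some Hardware Vendor"},
    {"EventID": 5, "UtcTime": "2025-05-30 10:16:40.000",
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"EventID": 5, "UtcTime": "2025-05-30 10:16:41.000",
     "Image": r"C:\Windows\notepad.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["severity"].upper(), a["rule"], a.get("driver") or a["process"],
              a.get("reason") or f"related driver: {a['related_driver']}")
```

Run it directly to print the two alerts for the sample log. To turn it into a real rule, replace the placeholder hash set with a maintained vulnerable-driver list and feed it actual Sysmon or Defender device telemetry. Two related checks that this editor adds and that the cited source does not mention: on a Windows host, `Get-MpComputerStatus` reports `IsTamperProtected`, which should be True on every onboarded device; and Windows' Microsoft Vulnerable Driver Blocklist (enforced with HVCI or through WDAC policy) blocks many of the drivers these killers rely on before they load at all.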


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.