Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows (certificate validation)

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows (certificate validation), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows (certificate validation)
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2025-03-16
Config / version noted: Not stated

Provenance

Reported as

bypass Microsoft's Vulnerable Driver Blocklist and terminate security processes

Mechanism

Attackers modified the padding area of the WIN_CERTIFICATE structure in TrueSight.sys v2.0.2.0, a driver exempt from Microsoft's blocklist because it was signed before July 29, 2015. That padding is ignored during WinVerifyTrust validation, so the tampered driver (with a changed file hash) still carries a valid signature. The driver's vulnerability (arbitrary process termination) is then used to kill AV/EDR processes.

Detection & mitigation

Monitor for the loading of known vulnerable drivers (e.g., TrueSight.sys v2.0.2.0) via Sysmon Event ID 6 (driver loaded) or EDR telemetry, and alert on unexpected process termination events targeting security products. Mitigate by enforcing Microsoft's vulnerable driver blocklist and using WDAC to block unapproved drivers.
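One file-level check that complements the telemetry above: parse each WIN_CERTIFICATE entry in a driver's Attribute Certificate Table and flag any non-zero bytes between the end of the PKCS#7 SignedData blob and dwLength, the region the mechanism above describes as ignored by validation. This is an added example, not code from the cited source; it assumes the standard PE and WIN_CERTIFICATE layouts and that Microsoft's signing tools emit zero padding there (an assumption, so treat a hit as a triage lead, not proof).

```python
import struct

# WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (little-endian)
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def der_total_length(blob: bytes) -> int:
    """Encoded length (tag + length bytes + content) of the DER SEQUENCE at
    blob[0]; that is the PKCS#7 SignedData that signature validation covers."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 SignedData)")
    first = blob[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def audit_win_certificate(entry: bytes) -> dict:
    """Report the bytes that sit after the PKCS#7 blob but inside dwLength.
    Assumption: signing tools emit zeros there; anything else is worth a look."""
    dw_length, revision, cert_type = WIN_CERT_HEADER.unpack_from(entry)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unsupported wCertificateType 0x{cert_type:04x}")
    body = entry[WIN_CERT_HEADER.size:dw_length]
    signed_len = der_total_length(body)
    padding = body[signed_len:]
    return {"revision": revision, "pkcs7_length": signed_len,
            "padding_length": len(padding), "padding_nonzero": any(padding),
            "padding_hex": padding.hex()}

def pe_security_entries(pe: bytes) -> list:
    """Return each WIN_CERTIFICATE entry in a PE image's Attribute Certificate
    Table. For this directory the 'VirtualAddress' field is a file offset."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                       # skip Signature + FileHeader
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    off, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    entries, end = [], off + size
    while off and off + WIN_CERT_HEADER.size <= end:
        dw_length = struct.unpack_from("<I", pe, off)[0]
        entries.append(pe[off:off + dw_length])
        off += (dw_length + 7) & ~7               # entries are 8-byte aligned
    return entries
```

Run it over a driver with `[audit_win_certificate(e) for e in pe_security_entries(open(path, "rb").read())]` and alert when any entry reports `padding_nonzero`; pair the result with the file hash so a signed-but-modified copy of a known driver stands out from the stock build.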


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.