BYOVD (Vulnerable Driver) × Elastic Defend

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Elastic Defend, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Elastic Defend

Technique

BYOVD (Vulnerable Driver)

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-11-21

Config / version noted

Not stated

Provenance

ashes-cybersecurity.com
disclosed 2025-11-21 · original source · via exa

Reported as

vulnerability in the Microsoft-signed elastic-endpoint-driver.sys allows a local attacker to trigger a NULL or invalid pointer dereference... causing a Blue Screen of Death (BSOD) and persistent denial of service

Mechanism

User-influenced data causes an unvalidated pointer to be passed to ExFreePoolWithTag in the driver, leading to a kernel crash. The attack requires a cooperating kernel driver to influence the pointer, which can be triggered repeatedly to cause BSODs on demand or during boot.

Detection & mitigation

Monitor for loading of known-vulnerable or unusual kernel drivers (e.g., via Sysmon Event ID 6 or driver load events) and correlate with subsequent system crashes (Event ID 41/1001). Blocklist vulnerable driver hashes or enforce driver signing policies to prevent BYOVD attacks.

BYOVD (Vulnerable Driver) has also been recorded against

Avast Baidu BattlEye Bitdefender Carbon Black Cortex CrowdStrike Cylance Easy Anti-Cheat EasyAntiCheat Fortinet F-Secure

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.