BYOVD (Vulnerable Driver) × Microsoft Defender

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Defender

Technique

BYOVD (Vulnerable Driver)

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-06-27

Config / version noted

Not stated

Provenance

infosecwriteups.com
disclosed 2024-06-27 · original source · via exa

Reported as

tested against Microsoft Defender and Elastic EDR, allowing execution of tools like Mimikatz without detection

Mechanism

A custom kernel-mode minifilter driver registers a preoperation callback that intercepts file I/O operations. The callback checks if the file path matches a list of EDR-related files and returns STATUS_ACCESS_DENIED, preventing the EDR from accessing its own components and thus stopping its processes from running.

Detection & mitigation

Monitor for the loading of unexpected or newly signed minifilter drivers via Event ID 6 (driver load) and 11 (minifilter registration) in the Microsoft-Windows-FilterManager operational log. Correlate with Sysmon Event ID 7 (image load) for unsigned or unusual driver loads, and enforce driver signing policies with WDAC to block unapproved drivers.

BYOVD (Vulnerable Driver) has also been recorded against

Avast Baidu BattlEye Bitdefender Carbon Black Cortex CrowdStrike Cylance Easy Anti-Cheat EasyAntiCheat Elastic Fortinet

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.