Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows Defender

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-11-10
Config / version noted: Not stated

Provenance

Reported as

enables unsigned driver loading via DSE bypass

Mechanism

KVC operates in kernel mode to patch g_CiOptions or hijack skci.dll in order to disable Driver Signature Enforcement (DSE), allowing unsigned drivers to be loaded. It also manipulates Protected Process / Protected Process Light (PP/PPL) levels to access protected processes such as LSASS for memory dumping, bypassing user-mode restrictions and HVCI/VBS.

Detection & mitigation

Monitor for loading of unsigned or newly seen kernel drivers via Windows Event ID 7045 (new service) and Sysmon Event ID 6 (driver loaded). Enforce driver blocklist policies (e.g., WDAC) and enable HVCI/VBS with secure boot to prevent DSE bypass.


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.