Bypass Record
BYOVD (Vulnerable Driver) × Elastic Defend
A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Elastic Defend, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The vulnerability is a CWE-476 NULL pointer dereference in the kernel driver elastic-endpoint-driver.sys. A pointer controllable from user mode is passed to a kernel function without proper validation; if that pointer is null or corrupted, dereferencing it crashes the system (BSOD). The researcher demonstrated a four-step chain: EDR bypass via a custom loader, remote code execution, persistence via a custom kernel driver, and privileged denial of service by interacting with the vulnerable driver to trigger repeated crashes.
Detection & mitigation
Monitor for loading of unsigned or untrusted kernel drivers (e.g., via Sysmon Event ID 6, Windows Event ID 7045/4697, or EDR driver load events) and correlate with unexpected system crashes (BSOD). Enforce driver signing policies and application control (e.g., WDAC) to block unauthorized drivers, and ensure EDR agents are updated to patched versions.
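The correlation described above (untrusted driver loads followed by repeated crashes on the same host), as an added detection example that is not part of the cited source. The normalized event schema, the sample events and the use of System Event ID 1001 (BugCheck) as the crash indicator are assumptions made here.

```python
"""Flag untrusted kernel driver loads followed by system crashes on the same host.

Added example; events are constructed inline in a simplified normalized form
(field names are assumptions, not a specific SIEM schema). Driver-load event IDs
follow the record above; the crash event ID (System 1001) is an assumption.
"""
from datetime import datetime, timedelta

DRIVER_LOAD_IDS = {("Sysmon", 6), ("System", 7045), ("Security", 4697)}
CRASH_IDS = {("System", 1001)}  # BugCheck; assumed crash indicator

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "ws01", "ts": "2024-01-10T09:00:00", "channel": "Sysmon", "id": 6,
     "image": r"C:\Windows\System32\drivers\acpi.sys", "signature_status": "Valid"},
    {"host": "ws01", "ts": "2024-01-10T09:05:00", "channel": "Sysmon", "id": 6,
     "image": r"C:\Users\Public\loader.sys", "signature_status": "Unsigned"},
    {"host": "ws01", "ts": "2024-01-10T09:07:00", "channel": "System", "id": 1001},
    {"host": "ws01", "ts": "2024-01-10T09:20:00", "channel": "System", "id": 1001},
    {"host": "ws02", "ts": "2024-01-10T10:00:00", "channel": "System", "id": 7045,
     "image": r"C:\Windows\System32\drivers\tdx.sys", "signature_status": "Valid"},
    {"host": "ws02", "ts": "2024-01-10T10:30:00", "channel": "System", "id": 1001},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def untrusted_driver_loads(events):
    """Driver-load events whose image does not carry a valid signature."""
    return [e for e in events
            if (e["channel"], e["id"]) in DRIVER_LOAD_IDS
            and e.get("signature_status") != "Valid"]


def correlate_crashes(events, window_s=3600):
    """Count crashes per untrusted load on the same host within window_s seconds.

    Returns (host, image, crash_count) tuples; repeated crashes shortly after an
    untrusted driver load is the pattern a repeated-BSOD denial of service leaves.
    """
    crashes = [e for e in events if (e["channel"], e["id"]) in CRASH_IDS]
    alerts = []
    for load in untrusted_driver_loads(events):
        start, end = _ts(load), _ts(load) + timedelta(seconds=window_s)
        n = sum(1 for c in crashes if c["host"] == load["host"] and start <= _ts(c) <= end)
        if n:
            alerts.append((load["host"], load["image"], n))
    return alerts


if __name__ == "__main__":
    for host, image, n in correlate_crashes(EVENTS):
        print(f"{host}: {n} crash(es) within 1h of untrusted driver load {image}")
```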
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.