Bypass Record

BYOVD (Vulnerable Driver) × SentinelOne EDR

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing SentinelOne EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
SentinelOne EDR
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
In the wild
Disclosed
2026-03-26
Config / version noted
Not stated

Provenance

Reported as

terminate 23 security products from ring-0, bypassing user-mode protections

Mechanism

Attackers load the vulnerable signed Huawei driver HWAuidoOs2Ec.sys via BYOVD. A user-mode component sends a target process ID to one of the driver's privileged IOCTL handlers, and the driver calls ZwTerminateProcess from kernel mode. Because the termination request originates in ring 0, protections that are only enforced against user-mode callers, including Protected Process Light (PPL), do not apply. The tooling polls for the targeted security processes every 100 ms and terminates them as they appear.

Detection & mitigation

Monitor driver loads with Sysmon Event ID 6 (driver loaded) or equivalent EDR telemetry and alert when a known vulnerable driver such as HWAuidoOs2Ec.sys appears, especially on hosts where it is not part of the standard system image. Match on the file hash and signer rather than the file name alone, since the attacker chooses the name of the dropped file. Because the driver's purpose is to kill the security tooling, the driver-load event may be the last reliable signal the endpoint sends; forward it off-host promptly and treat it as an alert in its own right rather than one input to later correlation. Mitigate by blocking the driver's hash or signing certificate with a Windows Defender Application Control (WDAC) policy, enabling the Microsoft vulnerable driver blocklist, and configuring endpoint protection to prevent untrusted drivers from loading.
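The detection logic above, as an added example that is not part of the cited source or of any vendor's tooling: it parses Sysmon Event ID 6 records in their exported XML layout and grades each driver load. Only the file name HWAuidoOs2Ec.sys comes from this record; the SHA256 values, the signer strings, the baseline driver list and the four sample events are constructed placeholders. Matching is done by hash first so that a renamed copy of the driver is still caught, then by name, then by signature status, and finally by absence from the baseline image.

```python
"""Grade Sysmon Event ID 6 (DriverLoad) records for known-vulnerable driver loads.

Added example for this record, not code from the cited source. The driver name
HWAuidoOs2Ec.sys is taken from the record; every hash, signer string and event
below is a constructed placeholder.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hash match comes first: the attacker picks the file name, a renamed copy keeps its hash.
# Placeholder value, NOT the real hash of the driver.
VULNERABLE_DRIVER_SHA256 = {"DEADBEEF" * 8: "HWAuidoOs2Ec.sys"}
# Name match is the weaker fallback: catches other builds, misses renamed copies.
VULNERABLE_DRIVER_NAMES = {"hwauidoos2ec.sys"}
# Drivers expected from the standard image (constructed list); anything else gets a look.
BASELINE_DRIVERS = {"ntfs.sys", "tcpip.sys", "afd.sys", "disk.sys"}


def _data(event, name):
    """Read one <Data Name="..."> field from the EventData block."""
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return node.text if node is not None and node.text else ""


def _sha256(hashes_field):
    """Sysmon packs hashes as 'SHA256=...,IMPHASH=...'; return the SHA256 or ''."""
    for part in hashes_field.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return value.strip().upper()
    return ""


def evaluate_driver_load(event_xml):
    """Return a finding dict for a Sysmon EID 6 record, or None if nothing is notable."""
    event = ET.fromstring(event_xml)
    if event.findtext("e:System/e:EventID", default="", namespaces=NS) != "6":
        return None
    image = _data(event, "ImageLoaded")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    sha256 = _sha256(_data(event, "Hashes"))
    signed = _data(event, "Signed").lower() == "true"
    status = _data(event, "SignatureStatus").lower()
    finding = {"image": image, "sha256": sha256, "signer": _data(event, "Signature")}

    if sha256 in VULNERABLE_DRIVER_SHA256:
        finding.update(severity="critical",
                       reason=f"hash matches known vulnerable driver {VULNERABLE_DRIVER_SHA256[sha256]}")
    elif name in VULNERABLE_DRIVER_NAMES:
        finding.update(severity="high", reason="name matches known vulnerable driver (hash differs)")
    elif not signed or status != "valid":
        finding.update(severity="high", reason="driver loaded without a valid signature")
    elif name not in BASELINE_DRIVERS:
        finding.update(severity="medium", reason="signed driver not in the baseline image")
    else:
        return None
    return finding


def _sysmon_event(image, sha256, signed="true", signer="Example Signer", status="Valid"):
    """Build a constructed Sysmon EID 6 record in the exported XML layout (sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2026-03-26 10:00:00.000</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256},IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signer}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample events (signer strings are placeholders, not real certificate subjects).
SAMPLE_EVENTS = [
    # Renamed copy of the vulnerable driver dropped in a writable path: caught by hash.
    _sysmon_event(r"C:\Windows\Temp\audio_update.sys", "DEADBEEF" * 8, signer="Huawei (placeholder)"),
    # Same file name, different build: caught by name only.
    _sysmon_event(r"C:\Users\Public\HWAuidoOs2Ec.sys", "CAFEF00D" * 8, signer="Huawei (placeholder)"),
    # Unknown but validly signed driver outside the baseline image.
    _sysmon_event(r"C:\Windows\System32\drivers\vendortool.sys", "0123ABCD" * 8),
    # Ordinary Windows driver from the image: no finding.
    _sysmon_event(r"C:\Windows\System32\drivers\ntfs.sys", "01234567" * 8),
]


def scan(events=SAMPLE_EVENTS):
    """Evaluate a batch of records and return only the findings, in input order."""
    return [f for f in (evaluate_driver_load(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan():
        print(f"[{f['severity'].upper()}] {f['image']} sha256={f['sha256'][:16]}... {f['reason']}")
```

In production the hash table would be populated from the Microsoft vulnerable driver blocklist plus the hashes of drivers seen in prior incidents, and the baseline set from an inventory of the gold image; the medium-severity branch is what surfaces a driver nobody has catalogued yet.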


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.