Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2026-05-03
Config / version noted: Not stated

Provenance

Reported as: bypass Protected Process Light (PPL) to terminate security processes

Mechanism

Attackers gain initial access, then use DLL sideloading to drop a malicious DLL that loads a vulnerable signed driver (e.g., rwdrv.sys). The driver provides kernel memory access, allowing the malware to zero out EDR callback registrations (PsSetCreateProcessNotifyRoutine, etc.) and bypass Protected Process Light (PPL) to terminate security processes. Ransomware then executes in a blind environment.

Detection & mitigation

Monitor for the loading of known vulnerable drivers (e.g., rwdrv.sys) via Sysmon Event ID 6 (driver loaded) or EDR telemetry, and correlate with unexpected process terminations of security products. Mitigation includes enforcing Microsoft's vulnerable driver blocklist (via WDAC or HVCI) and restricting driver loading to only trusted, signed drivers.
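The correlation described above, as an added example that is not part of this record or of any vendor's tooling: it runs the detection logic over a few constructed, simplified Sysmon events (ID 6 = driver loaded, ID 5 = process terminated), flags loads of a known-vulnerable driver name, and raises a higher-confidence alert when a security-product process on the same host is terminated within a short window afterwards. The driver list, the security-process image names, the host names and the time window are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Known-vulnerable driver file names (constructed sample list; a real deployment
# would source this from Microsoft's vulnerable driver blocklist).
VULNERABLE_DRIVERS = {"rwdrv.sys"}
# Image names of security-product processes whose termination is suspicious (assumed).
SECURITY_PROCESSES = {"msmpeng.exe", "sense.exe", "edr_agent.exe"}
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window between load and kill

# Constructed, simplified Sysmon events: "id" 6 = DriverLoad, 5 = ProcessTerminate.
SAMPLE_EVENTS = [
    {"id": 6, "time": "2026-05-03T10:00:00", "host": "ws01", "image": r"C:\Windows\Temp\rwdrv.sys"},
    {"id": 5, "time": "2026-05-03T10:01:30", "host": "ws01", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"id": 6, "time": "2026-05-03T10:05:00", "host": "ws02", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"id": 5, "time": "2026-05-03T10:06:00", "host": "ws02", "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 5, "time": "2026-05-03T11:30:00", "host": "ws01", "image": r"C:\Program Files\EDR\edr_agent.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_byovd(events, window=CORRELATION_WINDOW):
    """Return a dict with every vulnerable-driver load seen and, separately, each load
    that is followed within `window` by a security-process termination on the same host."""
    loads = {}   # host -> [(time, driver name)]
    result = {"vulnerable_driver_loads": [], "correlated_kills": []}
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["time"])
        name = basename(ev["image"])
        if ev["id"] == 6 and name in VULNERABLE_DRIVERS:
            loads.setdefault(ev["host"], []).append((t, name))
            result["vulnerable_driver_loads"].append((ev["host"], name))
        elif ev["id"] == 5 and name in SECURITY_PROCESSES:
            # Only kills that happen after a flagged load, and within the window, correlate.
            for load_time, driver in loads.get(ev["host"], []):
                if timedelta(0) <= t - load_time <= window:
                    result["correlated_kills"].append((ev["host"], driver, name))
    return result

if __name__ == "__main__":
    r = detect_byovd(SAMPLE_EVENTS)
    for host, driver in r["vulnerable_driver_loads"]:
        print(f"[WARN]  {host}: vulnerable driver loaded: {driver}")
    for host, driver, proc in r["correlated_kills"]:
        print(f"[ALERT] {host}: {driver} loaded, then security process {proc} terminated")
```

In the sample data the second edr_agent.exe termination on ws01 falls 90 minutes after the load and so is reported only as a driver-load warning, not a correlated alert.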

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.