Bypass Record
BYOVD (Vulnerable Driver) × Microsoft Windows Defender
A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The attacker loads a vulnerable driver that writes to a file during initialization. A symbolic link is created from the driver's output file path to the EDR service executable. By manipulating the service group load order via the ServiceGroupOrder registry key, the driver's service starts before the EDR service, causing the driver to overwrite the EDR executable with arbitrary data, preventing the EDR service from starting.
Detection & mitigation
Monitor for loading of known vulnerable drivers (e.g., via Sysmon Event ID 6 or driver blocklist enforcement) and creation of symbolic links targeting security product executables. Mitigate by enabling Microsoft's vulnerable driver blocklist, enforcing HVCI, and restricting write access to EDR service directories.
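As an added example (not drawn from the cited source): a Python triage routine that checks Sysmon Event ID 6 (Driver loaded) records against a driver-hash blocklist and signature status, plus a check of whether a driver's service group is listed ahead of the EDR's group in ServiceGroupOrder. The hash values, driver file names and group names are constructed placeholders, not real indicators.

```python
from typing import Dict, List

# Constructed placeholder hashes standing in for a real vulnerable-driver blocklist
# (e.g. Microsoft's); these are NOT hashes of any real driver.
BLOCKLIST_SHA256 = {"1" * 64}

# Constructed group name; real names come from the host's
# HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List value.
EDR_GROUP = "EDR Group"


def parse_hashes(field: str) -> Dict[str, str]:
    """Split a Sysmon 'Hashes' field ('SHA1=..,MD5=..,SHA256=..') into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a Sysmon Event ID 6 record deserves analyst attention."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKLIST_SHA256:
        reasons.append("SHA256 is on the vulnerable-driver blocklist")
    # A blocklisted driver is usually validly signed; the signature check catches the rest.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is not validly signed")
    return reasons


def loads_before_edr(order: List[str], driver_group: str, edr_group: str = EDR_GROUP) -> bool:
    """True if driver_group precedes edr_group in the ServiceGroupOrder list, i.e. a
    driver service in that group initialises before the EDR service starts."""
    if driver_group not in order or edr_group not in order:
        return False
    return order.index(driver_group) < order.index(edr_group)


# Constructed sample records with the fields Sysmon emits for Event ID 6.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\placeholder_vuln.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\placeholder_ok.sys",
     "Hashes": "SHA256=" + "2" * 64, "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ImageLoaded"], triage_driver_load(ev) or "clean")
```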
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.