Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows Defender

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2023-08-16
Config / version noted: Not stated

Provenance

Reported as

AuKill leverages the vulnerable signed driver PROCEXP.SYS via BYOVD... to terminate protected EDR processes that cannot be killed by user-level processes.

Mechanism

AuKill leverages the vulnerable signed driver PROCEXP.SYS via BYOVD. It adjusts token privileges, ensures SYSTEM integrity, and sends private IOCTL codes through DeviceIoControl to terminate protected EDR processes that cannot be killed by user-level processes.

Detection & mitigation

Monitor for the loading of known vulnerable drivers (e.g., PROCEXP.SYS) via Sysmon Event ID 6 (driver load) or EDR telemetry, and block these drivers using Windows Defender Application Control (WDAC) or Microsoft's vulnerable driver blocklist policies.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.