Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows Driver Signature Enforcement

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Driver Signature Enforcement, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Driver Signature Enforcement
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-05-27
Config / version noted
Not stated

Provenance

Reported as

bypass Driver Signature Enforcement (DSE) on Windows by exploiting the KsecDD kernel module... disabling DSE to load unsigned drivers

Mechanism

The tool sends a crafted 16-byte structure via IOCTL 0x39006f to KsecDD.sys, which calls KsecIoctlHandleFunctionReturn. This function invokes CallInProgressCompleted, executing a user-controlled gadget (mov [rcx], rdx) to write 0 to g_cioptions in kernel memory, disabling DSE. It requires lsass.exe to issue the IOCTL and uses hardcoded offsets for specific Windows builds.

Detection & mitigation

Monitor for IOCTL 0x39006f sent to KsecDD.sys from unexpected processes (i.e., any process other than lsass.exe) or with anomalous parameters; enforce a driver blocklist (e.g., via WDAC) and enable Secure Boot to prevent unsigned drivers from loading.
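The following is an added example, not part of the cited source or the tool it describes: it applies the first detection rule above (IOCTL 0x39006f to KsecDD.sys from a caller other than lsass.exe) to a handful of constructed telemetry events. The JSON-lines format and its field names (ts, pid, image, device_driver, ioctl) are assumptions standing in for whatever a real sensor emits. It goes one step beyond the record's wording by comparing the caller's full path against C:\Windows\System32\lsass.exe rather than the bare file name, so a binary merely named lsass.exe in another directory is still flagged.

```python
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Values taken from the record above.
KSECDD_IOCTL = 0x39006F
KSECDD_DRIVER = "ksecdd.sys"
# lsass.exe legitimately runs from System32; comparing the full path (not just
# the file name) keeps a same-named binary elsewhere from passing the rule.
EXPECTED_CALLER_PATH = PureWindowsPath(r"C:\Windows\System32\lsass.exe")

# Constructed sample telemetry in a hypothetical JSON-lines format (one event
# per line). Field names are assumptions, not taken from any real sensor.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-27T10:00:01Z", "pid": 712, "image": "C:\\Windows\\System32\\lsass.exe", "device_driver": "KsecDD.sys", "ioctl": "0x39006f"}
{"ts": "2024-05-27T10:00:05Z", "pid": 4412, "image": "C:\\Users\\Public\\loader.exe", "device_driver": "KsecDD.sys", "ioctl": "0x39006f"}
{"ts": "2024-05-27T10:00:06Z", "pid": 4412, "image": "C:\\Users\\Public\\loader.exe", "device_driver": "KsecDD.sys", "ioctl": "0x390008"}
{"ts": "2024-05-27T10:00:09Z", "pid": 9001, "image": "C:\\Windows\\Temp\\lsass.exe", "device_driver": "ksecdd.sys", "ioctl": 3735663}
{"ts": "2024-05-27T10:00:11Z", "pid": 1200, "image": "C:\\Windows\\System32\\svchost.exe", "device_driver": "afd.sys", "ioctl": "0x12003"}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    pid: int
    image: str
    reason: str


def parse_ioctl(value) -> int:
    """Accept the IOCTL code as an int, a hex string ("0x39006f") or a decimal string."""
    if isinstance(value, int):
        return value
    return int(str(value), 0)


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if the event matches the KsecDD rule, else None."""
    # Only the KsecDD.sys driver is of interest; compare case-insensitively on the file name.
    if PureWindowsPath(event["device_driver"]).name.lower() != KSECDD_DRIVER:
        return None
    if parse_ioctl(event["ioctl"]) != KSECDD_IOCTL:
        return None
    image = PureWindowsPath(event["image"])
    # PureWindowsPath equality is case-insensitive, matching Windows semantics.
    if image == EXPECTED_CALLER_PATH:
        return None
    if image.name.lower() == "lsass.exe":
        reason = "lsass.exe name from unexpected path"
    else:
        reason = "caller is not lsass.exe"
    return Finding(event["ts"], int(event["pid"]), str(image), reason)


def scan(jsonl: str) -> List[Finding]:
    """Run the rule over every non-empty JSON line and collect the findings."""
    findings: List[Finding] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        finding = evaluate(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} pid={f.pid} {f.image}: {f.reason}")
```

Running the block prints two findings from the constructed sample: the loader in C:\Users\Public and the misplaced lsass.exe in C:\Windows\Temp; the genuine lsass.exe call, the different IOCTL code, and the unrelated driver are all ignored. A rule keyed on caller identity is a floor rather than a ceiling, which is why the record pairs it with a driver blocklist and Secure Boot.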


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.