Bypass Record

BYOVD (Vulnerable Driver) × targeted EDR vendor EDR products

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing the targeted EDR vendor's EDR products, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: targeted EDR vendor EDR products
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: Critical
Status: in the wild
Disclosed: 2024-09-13
Config / version noted: Not stated

Provenance

Reported as

malicious driver ... terminates EDR processes

Mechanism

Attackers stop the Windows Time service, set the system clock to a date within the validity period of an expired cross-signing certificate (pre-July 2015), then load a malicious driver signed with that certificate. The driver runs with kernel privileges and terminates EDR processes.

Detection & mitigation

Monitor for unexpected changes to system time (Event ID 1 from Microsoft-Windows-Kernel-General or Event ID 4616) and the loading of drivers signed with expired certificates (Event ID 6 from Microsoft-Windows-Sysmon or 3004 from Microsoft-Windows-CodeIntegrity). Enforce driver signing policies that block expired certificates and restrict SeSystemtimePrivilege to authorized processes.
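The clock-rollback and expired-signature signals above can be correlated, as in this added example (not from the record or its cited source). Event records are constructed with hypothetical values; the assumed "seq" field is a SIEM ingestion order, needed because events logged after the rollback carry the forged 2015 timestamp rather than real time.

```python
from datetime import datetime

# Constructed sample events modelled on Security 4616 (system time changed)
# and Sysmon 6 (driver loaded). Values are hypothetical, not from the report.
# "seq" is an assumed SIEM ingestion order: after the rollback the events'
# own timestamps are stamped with the forged 2015 clock, so they cannot be
# used to order the rollback against the driver load.
EVENTS = [
    {"seq": 1, "id": 4616, "prev": "2024-09-13T09:58:00", "new": "2024-09-13T09:58:02",
     "process": r"C:\Windows\System32\svchost.exe"},            # benign small adjustment
    {"seq": 2, "id": 4616, "prev": "2024-09-13T10:00:05", "new": "2015-05-01T00:00:00",
     "process": r"C:\Users\x\tool.exe"},                        # rollback into cert window
    {"seq": 3, "id": 6, "ts": "2015-05-01T00:00:04", "image": r"C:\Windows\Temp\drv.sys",
     "signed": True, "status": "Expired"},                       # loaded under forged clock
    {"seq": 4, "id": 4616, "prev": "2015-05-01T00:00:09", "new": "2024-09-13T10:00:20",
     "process": r"C:\Users\x\tool.exe"},                        # clock restored
    {"seq": 5, "id": 6, "ts": "2024-09-13T11:30:00",
     "image": r"C:\Windows\System32\drivers\ok.sys", "signed": True, "status": "Valid"},
]

CROSS_SIGN_CUTOFF = datetime(2015, 7, 1)  # end of the pre-July 2015 window in the record

def _t(s):
    return datetime.fromisoformat(s)

def clock_rollbacks(events):
    """4616 events that move the clock from after the cutoff to before it."""
    return [e for e in events if e["id"] == 4616
            and _t(e["new"]) < CROSS_SIGN_CUTOFF <= _t(e["prev"])]

def clock_restores(events):
    """4616 events that move the clock from before the cutoff back to the present."""
    return [e for e in events if e["id"] == 4616
            and _t(e["prev"]) < CROSS_SIGN_CUTOFF <= _t(e["new"])]

def suspicious_driver_loads(events):
    """Sysmon 6 events that carry a signature whose status is anything but Valid."""
    return [e for e in events if e["id"] == 6
            and e.get("signed") and e.get("status") != "Valid"]

def correlate(events):
    """Non-valid-signature driver loads ingested between a rollback and the next
    restore; returns (rolling-back process, driver image, signature status)."""
    alerts = []
    restores = sorted(r["seq"] for r in clock_restores(events))
    for rb in clock_rollbacks(events):
        end = next((s for s in restores if s > rb["seq"]), float("inf"))
        for d in suspicious_driver_loads(events):
            if rb["seq"] < d["seq"] < end:
                alerts.append((rb["process"], d["image"], d["status"]))
    return alerts
```

The process name on the 4616 event is the one that exercised SeSystemtimePrivilege, which is the natural pivot for the privilege-restriction control named above.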

BYOVD (Vulnerable Driver) has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.