Bypass Record

BYOVD (Vulnerable Driver) × BattlEye

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing BattlEye, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
BattlEye
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-07-24
Config / version noted
Not stated

Provenance

Reported as

bypass ... BattlEye (BE)

Mechanism

Uses a kernel-mode driver that reads and writes a target process's virtual memory by working directly from the CR3 register (the physical base address of that process's page tables): the driver translates the target's virtual addresses and touches physical memory itself instead of calling the documented memory-access APIs. Because the access never passes through a user-mode path, anti-cheat detection that monitors user-mode memory access does not observe it.
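To make the mechanism concrete, the following is an added example that is not from the record's cited source: a model of the x86-64 four-level page walk that turns a process's CR3 value into physical addresses. A driver with a physical-memory read/write primitive performs this walk to reach another process's memory without calling the documented APIs. The "physical memory" is a constructed in-process dictionary, the addresses and the secret are made up, and only 4 KiB mappings are created (the translator still honours 2 MiB and 1 GiB large-page entries).

```python
"""Model of the x86-64 page walk behind a CR3-based memory read primitive.
Added example, not code from the cited source; physical memory is a
constructed dictionary, addresses and data are made up."""

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
FRAME_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51 of an entry: next-level frame
PRESENT = 1 << 0
WRITABLE = 1 << 1
LARGE = 1 << 7                       # PS bit in a PDPTE (1 GiB) or PDE (2 MiB)


class PhysMem:
    """Constructed stand-in for a driver's physical read/write primitive."""

    def __init__(self):
        self.frames = {}           # frame number -> bytearray(PAGE_SIZE)
        self.next_free = 0x1000    # first frame handed out by alloc_frame()

    def alloc_frame(self):
        pa = self.next_free
        self.next_free += PAGE_SIZE
        self.frames[pa >> PAGE_SHIFT] = bytearray(PAGE_SIZE)
        return pa

    def _frame(self, pa):
        if (pa >> PAGE_SHIFT) not in self.frames:
            raise ValueError(f"unbacked physical address {pa:#x}")
        return self.frames[pa >> PAGE_SHIFT]

    def read(self, pa, n):
        """Read n bytes; callers keep a single read inside one frame."""
        off = pa & (PAGE_SIZE - 1)
        return bytes(self._frame(pa)[off:off + n])

    def write(self, pa, data):
        off = pa & (PAGE_SIZE - 1)
        self._frame(pa)[off:off + len(data)] = data

    def read_u64(self, pa):
        return int.from_bytes(self.read(pa, 8), "little")

    def write_u64(self, pa, value):
        self.write(pa, value.to_bytes(8, "little"))


def indices(va):
    """PML4, PDPT, PD and PT indices (9 bits each) of a canonical address."""
    return ((va >> 39) & 0x1FF, (va >> 30) & 0x1FF,
            (va >> 21) & 0x1FF, (va >> 12) & 0x1FF)


def translate(mem, cr3, va):
    """Walk PML4 -> PDPT -> PD -> PT; return the physical address or None."""
    table = cr3 & FRAME_MASK
    for level, idx in enumerate(indices(va)):
        entry = mem.read_u64(table + idx * 8)
        if not entry & PRESENT:
            return None
        if level == 1 and entry & LARGE:   # 1 GiB page
            return (entry & 0x000F_FFFF_C000_0000) | (va & 0x3FFF_FFFF)
        if level == 2 and entry & LARGE:   # 2 MiB page
            return (entry & 0x000F_FFFF_FFE0_0000) | (va & 0x1F_FFFF)
        table = entry & FRAME_MASK
    return table | (va & (PAGE_SIZE - 1))


def map_page(mem, cr3, va, pa):
    """Create a 4 KiB mapping va -> pa under cr3, allocating tables on demand."""
    table = cr3 & FRAME_MASK
    idxs = indices(va)
    for idx in idxs[:3]:
        slot = table + idx * 8
        entry = mem.read_u64(slot)
        if not entry & PRESENT:
            entry = mem.alloc_frame() | PRESENT | WRITABLE
            mem.write_u64(slot, entry)
        table = entry & FRAME_MASK
    mem.write_u64(table + idxs[3] * 8, (pa & FRAME_MASK) | PRESENT | WRITABLE)


def read_virtual(mem, cr3, va, n):
    """Read n bytes of another process's virtual memory given its CR3,
    re-translating at every page boundary."""
    out = bytearray()
    while n:
        pa = translate(mem, cr3, va)
        if pa is None:
            raise ValueError(f"va {va:#x} not mapped under CR3 {cr3:#x}")
        chunk = min(n, PAGE_SIZE - (va & (PAGE_SIZE - 1)))
        out += mem.read(pa, chunk)
        va += chunk
        n -= chunk
    return bytes(out)


def demo():
    """Target process with a secret straddling two pages; a second process
    whose CR3 does not map the same address."""
    mem = PhysMem()
    target_cr3 = mem.alloc_frame()
    other_cr3 = mem.alloc_frame()
    va = 0x0000_7FF6_1234_0000          # constructed user-space address
    f1, f2 = mem.alloc_frame(), mem.alloc_frame()
    map_page(mem, target_cr3, va, f1)
    map_page(mem, target_cr3, va + PAGE_SIZE, f2)
    secret = b"constructed-secret-spanning-two-pages"
    start = PAGE_SIZE - 10               # last 10 bytes of f1, rest in f2
    mem.write(f1 + start, secret[:10])
    mem.write(f2, secret[10:])
    leaked = read_virtual(mem, target_cr3, va + start, len(secret))
    unmapped = translate(mem, other_cr3, va)   # None: other address space
    return leaked, unmapped


if __name__ == "__main__":
    print(demo())
```

The point of the model is that nothing in `read_virtual` is a call into the target process or into the APIs that user-mode memory monitoring instruments; everything is derived from the CR3 value and raw physical reads, which is why detection has to happen at the driver-load layer rather than at the memory-access layer.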

Detection & mitigation

Monitor driver load events (Sysmon Event ID 6 DriverLoad; System log Event ID 7045 service installation with a kernel-mode driver type) for drivers that are unsigned or not previously seen, and enforce driver signing policies. Note that a BYOVD driver is validly signed by definition, so filtering on unsigned loads alone will not catch it: compare loaded driver hashes against a known-vulnerable-driver blocklist (Microsoft's recommended driver block rules, applied through WDAC or enforced by HVCI, are the usual baseline) and treat any newly seen signed driver, especially one loaded from a user-writable path, as suspect. Restrict kernel driver installation to authorized administrators only.
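As an added example of the detection logic above (not drawn from the cited source), the script below triages driver-load telemetry. Event field names follow Sysmon Event ID 6 and System log Event ID 7045; the events, file names and SHA-256 values are constructed test data rather than real drivers, and the baseline and blocklist sets are hypothetical stand-ins for an organisation's vetted-driver inventory and a published vulnerable-driver hash list.

```python
"""Triage of Windows driver-load events for BYOVD indicators.
Added example; all events, hashes and paths below are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_hashes(field):
    """Sysmon 'Hashes' field: 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' -> dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def triage(events, baseline_sha256, blocklist_sha256):
    """Return findings for each event, in event order.

    Rules:
      known-vulnerable-driver        hash appears on the vulnerable-driver list
      unsigned-or-invalid-signature  Signed != true or SignatureStatus != Valid
      newly-seen-signed-driver       validly signed but hash not in the baseline
                                     (BYOVD drivers are signed, so this matters)
      kernel-driver-service-installed  7045 installing a kernel-mode driver
    """
    baseline = {h.upper() for h in baseline_sha256}
    blocklist = {h.upper() for h in blocklist_sha256}
    findings = []
    for ev in events:
        if ev.get("EventID") == 6:                       # Sysmon DriverLoad
            image = ev.get("ImageLoaded", "")
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256", "")
            if sha256 and sha256 in blocklist:
                findings.append(Finding("known-vulnerable-driver", image, sha256))
            signed_ok = (ev.get("Signed", "").lower() == "true"
                         and ev.get("SignatureStatus") == "Valid")
            if not signed_ok:
                findings.append(Finding("unsigned-or-invalid-signature", image,
                                        ev.get("SignatureStatus", "")))
            elif sha256 not in baseline:
                findings.append(Finding("newly-seen-signed-driver", image,
                                        ev.get("Signature", "")))
        elif ev.get("EventID") == 7045:                  # service installed
            if "kernel mode driver" in ev.get("ServiceType", "").lower():
                findings.append(Finding("kernel-driver-service-installed",
                                        ev.get("ImagePath", ""),
                                        ev.get("ServiceName", "")))
    return findings


# Constructed sample telemetry: one vetted Microsoft driver, one signed
# third-party driver loaded from a user-writable path, one unsigned driver,
# and the 7045 events that accompany service installation.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv\vulnvendor.sys",
     "Hashes": "SHA256=" + "22" * 32, "Signed": "true",
     "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Temp\loader.sys",
     "Hashes": "SHA256=" + "33" * 32, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7045, "ServiceName": "vulnvendor",
     "ImagePath": r"C:\Users\Public\drv\vulnvendor.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "ServiceName": "Updater",
     "ImagePath": r"C:\Program Files\Example\updater.exe",
     "ServiceType": "user mode service"},
]
BASELINE_SHA256 = {"11" * 32}     # hypothetical: drivers already vetted
BLOCKLIST_SHA256 = {"22" * 32}    # hypothetical: vulnerable-driver hash list


def run_sample():
    return triage(SAMPLE_EVENTS, BASELINE_SHA256, BLOCKLIST_SHA256)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:32} {f.image}  {f.detail}")
```

In production the baseline would be built from a clean inventory of each host's drivers and the blocklist from a maintained vulnerable-driver list; the important design point is that the signed-but-unknown driver from a user-writable path raises a finding even when its hash is not yet on any list.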

BYOVD (Vulnerable Driver) has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.