Bypass Record

BYOVD (Vulnerable Driver) × Zemana AntiLogger v2.74.204.664

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Zemana AntiLogger v2.74.204.664, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Zemana AntiLogger v2.74.204.664
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-03-14
Config / version noted: Not stated

Provenance

Reported as

CVE-2024-1853 is a denial-of-service vulnerability in Zemana AntiLogger v2.74.204.664... allowing a local low-privilege attacker to terminate arbitrary processes

Mechanism

The kernel drivers fail to verify caller privileges or target process ownership when handling IOCTL 0x80002048. A local attacker opens a handle to the driver and sends a request specifying a target process ID, causing the driver to terminate that process without authorization checks.

Detection & mitigation

Monitor for loading of known vulnerable drivers (e.g., zam64.sys, zamguard64.sys) via Sysmon Event ID 6 (driver loaded) or EDR telemetry, and block their execution using WDAC or driver block rules. Investigate any unexpected process termination events (Windows Event ID 4689) correlated with driver load events.
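As an added example (not from the cited source and not part of any Zemana or Sysmon tooling), the following Python sketch runs the correlation described above over a few constructed event records: Sysmon Event ID 6 driver loads are matched against the driver names named in this record, and any Security Event ID 4689 process exit on the same host within a short window afterwards is flagged. The event field names, the 10-minute window and the sample events themselves are assumptions chosen to keep the script self-contained.

```python
"""Correlate vulnerable-driver loads (Sysmon 6) with later process exits (4689).

Constructed example: the records below are hand-written stand-ins for
Sysmon Event ID 6 (driver loaded) and Windows Security Event ID 4689
(process exited), reduced to the fields this check needs. Field names,
timestamps and hosts are assumptions, not real telemetry.
"""
from datetime import datetime, timedelta

# Driver image names cited in this record.
VULNERABLE_DRIVERS = {"zam64.sys", "zamguard64.sys"}

# Assumed correlation window: exits this soon after a suspicious driver
# load on the same host are flagged for investigation.
WINDOW = timedelta(minutes=10)

# Constructed sample events (not real logs).
EVENTS = [
    {"ts": "2024-03-14T10:00:00", "source": "sysmon", "event_id": 6,
     "host": "ws01", "image": r"C:\Windows\Temp\zam64.sys"},
    {"ts": "2024-03-14T10:03:20", "source": "security", "event_id": 4689,
     "host": "ws01", "process": r"C:\Program Files\EDR\sensor.exe", "pid": 4312},
    {"ts": "2024-03-14T10:04:05", "source": "security", "event_id": 4689,
     "host": "ws01", "process": r"C:\Windows\System32\notepad.exe", "pid": 7788},
    # Benign baseline on another host: a normal driver load followed by an exit.
    {"ts": "2024-03-14T09:00:00", "source": "sysmon", "event_id": 6,
     "host": "ws02", "image": r"C:\Windows\System32\drivers\disk.sys"},
    {"ts": "2024-03-14T09:02:00", "source": "security", "event_id": 4689,
     "host": "ws02", "process": r"C:\Windows\System32\cmd.exe", "pid": 1234},
]


def driver_basename(image: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def vulnerable_driver_loads(events):
    """Sysmon Event ID 6 records whose image name is a known vulnerable driver."""
    return [e for e in events
            if e["source"] == "sysmon" and e["event_id"] == 6
            and driver_basename(e["image"]) in VULNERABLE_DRIVERS]


def correlate(events, window=WINDOW):
    """Return one alert dict per (vulnerable load, later 4689 exit) pair.

    A 4689 exit on the same host that occurs at or after the driver load and
    no later than `window` after it is treated as worth investigating.
    """
    hits = []
    for load in vulnerable_driver_loads(events):
        t_load = datetime.fromisoformat(load["ts"])
        for e in events:
            if e["source"] != "security" or e["event_id"] != 4689:
                continue
            if e["host"] != load["host"]:
                continue
            delta = datetime.fromisoformat(e["ts"]) - t_load
            if timedelta(0) <= delta <= window:
                hits.append({
                    "host": load["host"],
                    "driver": driver_basename(load["image"]),
                    "driver_loaded_at": load["ts"],
                    "process": e["process"],
                    "pid": e["pid"],
                    "terminated_at": e["ts"],
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(f"[ALERT] {hit['host']}: {hit['driver']} loaded at "
              f"{hit['driver_loaded_at']}; {hit['process']} (pid {hit['pid']}) "
              f"exited at {hit['terminated_at']}")
```

In a real pipeline the same logic would sit in a SIEM correlation rule keyed on the driver file name (and ideally its hash) rather than on a Python list, and a WDAC or driver block rule would prevent the load in the first place so that the correlation only fires on policy gaps.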

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.