Bypass Record

BYOVD (Vulnerable Driver) × Microsoft WatchDog Antimalware driver

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft WatchDog Antimalware driver, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft WatchDog Antimalware driver
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: in the wild
Disclosed: 2025-08-28
Config / version noted: Not stated

Provenance

Reported as

exploiting a previously unknown vulnerable Microsoft-signed WatchDog Antimalware driver to terminate protected endpoint processes

Mechanism

The attackers leverage a vulnerable Microsoft-signed WatchDog Antimalware driver (BYOVD) to gain kernel-level access and terminate protected processes, including those of EDR/AV solutions. A dual-driver approach ensures compatibility across Windows versions. After vendor patching, the attackers modified the driver to evade blocklists while retaining its valid signature, allowing continued abuse.

Detection & mitigation

Monitor for unexpected driver loads (Sysmon Event ID 6) and process termination events targeting security products. Enforce strict driver signing policies via WDAC to block unapproved drivers even if signed, and hunt for anomalies in kernel-level behavior.
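Added example, not code from the cited report: a small triage routine over Sysmon Event ID 6 "Driver loaded" records that applies a (signer, directory) allowlist alongside a hash blocklist, because a modified build of a vulnerable driver keeps its valid signature but carries a hash no blocklist has seen. The sample events, file names, signer strings, hashes and the allowlist policy are all constructed placeholders.

```python
# Added example (not from the report): allowlist-based triage of Sysmon
# Event ID 6 records, so a re-hashed but still validly signed driver is caught.
import ntpath
import re

# Constructed sample events in Sysmon's text rendering. File names, signer
# strings and hashes are placeholders, not the driver the report describes.
SAMPLE_EVENTS = """\
Driver loaded:
ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys
Hashes: SHA256=AAAA1111
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
ImageLoaded: C:\\Users\\Public\\placeholder_av.sys
Hashes: SHA256=BBBB2222
Signature: Placeholder Signer
SignatureStatus: Valid

Driver loaded:
ImageLoaded: C:\\Users\\Public\\placeholder_av.sys
Hashes: SHA256=CCCC3333
Signature: Placeholder Signer
SignatureStatus: Valid
"""

BLOCKLISTED_SHA256 = {"BBBB2222"}  # hash of the build blocked after patching (placeholder)
ALLOWED = {("Microsoft Windows", "C:\\Windows\\System32\\drivers")}  # hypothetical host policy

def parse_events(text):
    # One dict of field -> value per event; the first line is the event title.
    chunks = re.split(r"\n\s*\n", text.strip())
    return [dict(l.split(": ", 1) for l in c.splitlines()[1:]) for c in chunks]

def sha256_of(ev):
    return dict(h.split("=", 1) for h in ev["Hashes"].split(",")).get("SHA256", "")

def triage(ev):
    # Returns the findings for one record; an empty list means nothing to flag.
    findings = []
    if ev.get("SignatureStatus") != "Valid":
        findings.append("invalid or missing signature")
    if sha256_of(ev) in BLOCKLISTED_SHA256:
        findings.append("blocklisted hash")
    if (ev.get("Signature"), ntpath.dirname(ev["ImageLoaded"])) not in ALLOWED:
        findings.append("signed driver outside allowlist")  # also catches re-hashed builds
    return findings

def run(text=SAMPLE_EVENTS):
    return [(ev["ImageLoaded"], sha256_of(ev), triage(ev)) for ev in parse_events(text)]
```

The third sample event is the modified build: its hash misses the blocklist, but the allowlist check still flags it.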

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.