Full Report
A new analysis of endpoint detection and response (EDR) killers has revealed that 54 of them leverage a technique known as bring your own vulnerable driver (BYOVD) by abusing a total of 34 vulnerable drivers. EDR killer programs have been a common presence in ransomware intrusions as they offer a way for affiliates to neutralize security software before deploying file-encrypting malware. This
Analysis Summary
# Tool/Technique: Bring Your Own Vulnerable Driver (BYOVD) / EDR Killers
## Overview
EDR Killers are specialized tools used by threat actors to neutralize, disable, or bypass Endpoint Detection and Response (EDR) and antivirus software. The primary method used by these tools is **Bring Your Own Vulnerable Driver (BYOVD)**, which involves deploying a legitimate, digitally signed third-party driver that contains a known security flaw. This flaw is then exploited to gain kernel-mode (Ring 0) execution, allowing the attacker to tamper with security processes that are otherwise protected by the operating system.
## Technical Details
- **Type**: Technique (BYOVD) and Malware/Tool category (EDR Killers)
- **Platform**: Windows. The kernel loads any third-party driver that carries a valid signature, so a signed but vulnerable driver passes Driver Signature Enforcement and can be installed with nothing more than local administrator rights.
- **Capabilities**: Kernel privilege escalation, process termination, service deletion, tampering with kernel callbacks, and evasion of security monitoring.
- **First Seen**: Ongoing; reported in high volume as of March 2026 analysis.
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
- [T1027 - Obfuscated Files or Information]
- **[TA0004 - Privilege Escalation]**
- [T1068 - Exploitation for Privilege Escalation]
- **[TA0003 - Persistence]**
- [T1543.003 - Create or Modify System Process: Windows Service]
## Functionality
### Core Capabilities
- **Kernel Access (Ring 0)**: Loads a legitimately signed driver, so Windows Driver Signature Enforcement (DSE) is satisfied rather than bypassed; the driver's flaw (typically an IOCTL exposing arbitrary physical or virtual memory read/write) then gives the attacker kernel-level access. Some killers use that primitive to disable DSE afterwards so that an unsigned second-stage driver can be loaded.
- **Security Neutralization**: Terminates protected processes and stops services related to EDR and AV solutions.
- **Privilege Escalation**: Elevates the attacker's context from user-mode to kernel-mode.
### Advanced Features
- **Kernel Callback Tampering**: Modifies kernel-level notifications that EDRs use to monitor process creation and file operations.
- **Safe Mode Abuse**: Forces a reboot into Safe Mode (with or without networking), where most EDR and AV drivers are not loaded, and runs the malicious payload from there.
- **Driverless Silencing**: Using built-in Windows features (like Windows Filtering Platform) to block EDR communication with its cloud console (e.g., EDRSilencer).
## Indicators of Compromise
- **Tool Names** (the on-disk file names vary between intrusions): SmilingKiller, TfSysMon-Killer, DemoKiller, ABYSSWORKER, CardSpaceKiller, EDRSilencer, EDR-Freeze.
- **Behavioral Indicators**:
- Loading of known vulnerable drivers (e.g., old versions of Capcom, Micro-Star, or Gigabyte drivers).
- Use of `taskkill`, `net stop`, or `sc delete` on security-related service names.
- Unexpected system reboots followed by administrative activity.
- Unauthorized modification of `HKLM\SYSTEM\CurrentControlSet\Services`.
## Associated Threat Actors
- **Ransomware Groups**: DeadLock, Warlock, Medusa.
- **RaaS Affiliates**: Various affiliates using toolkits like Shanya PaaS.
- **Malware Developers**: Developers of "SmilingKiller" and "CardSpaceKiller" sold on underground forums.
## Detection Methods
- **Signature-based detection**: Maintaining a blocklist of known vulnerable driver hashes (SHA256).
- **Behavioral detection**:
- Monitoring driver loads (Sysmon Event ID 6, System log Event ID 7045 / Security log 4697 for the service that registers the driver) and flagging drivers loaded from user-writable paths, signed by uncommon vendors, or matching a known-vulnerable hash. Filtering on the calling process alone is weak: a driver started through the Service Control Manager is loaded by `services.exe`, so the `NtLoadDriver`/`ZwLoadDriver` call does not originate from the attacker's process.
- Detecting the unhooking of system APIs or modifications to kernel callbacks.
- **YARA rules**: Focus on identifying common BYOVD exploit patterns and the presence of embedded drivers within executables.
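The behavioral indicators listed above and the detection methods in this section are straightforward to express as triage logic over endpoint telemetry. The following is an added example, not code from the report or from any of the tools it names: it scores Sysmon-style Event ID 6 (driver loaded) and Event ID 1 (process creation) records against a hash blocklist, a set of unexpected load paths, and the `sc`/`net stop`/`taskkill` patterns used against security services. The event records, the SHA256 blocklist values and the service-name hints are all constructed for the example and must be replaced with real blocklist data and the service names actually deployed in the environment.

```python
import re

# Constructed blocklist of flat SHA256 file hashes. These placeholder values are
# NOT hashes of real drivers; load a curated list of known-vulnerable driver
# hashes here. Note that Sysmon reports flat file hashes, while the Microsoft
# driver blocklist is expressed as Authenticode hashes and signer/version rules,
# so the two sources are not interchangeable without conversion.
BLOCKED_SHA256 = {
    "1" * 64: "constructed vulnerable-driver entry A",
    "2" * 64: "constructed vulnerable-driver entry B",
}

# Substrings of service or process names belonging to security products.
# Constructed for the example; use the exact names present in your estate.
SECURITY_SERVICE_HINTS = (
    "sense", "defend", "falcon", "csagent", "sentinel", "carbonblack", "sophos", "cylance",
)

# Directories a legitimately installed driver is not expected to load from.
SUSPICIOUS_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\downloads\\")

# Command-line shapes used to stop, delete or kill security services and processes.
STOP_PATTERNS = (
    re.compile(r'\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+(\S+)', re.I),
    re.compile(r'\bnet(?:1|\.exe)?\s+stop\s+"?([^"\s]+)', re.I),
    re.compile(r'\btaskkill(?:\.exe)?\s+.*?/im\s+(\S+)', re.I),
)


def parse_hashes(hashes_field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' string into a dict keyed by algorithm."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def triage_driver_load(evt):
    """Reasons a Sysmon Event ID 6 record looks like a BYOVD driver load.

    A BYOVD driver is usually validly signed, so the hash and load-path checks
    carry most of the weight; the signature checks catch the unsigned second
    stage that some killers load after disabling DSE.
    """
    reasons = []
    sha256 = parse_hashes(evt.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKED_SHA256:
        reasons.append(f"blocklisted driver hash ({BLOCKED_SHA256[sha256]})")
    image = evt.get("ImageLoaded", "").lower()
    if any(d in image for d in SUSPICIOUS_DIRS):
        reasons.append("driver loaded from a user-writable directory")
    if evt.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    elif evt.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"signature status {evt.get('SignatureStatus')}")
    return reasons


def triage_process_create(evt):
    """Reasons a Sysmon Event ID 1 record looks like an attempt to disable security tooling."""
    reasons = []
    cmd = evt.get("CommandLine", "")
    for pat in STOP_PATTERNS:
        m = pat.search(cmd)
        if m and any(h in m.group(1).lower() for h in SECURITY_SERVICE_HINTS):
            reasons.append(f"attempt to stop/remove security service or process '{m.group(1)}'")
    return reasons


def triage(events):
    """Run the per-event checks and return only the records that produced findings."""
    findings = []
    for evt in events:
        eid = evt.get("EventID")
        if eid == 6:
            reasons = triage_driver_load(evt)
        elif eid == 1:
            reasons = triage_process_create(evt)
        else:
            reasons = []
        if reasons:
            findings.append({
                "EventID": eid,
                "subject": evt.get("ImageLoaded") or evt.get("CommandLine"),
                "reasons": reasons,
            })
    return findings


# Constructed sample telemetry (not real events): one benign driver load, one
# suspicious driver load, three service-tampering commands and one benign command.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "ab" * 32, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\tmp\\vendorsvc.sys",
     "Hashes": "SHA1=" + "cd" * 20 + ",SHA256=" + "1" * 64, "Signed": "true",
     "Signature": "Constructed Vendor Co.", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c sc delete SentinelAgent"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": 'net stop "Sophos Endpoint Defense Service"'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\taskkill.exe",
     "CommandLine": "taskkill /f /im MsSense.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net stop Spooler"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["EventID"], f["subject"], "->", "; ".join(f["reasons"]))
```

The driver check deliberately reports every matching reason rather than stopping at the first, so an analyst sees both the hash match and the unusual load path in the same finding; in production the hash list and the path heuristics should also be run over Event ID 11 (file creation) for `.sys` files, which fires before the driver is ever loaded.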
## Mitigation Strategies
- **Microsoft Vulnerable Driver Blocklist**: Keep the Windows driver blocklist enabled (it is on by default from Windows 11 22H2 and whenever HVCI or Smart App Control is enabled). The built-in copy is refreshed with major Windows releases, so for faster coverage deploy Microsoft's latest recommended driver block rules as a WDAC policy yourself and supplement it with hashes of drivers observed in current campaigns.
- **HVCI (Hypervisor-Protected Code Integrity)**: Enable Memory Integrity (HVCI) so that unsigned or non-compliant code cannot execute in the kernel, which blocks the unsigned second-stage drivers and in-memory code patches some killers rely on. HVCI alone does not stop a validly signed vulnerable driver that is absent from the blocklist from loading, so it complements the blocklist rather than replacing it.
- **Least Privilege**: Prevent local administrative accounts from being used by standard users, as admin rights are typically required to load a driver.
- **Driver Signing Policy**: Enforce strict driver signing requirements and audit the loading of any unsigned or "old" signed drivers.
## Related Tools/Techniques
- **Rootkits**: Conventional rootkits used for stealth.
- **Legitimate Admin Tools**: GMER, PC Hunter, and HRSword (abused for process termination).
- **EDRSilencer**: A driverless tool that uses the Windows Filtering Platform to "mute" EDR telemetry.