Bring Your Own Vulnerable Driver (BYOVD) has gone from a niche tactic to a standard part of the ransomware playbook, and Windows' own kernel hardening does little to stop it.
# Tool/Technique: Bring Your Own Vulnerable Driver (BYOVD)
## Overview
Bring Your Own Vulnerable Driver (BYOVD) is a defense evasion technique where an attacker, possessing administrator privileges, installs a legitimate but vulnerable third-party kernel driver on a target Windows system. By exploiting known flaws in these signed drivers, attackers execute malicious code at the kernel level (Ring 0). This allows them to bypass Windows kernel hardening, disable security software (AV/EDR), and operate with unrestricted system access.
## Technical Details
- **Type**: Technique (Defense Evasion / Privilege Escalation)
- **Platform**: Windows (Kernel Mode)
- **Capabilities**: Terminating protected processes, "blinding" EDRs by removing callbacks, stripping process handles, and bypassing Protected Process Light (PPL).
- **First Seen**: Historically niche; evolved into a commoditized "epidemic" in the ransomware landscape (c. 2021–2024).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information**
- **T1562.001 - Impair Defenses: Disable or Modify Tools**
- **TA0004 - Privilege Escalation**
- **T1068 - Exploitation for Privilege Escalation**
## Functionality
### Core Capabilities
- **Kernel Access**: Leverages the "trust" Windows grants to digitally signed drivers to load code into kernel space.
- **Security Software Termination**: Uses the driver to kill processes protected by Protected Process Light (PPL) that cannot be stopped by user-mode administrators.
- **Process Suspension**: Instead of killing, attackers suspend security processes to avoid triggering "restart logic" or watchdog services.
### Advanced Features
- **EDR Blinding**: Tampering with internal kernel records to remove notifications/callbacks, preventing security products from seeing system events.
- **Handle Stripping**: Removing the rights/access tokens from a security agent, leaving it running but incapable of performing its duties.
- **IOCTL Abuse**: Sending specific Input/Output Control commands to the driver to force it to perform privileged actions on behalf of the attacker.
## Indicators of Compromise
- **File Names**: `truesight.sys` (associated with TrueSightKiller), `PROCEXP152.sys` (outdated Process Explorer driver).
- **Behavioral Indicators**:
  - Creation of a new service to load a known vulnerable driver.
  - Unexpected IOCTL traffic aimed at process termination or callback removal.
  - Administrative actions followed by the sudden cessation of security telemetry.
  - Enumeration of running processes specifically targeting security software strings.
## Associated Threat Actors
- Various **Ransomware-as-a-Service (RaaS)** affiliates.
- **Poortry** developers (linked to "Burnt Cigar").
- Advanced Persistent Threat (APT) groups using these techniques for stealthy persistence.
## Attack Tools and Frameworks
- **TrueSightKiller**: Publicly available tool leveraging `truesight.sys`.
- **GhostDriver**: Publicly available tool for kernel-level process killing.
- **AuKill**: Abuses outdated Microsoft Process Explorer drivers.
- **Poortry / Burnt Cigar**: A malicious driver successfully signed with a legitimate certificate.
## Detection Methods
- **Behavioral Detection**: Monitoring for anomalous IOCTL commands (e.g., process termination requests) directed at security products regardless of which driver is used.
- **Signature-based**: Blocking known hashes of vulnerable drivers (though this is often bypassed by minor code changes or by re-compiling the tooling in Rust/Go).
- **Service Monitoring**: Flagging the installation of non-standard drivers by administrative users.
## Mitigation Strategies
- **Driver Blocklisting**: Enable and keep current the Microsoft vulnerable driver blocklist, enforced through HVCI/VBS.
- **Hardening**: Restrict Administrative privileges to prevent the installation of new services/drivers.
- **Behavioral EDR Settings**: Enable specific protections that monitor kernel callback tampering and handle stripping.
- **Audit Logs**: Monitor Event ID 7045 in the System log ("A service was installed in the system") for new kernel-mode driver installations.
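As an added illustration of the Event ID 7045 check above (example code, not from the original report or any vendor tool), the following parses the message body of a 7045 event, ignores user-mode services, and flags kernel-mode driver installs whose image is one of the driver names listed under Indicators of Compromise or sits outside the normal driver store. The sample events are constructed, and the driver-store path patterns are an assumption about typical 7045 spellings.

```python
import re

# Driver file names this page lists as indicators (extend with a full blocklist).
KNOWN_VULNERABLE_DRIVERS = {"truesight.sys", "procexp152.sys"}

# Assumed driver-store spellings seen in 7045 events:
# \SystemRoot\System32\drivers\x.sys, System32\drivers\x.sys, C:\Windows\System32\drivers\x.sys, \??\C:\...
DRIVER_STORE = re.compile(r"^(\\\?\?\\)?(\\systemroot\\|[a-z]:\\windows\\)?system32\\drivers\\", re.IGNORECASE)

# Labelled lines in the Event ID 7045 message body ("Service Name: ...", etc.).
FIELD = re.compile(r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):[ \t]*(.*)$",
                   re.IGNORECASE | re.MULTILINE)

def parse_7045(message):
    """Split a System-log Event ID 7045 message body into its labelled fields."""
    return {k.lower(): v.strip() for k, v in FIELD.findall(message)}

def assess_7045(message):
    """Return the reasons a 7045 event looks like a BYOVD driver load (empty list = nothing flagged)."""
    f = parse_7045(message)
    if "kernel mode driver" not in f.get("service type", "").lower():
        return []  # user-mode services are outside this check
    path = f.get("service file name", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {name}")
    if not DRIVER_STORE.match(path):
        reasons.append(f"driver image outside the driver store: {path}")
    return reasons

def scan(events):
    """Map service name -> reasons for every flagged event in an iterable of 7045 message bodies."""
    flagged = {}
    for msg in events:
        reasons = assess_7045(msg)
        if reasons:
            flagged[parse_7045(msg).get("service name", "?")] = reasons
    return flagged

def _event(name, path, kind):
    # Builds a message body in the layout the Service Control Manager writes for Event ID 7045.
    return (f"A service was installed in the system.\r\n\r\nService Name: {name}\r\n"
            f"Service File Name: {path}\r\nService Type: {kind}\r\n"
            f"Service Start Type: demand start\r\nService Account: \r\n")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _event("TrueSight", r"C:\Users\Public\truesight.sys", "kernel mode driver"),
    _event("PROCEXP152", r"\??\C:\Windows\System32\drivers\PROCEXP152.sys", "kernel mode driver"),
    _event("vendorfilter", r"\SystemRoot\System32\drivers\vendorfilter.sys", "kernel mode driver"),
    _event("UpdaterSvc", r"C:\Program Files\Example\updater.exe", "user mode service"),
]

if __name__ == "__main__":
    for svc, why in scan(SAMPLE_EVENTS).items():
        print(svc, "->", "; ".join(why))
```

In production the message bodies would come from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` or a SIEM export rather than the constructed list.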
## Related Tools/Techniques
- **Rootkits**: High-level persistence tools that also operate in kernel mode.
- **PPL-Killer**: Tools specifically designed to bypass Protected Process Light.
- **Driver Signature Enforcement (DSE) Bypasses**: Techniques used to load unsigned drivers (though BYOVD circumvents the need for this by using signed drivers).