BYOVD (Bring Your Own Vulnerable Driver)
What is BYOVD (Bring Your Own Vulnerable Driver)?
An attack technique where adversaries load a legitimately signed but vulnerable kernel driver, then exploit its flaw to gain kernel-level access and disable security tools.
Bring Your Own Vulnerable Driver (BYOVD) is a defense-evasion and privilege-escalation technique in which an attacker deploys a legitimately code-signed but vulnerable kernel-mode driver onto a target system and abuses its flaw to execute code or read and write memory in the kernel. Because the driver carries a valid digital signature, it loads even on systems enforcing Driver Signature Enforcement, giving the adversary ring-0 privileges that user-mode controls cannot stop. Note that loading a driver already requires administrator rights (the SeLoadDriverPrivilege), so BYOVD is an admin-to-kernel escalation rather than a way for an ordinary user to gain admin. From the kernel, attackers commonly terminate or blind endpoint protection (for example by removing the kernel callbacks EDR relies on or stripping protection from its processes), install rootkits, or tamper with logging. Defenses include Microsoft's vulnerable driver blocklist, Hypervisor-Protected Code Integrity (HVCI), and the attack-surface-reduction rule "Block abuse of exploited vulnerable signed drivers"; the community LOLDrivers project catalogs known-vulnerable drivers and their hashes.
● Examples
- 01
The RobbinHood ransomware abused a vulnerable signed Gigabyte motherboard driver to turn off kernel code-signing checks, load its own unsigned driver, and kill antivirus processes from the kernel before encrypting files.
- 02
Microsoft ships a recommended driver block list, and the LOLDrivers project catalogs signed drivers commonly exploited in BYOVD attacks.
● Frequently asked questions
What is BYOVD (Bring Your Own Vulnerable Driver)?
An attack technique where adversaries load a legitimately signed but vulnerable kernel driver, then exploit its flaw to gain kernel-level access and disable security tools. It belongs to the Attacks & Threats category of cybersecurity.
What does BYOVD (Bring Your Own Vulnerable Driver) mean?
An attack technique where adversaries load a legitimately signed but vulnerable kernel driver, then exploit its flaw to gain kernel-level access and disable security tools.
How does BYOVD (Bring Your Own Vulnerable Driver) work?
The attack chain has four stages. First, the attacker obtains administrator rights on the host, which are required to load any driver. Second, they drop a legitimately signed driver with a known flaw, typically an IOCTL handler that lets any caller read or write arbitrary kernel memory or invoke kernel functions, and register it as a kernel service; because the signature is valid, Driver Signature Enforcement lets it load. Third, from user mode they open the driver's device object and send the vulnerable IOCTL to patch kernel state: removing the callbacks that endpoint protection uses to observe process and file activity, clearing process protection on the security product, or disabling code-integrity checks so an unsigned driver can follow. Fourth, with defenses blinded, the real payload (ransomware, rootkit, credential theft) runs unimpeded. The controls that break this chain are the vulnerable driver blocklist, which refuses to load known-bad drivers by hash or signer, HVCI, which enforces kernel code integrity from the hypervisor and applies that blocklist, and the corresponding attack-surface-reduction rule; the LOLDrivers project catalogs the drivers these controls should cover.
How do you defend against BYOVD (Bring Your Own Vulnerable Driver)?
Enable HVCI (Core isolation > Memory integrity) so that kernel code integrity is enforced from the hypervisor and the Microsoft vulnerable driver blocklist is applied; on builds before Windows 11 22H2 the blocklist is only enforced when HVCI or Smart App Control is on, so check rather than assume. Enforce the Defender attack-surface-reduction rule "Block abuse of exploited vulnerable signed drivers" in block mode, not audit. Restrict local administrator rights, since driver loading requires them. Operationally, inventory the kernel drivers loaded across the fleet, compare their hashes and signers against the LOLDrivers catalog, and alert on new kernel-mode driver service installations, which the Service Control Manager records as event 7045. Treat a valid Authenticode signature as no evidence of safety: the driver being signed is the premise of the attack.
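The following PowerShell script is an added example for this entry, not code from the original page or from any product it names. It turns the defensive checks above (HVCI state, the ASR rule, recent kernel-driver service installs, and a signed-driver inventory with hashes) into one posture check for a single Windows host, and it also illustrates the driver-registration step from the "how does it work" answer by reading event 7045. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender; all cmdlets and WMI classes used are built in. The only thing you must supply is the hash list, which is left as an empty placeholder to be filled from LOLDrivers.

```powershell
# Added example, not from the original page: a BYOVD posture check for one
# Windows host. Run in an elevated PowerShell session (Windows 10/11 with
# Microsoft Defender). Everything it reads comes from built-in cmdlets and WMI
# classes; only $KnownVulnerableSha256 is a placeholder you fill in yourself.

# Placeholder list of SHA-256 hashes of drivers you consider known-vulnerable.
# Populate it from the LOLDrivers data set (https://www.loldrivers.io/); the
# values are deliberately not included here.
$KnownVulnerableSha256 = @()

# 1. Is HVCI (Hypervisor-Protected Code Integrity) actually running?
#    Win32_DeviceGuard lists running services as integers: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = @($dg.SecurityServicesRunning) -contains 2
Write-Output "HVCI running: $hvciRunning"

# 2. Is the Defender ASR rule "Block abuse of exploited vulnerable signed drivers" enforced?
#    Rule GUID 56a863a9-875e-4185-98a7-b882c64b5ce5; action 1 = Block, 2 = Audit, 6 = Warn, 0 = Off.
$asrRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'
$mp  = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids)
$asrState = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $asrRuleId) { $asrState = $mp.AttackSurfaceReductionRules_Actions[$i]; break }
}
Write-Output "ASR vulnerable-driver rule action: $asrState"

# 3. Recent kernel-driver service installs. BYOVD tooling registers the dropped
#    driver as a service, which the Service Control Manager logs as event 7045.
Write-Output "Recent kernel-mode driver service installs (System log, event 7045):"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..3] -join ' | ' } }

# 4. Inventory running kernel drivers with signer and SHA-256, flagging any whose
#    hash is on the list above. A valid Authenticode signature is NOT evidence of
#    safety here: that is the whole point of BYOVD.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths WMI sometimes returns (\??\C:\... or \SystemRoot\...).
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256 = $hash
            Flag   = if ($KnownVulnerableSha256 -contains $hash) { 'KNOWN-VULNERABLE' } else { '' }
        }
    } | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Read the output in order: if HVCI is not running and the ASR rule is not in block mode (action 1), the blocklist is not protecting the host regardless of what the inventory shows. Entries in the 7045 list that were installed outside a change window, or that point at a driver sitting in a user-writable directory such as a temp folder, deserve the same scrutiny as a hash match.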
What are other names for BYOVD (Bring Your Own Vulnerable Driver)?
Common alternative names include: Bring Your Own Vulnerable Driver, vulnerable driver abuse.
● Related terms
- malware
Rootkit
Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.
- defense-ops
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- vulnerabilities
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
- cryptography
Digital Signature
A public-key cryptographic mechanism that proves the authenticity, integrity and non-repudiation of a message or document.
- attacks
Living off the Land
An attacker tradecraft style that abuses legitimate, pre-installed tools and scripts on a victim system instead of dropping custom malware.
- defense-ops
Defense Evasion
The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.