Bring Your Own Vulnerable Driver (BYOVD)
MITRE ATT&CK™ Exploitation for Privilege Escalation - Technique T1068
Last updated
Was this helpful?
MITRE ATT&CK™ Exploitation for Privilege Escalation - Technique T1068
Last updated
Was this helpful?
As a security mechanism, Windows by default employs a feature called that ensures kernel-mode drivers have been signed by a valid code signing authority before Windows will permit them to run.
However, we may bring a signed vulnerable driver onto a compromised machine so that we can exploit the vulnerability to execute code in kernel mode.
That technique requires administrative privileges on the target.
Gaining kernel-mode access through vulnerable drivers exploit enables a bypass, allowing the termination of processes, such as EDR or AV tools.
is a tool capable of killing antimalware protected processes by leveraging sysinternals’ driver ().
is a vulnerable driver from Rogue Anti-Malware Driver 3.3. It can be abuse to kill a PPL process
is a C# AV/EDR Killer that exploit the truesight.sys driver. To exploit, first load and start the driver:
is a CPP AV/EDR Killer that exploit the truesight.sys driver. To exploit, you need to have the truesight.sys driver located at the same location as the executable.
terminate all EDR/XDR/AVs processes by abusing the driver. To exploit, place the driver Terminator.sys in the same path as the executable
A callout driver implements one or more . Callouts extend the capabilities of the by processing TCP/IP-based network data in ways that are beyond the scope of the simple filtering functionality. By exploiting such driver we can block outbound traffic from EDR processes.
leverages a legitimate WFP callout driver, , to effectively silence EDR systems. This project focuses on network-based evasion techniques.
is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
is a tool designed to load a vulnerable driver by abusing lesser-known NTFS techniques. These method bypass the registration of a Driver Service on the system by hijacking an existing service, and also spoof the image path presented in the Driver Load event. To further masquerade the presence of a vulnerable driver, the attack also abuses an Emulated Filesystem Read-Only bypass to swap the content of a driver file on a mounted ISO before loading it.