BYOVD Explained: How Attackers Use Vulnerable Drivers to Bypass Endpoint Security

Feb 08, 2026

Modern endpoint protection tools, such as antivirus (AV) and Endpoint Detection and Response (EDR), are designed to stop sophisticated malware. Yet attackers have found a reliable way to neutralize these defenses without exploiting zero-day vulnerabilities or writing complex kernel malware.

This technique is called BYOVD: Bring Your Own Vulnerable Driver.

BYOVD attacks abuse legitimate, digitally signed but vulnerable kernel drivers to gain kernel-level control. This allows attackers to disable security products, evade detection, and prepare systems for ransomware or data theft.

This blog post explains:

What BYOVD is
Why it works
How attackers load vulnerable drivers
What attackers do once the driver is loaded
Why this threat is growing
How organizations can defend against it

What Is BYOVD (Bring Your Own Vulnerable Driver)?

BYOVD is an attack technique where adversaries:

Bring a legitimate but vulnerable kernel driver to a target system
Load it into the operating system
Abuse its flaws to perform privileged kernel-mode actions

Unlike traditional malware:

The driver is real software, not malicious code
It is often digitally signed, so Windows trusts it
The vulnerability lies in poorly designed driver functionality, not in Windows itself

Once loaded, the driver runs at Ring 0 (kernel level), which is the highest privilege level in the operating system.

Why Drivers Are So Powerful

Operating systems like Windows separate privileges into layers:

Level	Description
User mode	Applications (browsers, office apps, EDR agents)
Kernel mode	OS kernel and drivers
Ring 0	Full system control

EDR and antivirus products mostly run in user mode, even if they have self-protection mechanisms like:

Protected Process Light (PPL)
Tamper protection
Anti-termination safeguards

A kernel-mode driver can bypass all of these protections.

Why Old or Vulnerable Drivers Still Load

1. Digital Signature Trust

Windows enforces Driver Signature Enforcement (DSE):

Drivers must be digitally signed to load

However, many old drivers were signed before modern security standards existed. Some legacy drivers:

Were signed before July 2015
Have expired or revoked certificates
Are still accepted by Windows for compatibility reasons

2. Backward Compatibility

To avoid breaking old hardware and enterprise software:

Windows allows certain legacy signed drivers to load
Certificate revocation checks are not always enforced at load time

Attackers exploit this trust model.

How Attackers Use BYOVD (Step-by-Step)

Step 1: Initial Access

BYOVD is not usually the first step of an attack. Attackers typically gain access via:

Stolen VPN credentials
Phishing
Exploited remote services
Weak MFA configurations

Once they have administrator access, they move to driver abuse.

Step 2: Bringing the Vulnerable Driver

The attacker includes a driver that is:

Legitimate and signed
Known to expose dangerous IOCTL functions
Previously used by hardware vendors, forensic tools, or system utilities

Examples historically abused include: Forensic drivers, Hardware monitoring drivers, Debug or memory access drivers.

The driver is often:

Embedded inside a malware loader
Dropped to disk with benign-looking filenames
Timestamped to look old and legitimate

Step 3: Loading the Driver

Attackers load the driver by:

Writing it to disk (for example, C:\Windows\System32\drivers\)
Creating a Windows service entry for the driver
Starting the service, which loads the driver into kernel memory

This requires administrator privileges, which attackers typically already have at this stage. Because the driver is signed, Windows allows it to load.

Step 4: Abusing the Driver

Once loaded, attackers interact with the driver using IOCTL (Input/Output Control) requests. Poorly designed drivers may allow:

Arbitrary process termination
Kernel memory read and write
Disabling callbacks and protections
Access to physical memory
Bypassing Protected Process Light (PPL)

Using these capabilities, attackers can:

Kill EDR and AV processes
Disable security services
Blind monitoring and logging tools

This phase is often called an EDR killer stage.

Step 5: Follow-On Attack

With endpoint protection disabled, attackers can safely:

Deploy ransomware
Steal credentials and data
Establish persistence
Move laterally across the network

At this point, the attack becomes much harder to detect or stop.

Why BYOVD Is Increasing

Several factors have made BYOVD popular:

High Reliability: Works across many Windows versions and does not rely on zero-day exploits.
Low Detection: Uses legitimate signed drivers, so no exploit payloads or shellcode are required.
Reusability: The same vulnerable driver can be reused in many campaigns.
EDR Evasion: Directly targets security tools instead of trying to evade them.

As a result, BYOVD has been adopted by ransomware groups, initial access brokers, and advanced persistent threat (APT) actors.

Platforms Affected

Although most public cases focus on Windows, the concept applies broadly:

Windows: Most common due to the size of the driver ecosystem
Linux: Kernel module abuse is possible with misconfigurations
macOS: Kernel extensions (KEXTs) have been abused historically, though protections have improved

How Organizations Can Defend Against BYOVD

Enable Vulnerable Driver Blocklists: Microsoft maintains a known vulnerable driver blocklist. Works best when Memory Integrity (HVCI) is enabled.
Enforce Driver Control Policies: Use Windows Defender Application Control (WDAC) to allow only approved drivers.
Monitor Driver Load Events: Watch for new or unexpected .sys files, drivers loaded outside normal software installations, and drivers associated with forensic or hardware tools not used in your environment.
Harden Initial Access: Enforce MFA on VPNs and remote access, patch internet-facing services, and monitor for credential abuse.
Defense in Depth: Combine endpoint security, identity protection, and logging. Monitor for signs of EDR tampering.
Add alerting for when an EDR solution stops sending telemetry. This is a critical signal that tampering may have occurred.

Key Takeaways

BYOVD is not malware. It is abuse of trust.
Old, signed drivers can provide attackers with kernel-level control.
This technique allows attackers to disable EDR and AV reliably.
BYOVD is now a mainstream tactic in ransomware and targeted attacks.
Defense requires driver control, monitoring, and strong access security.

Vulnerable Drivers Seen in 2025–2026 Campaigns

This table provides a reference of vulnerable kernel drivers that were documented or observed as abused in 2025–2026 (BYOVD candidates and those seen in real attacks). This is not exhaustive, but it collects the drivers and CVEs that security reporting and incident responders called out during 2025–2026.

Driver / Artifact	Vendor / Source	CVE(s) / Notes	Observed / Reported Campaigns	Short Description	Mitigation & Hunting Signals
BdApiUtil.sys	Baidu Antivirus (driver component)	CVE-2024-51324	DeadLock ransomware BYOVD usage reported	Signed AV driver with privilege/control weaknesses repurposed to disable EDR/AV.	Block known file names; add to vulnerable driver blocklist; hunt for unexpected copies; enable HVCI/Memory Integrity.
TfSysMon.sys	ThreatFire System Monitor (legacy)	CVE-2025-61156	BYOVD-style abuse reported	Driver exposes IOCTLs that allow arbitrary process/kernel interactions.	Patch/remove vendor software; monitor IOCTL calls and driver load events; add to blocklist if unneeded.
WatchDog / amsdk.sys	Microsoft-signed antimalware driver family	Revoked / legacy-signed drivers	Silver Fox / ValleyRAT campaigns	Even Microsoft-signed drivers can be repurposed if legacy behaviors exist.	Correlate driver loads with agent health events; treat unexpected antimalware driver loads as high priority.
POORTRY	Custom / observed in incident	No public CVE	Osiris ransomware case	Adversary-supplied custom driver acting as vulnerable kernel module to disable EDR.	Detect driver service creation from non-standard installers; hunt for scripts that write .sys files; isolate infected hosts quickly.
WinRing0.sys family	Multiple hardware / performance tools	Historically flagged	BYOVD candidate in research	Hardware access drivers that expose ring-0 primitives (I/O, physical memory).	Remove unneeded overclock/monitoring tools on servers; inventory approved drivers; watch for variants.
Lenovo OEM drivers	OEM vendor drivers	e.g., CVE-2025-8061	Research/PoC abuse	Some OEM drivers expose unsafe I/O / memory primitives.	Patch via OEM updates; remove on non-workstation endpoints; use blocklist policies.
cldflt.sys	Microsoft / Cloud Files	CVE-2025-62221	Local privilege escalation	Mini-filter driver with exploitable privilege escalation vector.	Apply security updates; monitor exploit patterns.
CLFS kernel driver	Windows Common Log File System	CVE-2025-29824	Ransomware/privilege escalation	Kernel component exploited for escalation.	Apply MS advisories/patches immediately; monitor API use.
IoAccess.sys, etc.	Various legacy/third-party	Historically documented	BYOVD candidate catalogs	Legacy signed drivers with unsafe IOCTLs or memory access.	Use Microsoft Vulnerable Driver Blocklist; remove nonessential drivers; alert on unexpected loads.
Other OEM/utility drivers	Various	Various CVEs	Red-team research	Signed drivers with unsafe IOCTLs/memory primitives.	Maintain driver whitelist; use WDAC; enable driver load auditing.

Hunting for Drivers

1. Start With the Attacker Kill Chain

BYOVD rarely happens in isolation. Most attacks follow this pattern:

Initial access (VPN, phishing, exposed service)
Privilege escalation to administrator
Suspicious driver dropped
Kernel driver loaded
Security tools disabled
Payload deployment (ransomware, C2, exfiltration)

Threat hunting should focus on steps 3–5, where mistakes are most visible.

2. Hunt for Suspicious Driver Files

What to Look For: Drivers (.sys files) appearing in unusual contexts:

Written outside of standard installation workflows
Dropped by scripting engines or unsigned binaries
Copied into System32\drivers manually

High-Signal Locations:

C:\Windows\System32\drivers\
C:\Windows\Temp\
C:\ProgramData\
C:\Users\Public\

Suspicious Characteristics:

Driver filenames mimicking legitimate vendors
Very old compile timestamps (2005–2012)
No associated installed software
Drivers appearing shortly before EDR failures

Hunting Questions: Why was this driver installed? Which process wrote it to disk? Is it part of approved hardware or software?

3. Hunt for Unexpected Driver Loads

Windows Events to Monitor:

Service creation events (new kernel driver services)
Driver load events (kernel module loaded)
Code integrity logs (blocked or audited driver loads)

High-Risk Indicators:

Drivers loaded outside maintenance windows
Forensic, debugging, or hardware drivers on endpoints
Drivers loaded shortly after VPN logins or privilege escalation

Threat Hunting Tip: Create a baseline of normal drivers in your environment. Anything outside that list deserves investigation.

4. Hunt for Security Tool Tampering

BYOVD is often used as an EDR killer.

Indicators of Driver-Based EDR Killing:

Multiple security services stopped in seconds
AV/EDR processes terminated despite tamper protection
Kernel callbacks suddenly disappearing
EDR reporting “agent unhealthy” or “sensor offline”

Hunting Query Ideas:

Security processes exiting with abnormal exit codes
Service stop events for multiple vendors in short time windows
Endpoint protection disabled without user interaction

These are late indicators, but still valuable for correlation.

5. Hunt for Driver Installation via Non-Standard Processes

High-Risk Parent Processes: Driver installation triggered by:

powershell.exe
cmd.exe
wmic.exe
mshta.exe
Custom loaders or unknown executables

Why This Matters: Legitimate drivers are usually installed by vendor installers, Windows Update, or hardware setup utilities. Anything else is suspicious.

6. Hunt for Known Vulnerable Driver Artifacts

Common Patterns in BYOVD Campaigns: Reused vulnerable drivers, slightly renamed .sys files, vulnerable drivers embedded in malware loaders.

What to Do: Maintain a rolling list of known-abused drivers and hunt by original driver names, exported function names, IOCTL patterns, and file metadata, not just hashes.

7. Hunt for IOCTL Abuse (Advanced)

This is harder, but high value. BYOVD drivers expose IOCTL interfaces that kill processes, read/write kernel memory, or disable protections.

Detection Options: Kernel telemetry, driver communication anomalies, EDR kernel-level behavioral alerts, sudden termination of protected processes after driver load. This is typically Tier 3 / advanced hunting.

8. Correlate with Identity and Access Signals

BYOVD requires admin access.

High-Confidence Correlations: VPN login → admin token → driver load; Privilege escalation → driver install within minutes; Local admin account created shortly before driver load. If these appear together, escalate immediately.

9. Sample Hunting Hypotheses

Use hypotheses to guide hunts: “An attacker loaded a legacy signed driver to disable EDR,” “A driver was installed without a legitimate business purpose,” “A vulnerable driver enabled termination of protected processes.” Good threat hunting is question-driven, not alert-driven.

10. Detection vs. Prevention Reality

Control	Effectiveness
Signature-based AV	Low
EDR behavior rules	Medium
Driver blocklists	High
WDAC / HVCI	Very High
Threat hunting	Critical

BYOVD often succeeds because prevention controls are misconfigured, not because they don’t exist.

11. When to Escalate Immediately

Escalate to incident response if you find: unknown driver loaded + security tools failing; driver loaded after VPN login + privilege escalation; legacy driver with process-kill capability; multiple endpoints showing similar driver artifacts. BYOVD usually indicates hands-on-keyboard activity, not commodity malware.

Final Takeaways for Threat Hunters

Hunt the driver, not the malware
Look for why a driver exists, not just what it is
BYOVD leaves fewer artifacts but higher-impact ones
Early detection is possible before ransomware deployment
Driver telemetry is now a core hunting data source