Blocking BYOVD Techniques to Prevent AV/EDR/XDR Bypasses

Research
Written by
Halcyon Research Team
Published on
Jun 11, 2024

Technically savvy threat actors have long favored vulnerable drivers for bypassing security controls to create a shell, execute malware, and establish persistence.  

The reason is simple: the drivers are signed with a valid Microsoft certificate and therefore run with kernel-level privileges. Translation: they are really difficult to detect.

In some instances, attackers have been observed installing drivers as kernel-level services by leveraging Microsoft RPC (Remote Procedure Call) instead of through Windows APIs in order to evade any active API monitoring.  

In 2023, a threat actor with the handle Spyboy introduced a Bring Your Own Vulnerable Driver (BYOVD) attack tool dubbed Terminator that could bypass just about every AV/EDR/XDR solution on the market. The tool was made available on Russian cybercrime forums for as little as $300 USD and caused a lot of worry at the time.

Analysis by CrowdStrike revealed that the Terminator tool drops a legitimately signed kernel driver into C:\Windows\System32\, and after the driver is written to the disk, the Terminator tool loads it and then leverages the kernel-level privileges to bypass AV and EDR software.

Once an attacker has kernel-level access, they can perform all kinds of actions, including launching malware disguised as a legitimate DLL through legitimate Windows Defender binaries.

Old BYOVD Tricks

BYOVD exploits which leverage flaws in vulnerable drivers to execute code with kernel-level privileges that can bypass security software are nothing new.  

North Korean APT Lazarus Group was one of the first to be observed leveraging vulnerable drivers back in 2021 to blind security tools, and more recently the Cuba and D0nut ransomware gangs were found using vulnerable drivers to kill processes associated with security tools and capitalize on the kernel-level access to escalate privileges for other actions.

Leading EDR solutions will tout their ability to hunt for, detect, and remove vulnerable drivers through various means. This includes using custom rules to detect artifacts associated with known samples of malicious drivers, or to flag such a driver when it is written to disk based on its MD5 hash. They can also search for hashes from a list of known vulnerable drivers. But this is all very time-consuming and really unnecessary.

EDR/XDR solutions are not responsible for enforcing secure coding practices; they are important tools for detecting and responding to security incidents, including potential bypass attempts. Their effectiveness in this role depends on how they are integrated into a comprehensive security strategy.

Fortunately, Microsoft offers a simpler and more effective method to defend against the exploitation of vulnerable drivers with kernel-level privileges, even if this solution doesn't receive much media attention.

Microsoft Vulnerable Driver Block List

Microsoft is strict about what code can run at the kernel level, and they have been aware that threat actors have exploited vulnerabilities in legitimately signed kernel drivers to execute malware for quite some time.  

To combat this, Microsoft works closely with hardware vendors and OEMs to proactively secure drivers, and it maintains a regularly updated vulnerable driver blocklist to defend against vulnerable driver exploits.

Since 2022, the vulnerable driver blocklist has been available and can be enabled through the Windows Security application. It is also enforced whenever Smart App Control, S mode, or memory integrity is active.

The blocklist is updated several times per year, and Windows Defender Application Control (WDAC) can be used at any time to apply the latest version of the blocklist.

Every security team should ensure that Microsoft HVCI or S mode is enabled to protect against infection via vulnerable drivers signed with valid certs. Microsoft also recommends blocking these drivers through Windows Defender Application Control policies.

The steps for downloading and applying the Microsoft Vulnerable Driver Blocklist binary are available here and through the Microsoft Download Center. Running processes aren't shut down when a new WDAC policy is activated without a reboot, so if any vulnerable drivers that the policy should block are already running, you will need to reboot the device for those drivers to be blocked.

If you have not been proactive about blocking vulnerable drivers in your environment that can facilitate security tool bypasses, you can opt to use your EDR/XDR to hunt for artifacts and then kill the associated driver processes one by one, but that's an overly complicated approach.

Every security team should follow the advice from Microsoft and simply enable the application blocklist to stay up to date on blocks for vulnerable drivers. Once it is enabled, a simple reboot kills any vulnerable drivers already running on the device.
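As an added example (not code from the Halcyon post or from Microsoft's documentation), the PowerShell below audits a host for the controls described above: whether HVCI (memory integrity) is running, whether the Windows Security blocklist toggle is set, which WDAC policy files are on disk, and whether Code Integrity has recently enforced a block. It assumes Windows 10/11 with PowerShell 5.1 or later, run from an elevated shell; the function names are my own.

```powershell
# Added example (not from the Halcyon post): audit the vulnerable-driver controls on a host.
# Assumes Windows 10/11, PowerShell 5.1+, elevated shell. Function names are hypothetical.

function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # In Win32_DeviceGuard, security service value 2 is Hypervisor-enforced Code Integrity (HVCI)
    [pscustomobject]@{
        Configured = [bool]($dg.SecurityServicesConfigured -contains 2)
        Running    = [bool]($dg.SecurityServicesRunning    -contains 2)
    }
}

function Get-BlocklistToggle {
    # The "Microsoft Vulnerable Driver Blocklist" switch in Windows Security stores a DWORD here
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $prop = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    [bool]($prop.VulnerableDriverBlocklistEnable -eq 1)
}

function Get-WdacPolicyFiles {
    # Single-policy format lives at SiPolicy.p7b; multiple-policy format under CiPolicies\Active\*.cip
    $ci = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    @(Get-ChildItem -Path (Join-Path $ci 'SiPolicy.p7b'), (Join-Path $ci 'CiPolicies\Active\*.cip') -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime)
}

function Get-RecentCodeIntegrityBlocks([int]$Days = 7) {
    # Event 3077 = file blocked by an enforced WDAC policy (3076 is the audit-mode equivalent)
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077; StartTime = (Get-Date).AddDays(-$Days) }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } })
}

$hvci   = Get-HvciState
$toggle = Get-BlocklistToggle
$files  = Get-WdacPolicyFiles
$blocks = Get-RecentCodeIntegrityBlocks

"HVCI configured/running : $($hvci.Configured)/$($hvci.Running)"
"Blocklist toggle enabled: $toggle"
"WDAC policy files       : $($files.Count)"
$files  | Format-Table -AutoSize
"Enforced blocks, last 7d: $($blocks.Count)"
$blocks | Format-Table -AutoSize
if (-not ($hvci.Running -or $toggle)) {
    Write-Warning 'Neither HVCI nor the blocklist toggle is active; enable one and reboot so already-loaded drivers are re-evaluated.'
}
```

A host that reports policy files on disk but no HVCI and no toggle has staged a policy without enforcing it; per the post, a reboot is still required before drivers that were already loaded are blocked.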

If you have any questions about the how and why of enabling the Microsoft application blocklist, feel free to reach out to a Halcyon expert today and we’ll be happy to guide you through the process.

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and maintains the Recent Ransomware Attacks resource site.
