Bring Your Own Vulnerable Driver (BYOVD)

Bring Your Own Vulnerable Driver (BYOVD) is a technique for loading a legitimate driver with a valid digital signature, but containing known vulnerabilities, into the target system. The name is a riff on Bring Your Own Device (BYOD), a widespread corporate policy that allows employees to bring their own digital devices to work. With BYOVD, instead of searching for vulnerable drivers in the target system, attackers “bring” their own.

Threat actors are interested in drivers that run at the same privilege level as the OS kernel. The latest versions of Windows check the digital signature of drivers, and prohibit kernel-level loading of drivers that are unsigned or have invalid certificates. BYOVD allows attackers with administrator privileges in the system to install a legitimate signed driver containing known vulnerabilities, bypassing protection, and to execute arbitrary code at the kernel level.

BYOVD is leveraged both by APT groups and by financially motivated cybercriminals, such as cryptomalware operators.

Why BYOVD?

BYOVD is often used to neutralize security solutions (such attacks and the tools behind them are known as “AV/EDR killers”). Having gained kernel-level access to the system, attackers can forcibly terminate the protected processes of antivirus and EDR solutions, remove event interceptors (hooks), and block telemetry transmission. The result is that malware and other attacker activity go undetected.

Access to the kernel through a vulnerable driver also allows attackers to hide traces of their presence, achieve persistence in the system, and bypass digital signature verification when loading malicious code.

Anti-BYOVD measures

Countering BYOVD is hampered by the fact that, to monitoring systems, the driver installation looks legitimate: an administrator runs a trusted file from a trusted vendor. Nevertheless, there are several ways to combat this technique.

  • Blocklists compiled and maintained by Microsoft and security solution developers. These lists contain information about known vulnerable drivers and their certificates. In recent versions of Windows, loading drivers listed on the Microsoft Vulnerable Driver Blocklist is blocked by default.
  • Virtualization-based Security (VBS) and Hypervisor-protected Code Integrity (HVCI). These features create a protected environment for kernel code verification, and make it hard to exploit vulnerable drivers.
  • Principle of Least Privilege (PoLP). Administrator privileges are typically required to load a driver, and PoLP creates obstacles for attackers trying to obtain them.
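As an added example (not part of the original article), the PowerShell audit below checks the three controls above on a single host: the blocklist registry value, VBS/HVCI status from the Win32_DeviceGuard class, and the Authenticode status and SHA-256 of every running kernel driver against a blocklist. It assumes an elevated session; the blocklist hashes in it are constructed placeholders.

```powershell
# Added example, not from the original article: audit the three anti-BYOVD
# controls on a Windows host. Assumes an elevated (administrator) PowerShell.

# 1. Microsoft Vulnerable Driver Blocklist. The registry value is documented by
#    Microsoft; when it is absent, the OS default for that Windows version applies.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
'Vulnerable Driver Blocklist value: ' + $(if ($null -eq $blocklist) { 'not set (OS default)' } else { $blocklist })

# 2. VBS and HVCI status from the Win32_DeviceGuard WMI class.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
#    SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
'VBS running:  ' + ($dg.VirtualizationBasedSecurityStatus -eq 2)
'HVCI running: ' + ($dg.SecurityServicesRunning -contains 2)

# 3. Running kernel drivers: Authenticode status and SHA-256, compared against a
#    blocklist. The hash below is a constructed placeholder, not a real indicator;
#    a real deployment would load the vendor's published list instead.
$badHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder.sys'
}
$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Driver      = $_.Name
            Path        = $path
            SigStatus   = $sig.Status            # anything but 'Valid' is a review item
            Signer      = $sig.SignerCertificate.Subject
            Blocklisted = $badHashes.ContainsKey($hash)
        }
    }

# Drivers worth a closer look: unsigned/invalid signature or a blocklist hit.
# Treat this as triage input for an analyst, not a verdict on its own.
$report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Blocklisted } |
    Format-Table Driver, SigStatus, Blocklisted, Path -AutoSize
```

A host where the blocklist value is unset on an older Windows build, or where HVCI is not running, has fewer of the controls listed above in place and is the one to prioritise for hardening.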
