Microsoft Under Pressure to Bolster Defences for BYOVD Attacks

Summary

Over the past year threat actors — notably ransomware groups — have stepped up use of bring-your-own-vulnerable-driver (BYOVD) attacks to neutralise endpoint defences. Attackers drop a vulnerable kernel driver onto a target, use its ring 0 privileges to terminate security processes, then deploy ransomware, info-stealers or backdoors.

Microsoft has layered kernel protections over time (Driver Signature Enforcement, Hardware Dev Center signing and a Vulnerable Driver Blocklist enabled by default since the Windows 11 2022 update). Yet a backwards-compatibility loophole permits cross-signed drivers issued before 29 July 2015 to load even if their certificates are expired or revoked — a gap exploited in a recent EnCase driver weaponisation where the certificate had been revoked in 2010.

The blocklist helps but is updated infrequently, and broad blocking risks breaking legitimate legacy use in sectors such as healthcare. That has pushed much of the detection and mitigation burden onto EDR vendors and individual organisations. Short-term options discussed include more frequent/cloud-updated blocklists, curated EDR blocking, the open-source LOLDrivers list and layered detections tuned to admin privilege escalation and driver-load indicators. Microsoft says it evaluates impact, works with partners and uses layered Microsoft Defender protections before blocking vulnerable versions. Part 2 of this series will examine how vendors and researchers are responding.

Key Points

  • BYOVD attacks involve installing a vulnerable kernel driver to gain ring 0 access and disable security products before deploying payloads.
  • Microsoft protections exist but allow older cross-signed drivers (pre-29 July 2015) to load, even if their certificates are expired or revoked.
  • The EnCase driver case (certificate revoked in 2010) highlights how illogical gaps can be weaponised by attackers.
  • The Vulnerable Driver Blocklist is enabled by default but is only updated intermittently, creating windows for exploitation.
  • Blocking drivers globally risks disrupting legitimate legacy systems, forcing Microsoft to balance security and compatibility.
  • Practical mitigations include more frequent/cloud-based blocklist updates, EDR vendor curation, using LOLDrivers, and layered detection focused on driver loads and escalation to admin privileges.
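The mitigations listed above (a LOLDrivers-style hash list, EDR curation, and detections keyed on driver loads) combine naturally into one triage step over driver-load telemetry. The following is an added example, not code from the Dark Reading article, from Microsoft or from the LOLDrivers project: it scores driver-load records shaped like Sysmon Event ID 6 (DriverLoad) against a constructed hash list, the driver's signature status, the pre-29 July 2015 cross-signing window the article describes, and the load path. The `SigningDate` field is an assumed enrichment (the certificate's signing timestamp) that Sysmon itself does not emit, and every hash and path in the sample data is made up.

```python
"""Triage driver-load events against a vulnerable-driver hash list.

Added example, not code from the Dark Reading article, Microsoft or LOLDrivers.
It joins the detection inputs the article names: a LOLDrivers-style hash list,
the signature status of the loaded driver, the pre-29 July 2015 cross-signing
window, and where on disk the driver was loaded from.
"""
from datetime import date

# Constructed LOLDrivers-style feed. The hashes are placeholders, not real
# driver hashes; a real deployment would load SHA256s from the project's feed.
VULNERABLE_DRIVER_HASHES = {
    "a" * 64: "placeholder-vulnerable-driver-1.sys",
    "b" * 64: "placeholder-vulnerable-driver-2.sys",
}

# Cross-signed drivers issued before this date still load under the
# backwards-compatibility exception the article describes, even with
# an expired or revoked certificate.
CROSS_SIGN_CUTOFF = date(2015, 7, 29)

SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed records shaped like Sysmon Event ID 6 (DriverLoad). ImageLoaded,
# Hashes, Signed, Signature and SignatureStatus are Sysmon field names;
# SigningDate is an assumed enrichment field (certificate timestamp) that a
# collection pipeline would have to add. All values are made up.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "c" * 64 + ",MD5=" + "0" * 32,
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid", "SigningDate": "2023-01-15"},
    {"ImageLoaded": "C:\\Users\\Public\\legacy.sys",
     "Hashes": "SHA256=" + "a" * 64,
     "Signed": "true", "Signature": "Example Legacy Vendor",
     "SignatureStatus": "Revoked", "SigningDate": "2010-03-02"},
    {"ImageLoaded": "C:\\Temp\\tool.sys",
     "Hashes": "SHA256=" + "d" * 64,
     "Signed": "true", "Signature": "Example Vendor",
     "SignatureStatus": "Expired", "SigningDate": "2014-11-20"},
]


def parse_hashes(hashes_field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {algorithm: hex}."""
    parsed = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            parsed[algo.strip().upper()] = value.strip().lower()
    return parsed


def triage_event(event, vuln_hashes, cutoff=CROSS_SIGN_CUTOFF):
    """Return the list of reasons a driver-load event deserves analyst attention."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in vuln_hashes:
        reasons.append("hash matches vulnerable-driver list")
    status = event.get("SignatureStatus", "")
    if status.lower() != "valid":
        reasons.append(f"signature status is {status or 'unknown'}")
    signing_date = event.get("SigningDate")
    if signing_date and date.fromisoformat(signing_date) < cutoff:
        reasons.append("signed before 2015-07-29 cross-signing cutoff")
    # Noisy on its own (third-party drivers legitimately live elsewhere), so it
    # only adds weight alongside the other signals.
    if not event.get("ImageLoaded", "").lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    return reasons


def triage(events, vuln_hashes=VULNERABLE_DRIVER_HASHES):
    """Triage a batch; return [(image_path, reasons)] for every flagged event."""
    flagged = []
    for event in events:
        reasons = triage_event(event, vuln_hashes)
        if reasons:
            flagged.append((event["ImageLoaded"], reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(f"{image}: {'; '.join(reasons)}")
```

The hash match is the only high-confidence signal; the other three exist so that a driver not yet on any list still surfaces when it is revoked or expired, falls in the legacy cross-signing window, and arrives from a user-writable path. Feeding the flagged events into the same alert that watches for local admin privilege escalation gives the layered detection the article recommends.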

Why should I read this?

Quick heads-up: attackers are using ancient, legitimate drivers to switch off your EDR and make ransomware a lot easier. This piece explains the messy trade-off Microsoft faces — you can’t just ban everything without breaking business-critical kit — and what defenders can do now. Read it if you look after Windows endpoints; it saves you the time of digging through the technical detail yourself.

Source

Source: https://www.darkreading.com/application-security/microsoft-under-pressure-defenses-byovd-attacks