54 EDR Killers Use BYOVD to Abuse 34 Signed Drivers
- [01] Ransomware affiliates use specialized tools to disable security software and deploy file-encrypting malware across corporate networks.
- [02] Systems running vulnerable signed drivers are susceptible to exploitation through bring your own vulnerable driver techniques.
- [03] Enforce the Windows driver blocklist and monitor for unauthorized driver loading to prevent kernel-level security bypasses.
A recent security analysis has identified a significant surge in the use of ‘EDR killers’—malicious programs designed to neutralize security software at the kernel level. According to The Hacker News, 54 distinct EDR killer tools have been documented leveraging the ‘Bring Your Own Vulnerable Driver’ (BYOVD) technique. These tools abuse a collection of 34 legitimate, signed drivers to gain unauthorized access to the Windows kernel and terminate EDR agents.
Technical Analysis of BYOVD Exploitation
The BYOVD technique is a TTP that sidesteps, rather than defeats, the Driver Signature Enforcement (DSE) feature in Windows. The attacker loads a legitimate driver that is signed by a trusted Certificate Authority (CA) but contains a known vulnerability; because the signature check passes, the driver loads normally and its flaw can then be exploited to execute code with kernel-level privileges. This access gives the attacker Privilege Escalation and direct interaction with the operating system’s core memory structures.
Once a vulnerable driver is loaded, the EDR killer exploits it to manipulate system handles, terminate protected processes, or delete registry keys associated with security solutions. Because the driver is technically ‘trusted’ by the OS, many traditional antivirus products fail to prevent the initial load. This methodology has become a staple of the ransomware ecosystem, where affiliates seek to blind the SOC before initiating data exfiltration or encryption. Removing endpoint visibility suppresses the telemetry and IoCs that would otherwise alert responders to the presence of an APT or other unauthorized actor.
Impact on Endpoint Security and Lateral Movement
The primary objective of these tools is defense evasion, categorized under MITRE ATT&CK technique T1562.001. By disabling security monitoring, attackers facilitate unhindered Lateral Movement across the victim’s infrastructure. Without an active EDR, the transition between compromised nodes becomes significantly harder to track through a centralized SIEM or logging platform.
Detection and Mitigation Steps for EDR Killers
Defenders must transition from signature-based detection to behavioral monitoring of driver installation events. Identifying the loading of drivers from unusual directories or drivers that appear on known vulnerable lists is a priority for modern threat hunting.
How to Detect BYOVD Exploit Attempts
Security teams should monitor Windows Event Logs, specifically Sysmon Event ID 6 (Driver loaded), to identify suspicious activity. BYOVD exploit attempts can be detected by correlating driver load events with known-bad hashes or with non-standard file paths (such as \Temp\ or \Users\Public\). Furthermore, auditing for any attempts to modify the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CI\Config registry key can reveal attempts to weaken driver signature requirements.
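The triage logic described above, as an added example that is not part of the original article: it scores constructed Sysmon records, flagging Event ID 6 (Driver loaded) entries whose SHA256 is on a known-bad list or whose image path sits in \Temp\ or \Users\Public\, and Event ID 13 (Registry value set) entries that touch the CI\Config key. The hash values and sample records are constructed placeholders, not real indicators.

```python
import re

# Constructed placeholder hash standing in for a real vulnerable-driver list
KNOWN_BAD_SHA256 = {"0" * 63 + "1"}

# Paths the article calls out as non-standard locations for a driver image
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|Users\\Public)\\", re.IGNORECASE)
# Code-integrity configuration key whose modification can weaken driver checks
CI_CONFIG_KEY = re.compile(r"\\Control\\CI\\Config(\\|$)", re.IGNORECASE)


def sha256_from_hashes(hashes: str) -> str:
    """Sysmon stores hashes as 'SHA256=...,MD5=...'; extract the SHA256."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def triage(event: dict) -> list:
    """Return the reasons an event looks like BYOVD activity (empty if none)."""
    reasons = []
    if event.get("EventID") == 6:  # driver loaded
        if sha256_from_hashes(event.get("Hashes", "")) in KNOWN_BAD_SHA256:
            reasons.append("known-vulnerable driver hash")
        if SUSPICIOUS_DIRS.search(event.get("ImageLoaded", "")):
            reasons.append("driver loaded from user-writable path")
        # A valid signature is expected in BYOVD, so Signed=true is not a signal.
    elif event.get("EventID") == 13:  # registry value set
        if CI_CONFIG_KEY.search(event.get("TargetObject", "")):
            reasons.append("code-integrity policy key modified")
    return reasons


# Constructed sample records mirroring Sysmon EventData field names
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "ab" * 32, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys",
     "Hashes": "SHA256=" + "0" * 63 + "1", "Signed": "true"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control"
     r"\CI\Config\VulnerableDriverBlocklistEnable", "Details": "DWORD (0x00000000)"},
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map the index of each flagged event to its list of reasons."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = triage(event)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for i, reasons in run().items():
        print(i, reasons)
```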
Hardening the Kernel Environment
To prevent the execution of these tools, organizations should implement the following mitigation steps for EDR killers:
- Enable Microsoft Vulnerable Driver Blocklist: Ensure that the Windows Defender ‘Vulnerable Driver Blocklist’ is active and updated across all endpoints.
- Enforce Driver Signature Enforcement: Utilize Zero Trust principles by ensuring that only explicitly whitelisted drivers can be loaded into the environment.
- HVCI Compliance: Implement Hypervisor-Protected Code Integrity (HVCI) or Memory Integrity to ensure that kernel-mode code is only executed if it is verified as safe.
While no specific CVE IDs were linked to all 34 drivers in the primary research, many of these vulnerabilities stem from poor access control in IOCTL handlers. By proactively blocking these drivers, organizations can effectively neutralize the primary delivery mechanism for modern EDR killer tools.