Kernel‑driver BYOVD bypass
A researcher published an analysis of a signed kernel driver used to disable CrowdStrike endpoint detection, reporting more than 15 variants of the same BYOVD (bring your own vulnerable driver) technique. The disclosure suggests defenders need to reassess kernel‑level trust and signed‑driver controls across endpoints: a valid Microsoft signature is what lets these drivers load, so the signature by itself cannot be the trust decision. (x.com)
A Windows kernel-mode driver is code the operating system loads into the kernel, the most privileged part of Windows, usually so the OS can talk to hardware. Microsoft and the Cybersecurity and Infrastructure Security Agency both warn that attackers abuse signed but vulnerable drivers to gain that level of access without having to get a driver of their own signed. (cisa.gov)

That is the setup behind the latest disclosure. Researcher Jehad Abudagga wrote on Medium in April 2026 that he reverse engineered a kernel driver used against CrowdStrike endpoint detection and response software and identified “15+ variants” sharing the same code. He said the drivers were Microsoft-signed, the signatures were still valid, and none were blocked or revoked when he examined them. That is the point of the technique: driver signature enforcement only asks whether a driver carries an acceptable signature, so a validly signed driver with a flaw loads like any other until it is added to a blocklist or its signature is revoked. (medium.com)

Abudagga said one control code in the driver, `0x22E010`, led to a routine that accepts a process identifier and calls Windows kernel functions to open and terminate that process. He wrote that this kernel path can kill protected security processes that ordinary user-mode tools cannot stop. That matches the general shape of a driver-based process killer: the protections that keep user-mode code away from EDR processes, Protected Process Light and the anti-tamper callbacks the products register, are built to stop user-mode callers, not code that is already executing in the kernel. (medium.com)

CrowdStrike had already described this attack pattern in a December 2, 2024 blog post, saying bring your own vulnerable driver attacks had “escalated significantly” over the prior 18 months. The company said one customer intrusion in September 2024 involved six vulnerable drivers brought onto endpoints in an attempt to bypass the Falcon sensor. (crowdstrike.com)

Microsoft has framed the same problem as a trust issue inside the Windows kernel: driver signature enforcement blocks unsigned kernel code, so attackers look for signed drivers with exploitable flaws and use those flaws as the way in. In an April 9, 2024 security blog, Microsoft said bring your own vulnerable driver activity has been used by nation-state groups for years and became more common in ransomware operations starting in 2020. (techcommunity.microsoft.com)

Public tooling has also made the technique easier to study and reuse.
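The control code Abudagga quoted is worth decoding, because the number alone tells an analyst how the driver expects to be called. Windows builds IOCTL codes with the documented CTL_CODE macro layout: device type in bits 16-31, required access in bits 14-15, function number in bits 2-13, buffering method in bits 0-1. The following Python is an added example written for this page, not code from Abudagga's write-up or from any driver; the device-type, method and access name tables are the documented Windows Driver Kit constants, and the only input is the `0x22E010` value quoted above.

```python
"""Decode a Windows IOCTL control code into the fields of the CTL_CODE() macro.
Added example; the bit layout and constant names are the documented ones from
the Windows Driver Kit headers."""

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x12: "FILE_DEVICE_NETWORK",
                0x22: "FILE_DEVICE_UNKNOWN"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type, function, method, access):
    """Rebuild a control code the way the CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code back into its four fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def is_vendor_defined(code):
    """Function numbers 0x800-0xFFF are reserved for third-party drivers and
    0x000-0x7FF for Microsoft's own, so a custom feature such as a
    'terminate process' command is expected to land in the vendor range."""
    return decode_ioctl(code)["function"] >= 0x800


def describe_ioctl(code):
    """Render the code as the CTL_CODE() call that would produce it."""
    f = decode_ioctl(code)
    device = DEVICE_TYPES.get(f["device_type"], f"0x{f['device_type']:X}")
    return (f"0x{code:X} = CTL_CODE({device}, 0x{f['function']:X}, "
            f"{METHODS[f['method']]}, {ACCESS[f['access']]})")


if __name__ == "__main__":
    print(describe_ioctl(0x22E010))
```

Decoded, `0x22E010` is `CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)`. Function `0x804` sits in the range reserved for non-Microsoft drivers, `METHOD_BUFFERED` means the input (here, the PID) arrives copied into the I/O manager's system buffer, and the access bits mean the caller must hold a device handle opened for read and write, which only restricts anyone if the device object's security descriptor limits who can open it in the first place.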
A GitHub repository called BYOVD, updated and indexed this month, describes itself as a collection of proof-of-concept programs for exploiting vulnerable drivers to disable antivirus and endpoint detection and response products, with separate “killer” modules for multiple drivers. (github.com)

Defenders already have a partial control for this: Microsoft’s recommended driver block rules and the vulnerable driver blocklist. Microsoft Learn says the list can be updated when researchers or vendors report a driver, but Microsoft also warns that blocking drivers can break hardware or software and, in rare cases, trigger system crashes, which is why the block rules should be rolled out in audit mode first. (learn.microsoft.com) Microsoft support documentation says the vulnerable driver blocklist is enforced when Hypervisor-protected Code Integrity, also called memory integrity, or Windows S Mode is active; on Windows 11 22H2 and later it is on by default and appears as a toggle under Windows Security, Device security, Core isolation. A control that is only enforced alongside HVCI is only as good as the fleet's HVCI coverage, so an inventory of which endpoints actually run memory integrity is the first check. Because the blocklist is a denylist, it also says nothing about a signed driver nobody has reported yet; an allowlist of approved drivers through a WDAC policy closes that gap but takes more care to maintain. CISA says organizations can also watch driver-load events, service creation, and security processes terminated by drivers to spot abuse earlier; in practice that means Sysmon event ID 6 (driver loaded) and System log event ID 7045 (service installed), correlated with unexpected terminations of the EDR's own processes. (support.microsoft.com, cisa.gov)

The new disclosure does not show a new weakness in the idea of endpoint detection alone; it shows how much trust Windows still extends to signed kernel code. As more signed drivers are turned into process killers, the practical question for defenders is no longer whether bring your own vulnerable driver attacks exist, but which signed drivers are still allowed to load on their machines. (medium.com, techcommunity.microsoft.com)
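CISA's advice to watch driver loads and security-process terminations only helps once it becomes a concrete rule. The following Python is an added example, not code from CISA, Microsoft or CrowdStrike: it takes Sysmon-shaped records (event ID 6 for a driver load, event ID 5 for a process termination, with Sysmon's field names), flags a driver load that matches a blocklisted hash or that comes from outside the normal driver directory regardless of its signature status, and pairs it with a termination of a security process that follows within a short window. The blocklist hash, the events and the timings are constructed; `CSFalconService.exe` and `MsMpEng.exe` are used as the assumed protected processes, and the window length is an assumption to tune.

```python
"""Flag BYOVD-style activity in Sysmon-shaped telemetry: a suspicious driver
load (Sysmon event ID 6) followed shortly by the termination of a security
process (Sysmon event ID 5). Added example with constructed events."""
from datetime import datetime

# Constructed placeholder; in practice feed this from Microsoft's vulnerable
# driver blocklist or a similar list of known-abused driver hashes.
BLOCKLISTED_SHA256 = {"a1b2c3d4" * 8}

# Assumed set of processes an attacker would target (lower-cased image names).
PROTECTED_IMAGES = {"csfalconservice.exe", "msmpeng.exe"}

# Legitimate drivers normally load from here; anything else is worth a look.
NORMAL_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_time(utc_time):
    """Sysmon UtcTime, e.g. '2026-04-10 12:00:01.000'."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")


def parse_hashes(field):
    """'SHA256=AB..,MD5=..' -> {'SHA256': 'ab..', 'MD5': '..'} (hex lower-cased)."""
    hashes = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip():
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def classify_driver_load(event, blocklist=BLOCKLISTED_SHA256):
    """Reasons a driver-load event is suspicious; an empty list means benign."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    if sha256 in blocklist:
        reasons.append("blocklisted-hash")
    if not event.get("ImageLoaded", "").lower().startswith(NORMAL_DRIVER_DIR):
        reasons.append("nonstandard-path")
    # A valid signature is what let the driver load in the first place, so it
    # is recorded as context, never used as a reason to drop the alert.
    if reasons and event.get("SignatureStatus") == "Valid":
        reasons.append("valid-signature-despite-flags")
    return reasons


def correlate_kills(events, window_seconds=120):
    """Pair each suspicious driver load with protected-process terminations
    that follow it within window_seconds."""
    loads = [(parse_time(e["UtcTime"]), e, classify_driver_load(e))
             for e in events if e["EventID"] == 6]
    findings = []
    for e in events:
        if e["EventID"] != 5:
            continue
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if image not in PROTECTED_IMAGES:
            continue
        t_kill = parse_time(e["UtcTime"])
        for t_load, load, reasons in loads:
            delta = (t_kill - t_load).total_seconds()
            if reasons and 0 <= delta <= window_seconds:
                findings.append({
                    "driver": load["ImageLoaded"],
                    "reasons": reasons,
                    "terminated": e["Image"],
                    "pid": e["ProcessId"],
                    "seconds_after_load": delta,
                })
    return findings


# Constructed sample events (not real logs), using Sysmon's field names.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-04-10 12:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\vendorbus.sys",
     "Hashes": "SHA256=" + "ffeeddcc" * 8, "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Example Vendor Inc."},
    {"EventID": 6, "UtcTime": "2026-04-10 12:00:01.000",
     "ImageLoaded": "C:\\Users\\Public\\drv.sys",
     "Hashes": "SHA256=" + "A1B2C3D4" * 8, "Signed": "true",
     "SignatureStatus": "Valid",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
    {"EventID": 5, "UtcTime": "2026-04-10 12:00:03.500",
     "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": "1234"},
    {"EventID": 5, "UtcTime": "2026-04-10 12:00:04.000",
     "Image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
     "ProcessId": "4120"},
]

if __name__ == "__main__":
    for finding in correlate_kills(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it reports the one pairing: the driver loaded from a user-writable directory with a blocklisted hash, followed three seconds later by the Falcon service process ending. The rule deliberately never uses `Signed` or `SignatureStatus` to suppress an alert, because with BYOVD the signature being valid is the whole point. In a real deployment the protected-image set and the hash feed are the parts to keep current, and the same correlation can be extended to System log event 7045 so that the service install that loaded the driver is tied to the same finding.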