VYPR research
Published Jul 1, 2026 · 1 source

Attackers Weaponize Trusted Windows Drivers to Disable Security Software

Threat actors are increasingly leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus and EDR solutions, gaining kernel-level privileges to bypass defenses.

Attackers are increasingly abusing trusted Windows drivers to disable antivirus (AV) and endpoint detection and response (EDR) tools, employing a technique known as Bring Your Own Vulnerable Driver (BYOVD). Once a niche method, BYOVD has rapidly become a standard tactic in modern ransomware campaigns, granting threat actors the highest privilege level in Windows environments. Security researchers note that defense evasion is now a critical phase in cyber intrusions, with attackers directly targeting and disabling security controls rather than merely avoiding detection.

BYOVD exploits legitimate, digitally signed Windows drivers that contain known vulnerabilities. Because these drivers are trusted by the operating system, they can be loaded without triggering immediate alarms. Windows operates with two privilege levels: user mode and kernel mode. While user mode restricts applications, kernel mode offers near-complete control over the system. By utilizing a vulnerable driver, attackers can execute malicious actions within kernel mode. For instance, after gaining administrative access, an attacker can install a signed but flawed driver and send it specially crafted commands to exploit its weaknesses.

The most common outcome of a BYOVD attack is the termination of AV or EDR processes. In other scenarios, attackers may subtly degrade security tools by stripping permissions or modifying kernel structures, causing monitoring systems to cease generating alerts. This effectively blinds defenses while maintaining the appearance that they are still operational. The accessibility of BYOVD is high, with hundreds of vulnerable drivers publicly documented and new ones continually emerging.

Open-source and underground tools such as TrueSightKiller, GhostDriver, and AuKill automate the process of abusing these drivers to terminate security processes. Some ransomware groups now integrate BYOVD capabilities directly into their payloads, reducing the need for separate tooling. While BYOVD is prevalent, attackers also employ alternative methods to achieve similar outcomes.

Windows includes a protection mechanism called Protected Process Light (PPL) that prevents tampering with security services. However, attackers can bypass this by suspending protected processes instead of terminating them. A suspended security tool stops functioning but appears to be running normally, preventing automatic recovery. Another technique involves exploiting Windows trust hierarchies; if attackers gain control of a higher-trust process, they can manipulate or terminate lower-trust security services. Some campaigns also disrupt communication between endpoint agents and cloud-based intelligence services, weakening detection without altering the local agent.

Microsoft has introduced several kernel hardening features, including Kernel Address Space Layout Randomization (KASLR), Hypervisor-Protected Code Integrity (HVCI), and Kernel Control Flow Guard (KCFG). While these features mitigate certain attack classes, they do not effectively stop BYOVD. This is because attackers are modifying existing data structures rather than injecting new kernel code, a method that bypasses many of these protections. Microsoft does not always treat administrator-to-kernel escalation as a strict security boundary, meaning many BYOVD techniques may not receive immediate patches or CVE assignments.

Defensive efforts, such as Microsoft’s vulnerable driver blocklist and signature-based detection, offer only limited protection. Blocklists often lag behind newly discovered drivers, and attackers can quickly switch to alternative drivers or modify their tools to evade detection. A more effective approach is behavioral monitoring, which analyzes how drivers are used rather than focusing solely on known malicious drivers. Detecting unusual input/output control (IOCTL) requests, such as commands attempting to terminate security processes, can reveal BYOVD activity regardless of the specific driver involved. As BYOVD continues to evolve, defenders are shifting toward proactive detection strategies, with monitoring driver behavior potentially closing the gap and limiting attackers' ability to disable critical security controls.
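One way to put the behavioural approach described above into practice, as an added example that is not code from the article or from any product it names: a small correlator over constructed endpoint telemetry that alerts when the process that loaded a driver then sends that driver a request aimed at a security process, regardless of which driver it is. The event schema, process names, device names and IOCTL codes are all assumptions.

```python
"""Behavioural BYOVD detection over constructed endpoint telemetry (added example).

Field names are assumptions for a hypothetical sensor, not a real EDR schema.
The decision never consults a driver blocklist: it asks *how* a driver is used.
"""

# Process images treated as security tooling (constructed list; extend per estate).
SECURITY_IMAGES = {"MsMpEng.exe", "SenseIR.exe", "CSFalconService.exe"}

def detect_byovd(events):
    """Flag IOCTLs that a driver's own loader aims at a security process.

    events: chronological dicts with kind in {'ProcessCreate','DriverLoad','Ioctl'}.
    Returns a list of alert dicts (empty when nothing suspicious is seen).
    """
    pid_to_image = {}        # pid -> executable image
    device_to_loader = {}    # device object -> pid that loaded the driver behind it
    alerts = []
    for ev in events:
        kind = ev["kind"]
        if kind == "ProcessCreate":
            pid_to_image[ev["pid"]] = ev["image"]
        elif kind == "DriverLoad":
            device_to_loader[ev["device"]] = ev["pid"]
        elif kind == "Ioctl":
            # Assumed: the sensor surfaces the PID argument carried in the request.
            target = pid_to_image.get(ev["target_pid"])
            loaded_by_caller = device_to_loader.get(ev["device"]) == ev["pid"]
            if loaded_by_caller and target in SECURITY_IMAGES:
                alerts.append({"pid": ev["pid"], "image": pid_to_image.get(ev["pid"]),
                               "device": ev["device"], "ioctl": hex(ev["code"]), "target": target})
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry; names, codes and PIDs are placeholders
    {"kind": "ProcessCreate", "pid": 4120, "image": "MsMpEng.exe"},
    {"kind": "ProcessCreate", "pid": 7732, "image": "vendor_updater.exe"},
    {"kind": "ProcessCreate", "pid": 9016, "image": "helper.exe"},
    {"kind": "DriverLoad", "pid": 7732, "device": r"\Device\VendorUpdateDrv"},
    {"kind": "DriverLoad", "pid": 9016, "device": r"\Device\ExampleFlawedDrv"},
    # Updater queries its own driver about itself: legitimate use, no alert.
    {"kind": "Ioctl", "pid": 7732, "device": r"\Device\VendorUpdateDrv", "code": 0x2A0004, "target_pid": 7732},
    # Loader of the flawed driver points a request at the AV engine: alert.
    {"kind": "Ioctl", "pid": 9016, "device": r"\Device\ExampleFlawedDrv", "code": 0x2A0008, "target_pid": 4120},
    # Unknown driver, unknown target process: insufficient context, no alert.
    {"kind": "Ioctl", "pid": 9016, "device": r"\Device\Other", "code": 0x2A0001, "target_pid": 1},
]

if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_EVENTS):
        print("BYOVD-style activity:", alert)
```

Because the rule keys on the loader/IOCTL/target relationship rather than on a driver hash or signer, swapping in a different vulnerable driver does not change the verdict.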

Synthesized by Vypr AI