Security News

Cybersecurity news aggregator

⚔️
MEDIUM Attacks Web Discovery

Blocking BYOVD Techniques to Prevent AV/EDR/XDR Bypasses

  • What: Threat actors are using Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass security controls like AV/EDR/XDR solutions.
  • Impact: Attackers can create a shell, execute malware, and establish persistence by leveraging signed, vulnerable drivers running with kernel-level privileges.

Blocking BYOVD Techniques to Prevent AV/EDR/XDR Bypasses

RESEARCH. Written by Halcyon RISE Team. Published on Jun 11, 2024.

Technically savvy threat actors have long favored vulnerable drivers for bypassing security controls to create a shell, execute malware, and establish persistence. The reason is simple: the drivers are signed with a valid Microsoft certificate and therefore run with kernel-level privileges. Translation: they are really difficult to detect.

In some instances, attackers have been observed installing drivers as kernel-level services by leveraging Microsoft RPC (Remote Procedure Call) instead of the Windows APIs, in order to evade any active API monitoring.

In 2023, a threat actor with the handle Spyboy introduced a Bring Your Own Vulnerable Driver (BYOVD) attack tool dubbed Terminator that could bypass just about every AV/EDR/XDR solution on the market. The tool was made available on Russian cybercrime forums for as little as $300 USD and caused a lot of worry at the time.

Analysis by CrowdStrike revealed that the Terminator tool drops a legitimately signed kernel driver into C:\Windows\System32\, and after the driver is written to disk, the Terminator tool loads it and then leverages the kernel-level privileges to bypass AV and EDR software. Once an attacker has kernel-level access, they can perform all kinds of actions, including launching malware disguised as a legitimate DLL through legitimate Windows Defender binaries.

Old BYOVD Tricks

BYOVD exploits, which leverage flaws in vulnerable drivers to execute code with kernel-level privileges that can bypass security software, are nothing new. North Korean APT Lazarus Group was one of the first to be observed leveraging vulnerable drivers, back in 2021, to blind security tools, and more recently the Cuba and D0nut ransomware gangs were found using vulnerable drivers to kill processes associated with security tools and to capitalize on the kernel-level access to escalate privileges for other actions.

Leading EDR solutions tout their ability to hunt for, detect, and remove vulnerable drivers through various means. This includes using custom rules to detect artifacts associated with known samples of malicious drivers, or to flag them when they are written to disk based on their MD5 value. They can also perform hash searches against a list of known vulnerable driver hashes. But this is all very time-consuming and really unnecessary.

EDR/XDR solutions are not responsible for enforcing secure coding practices; they are important tools for detecting and responding to security incidents, including potential bypass attempts. Their effectiveness in this role depends on how they are integrated into a comprehensive security strategy. It's beneficial that Microsoft offers a simpler and more effective method to defend against the exploitation of vulnerable drivers with kernel-level privileges, even if this solution doesn't receive much media attention.

Microsoft Vulnerable Driver Block List

Microsoft is strict about what code can run at the kernel level, and it has been aware for quite some time that threat actors have exploited vulnerabilities in legitimately signed kernel drivers to execute malware. To combat this, Microsoft works closely with hardware vendors and OEMs to proactively secure drivers, and maintains a regularly updated vulnerable driver blocklist to defend against vulnerable driver exploits. Since 2022, this blocklist has been available and can be enabled through the Windows Security application.

Once activated, the blocklist is even enforced when Smart App Control, S mode, or memory integrity are active. The blocklist is updated several times per year, and Windows Defender Application Control (WDAC) can be used at any time to update to the latest blocklist. Every security team should ensure that Microsoft HVCI or S mode is enabled to protect against infection via vulnerable drivers signed with valid certs. Microsoft also recommends blocking these drivers through Windows Defender Application Control policies. The steps for downloading and applying the Microsoft Vulnerable Driver Blocklist binary are available here and through the Microsoft Download Center.

Running processes aren't shut down when a new WDAC policy is activated without a reboot, so if any vulnerable drivers that should be blocked are already running when the policy is applied, you will need to reboot the device for those drivers to be blocked.

If you have not been proactive about blocking vulnerable drivers in your environment that can facilitate security tool bypasses, you can opt to use your EDR/XDR to hunt for artifacts and then kill the associated driver processes one by one, but that's an overly complicated approach. Every security team should follow Microsoft's advice and simply enable the application blocklist to stay up to date on blocks for vulnerable drivers. Once it is enabled, a simple reboot kills any vulnerable drivers running on the device.

If you have any questions about the how and why of enabling the Microsoft application blocklist, feel free to reach out to a Halcyon expert today and we'll be happy to guide you through the process.
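The following PowerShell script is an added example, not code from the Halcyon post. It performs the checks a defender wants around the procedure above: whether VBS and HVCI (memory integrity) are running, whether the Windows Security vulnerable driver blocklist toggle is on, which kernel drivers are currently loaded (the set that a newly applied WDAC policy cannot unload until the host reboots), and a helper that applies a downloaded enforced blocklist policy using the steps Microsoft documents. Assumptions: the `Win32_DeviceGuard` status codes (`VirtualizationBasedSecurityStatus` 2 = running, `SecurityServicesRunning` containing 2 = HVCI), the `VulnerableDriverBlocklistEnable` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` as the backing for the Windows Security toggle, and `citool.exe` being present on Windows 11 22H2 or later; `$KnownBadSha256` is a constructed placeholder to be replaced with your own vendor or LOLDrivers hash list.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Halcyon post): audit a host's posture against BYOVD and
# optionally apply Microsoft's enforced vulnerable-driver blocklist policy.
# Assumed: Win32_DeviceGuard codes, the VulnerableDriverBlocklistEnable registry value,
# citool.exe on Windows 11 22H2+. $KnownBadSha256 is a constructed placeholder list.

$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder (constructed)
)

function Get-HvciStatus {
    # VirtualizationBasedSecurityStatus: 2 = running. SecurityServicesRunning contains 2 when HVCI is on.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-BlocklistToggle {
    # Reads the Windows Security "Microsoft Vulnerable Driver Blocklist" setting (assumed registry backing).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    if ($null -eq $val) { return 'default (value not set)' }   # OS default applies; say so explicitly
    if ($val -eq 1) { 'enabled' } else { 'disabled' }
}

function Get-RunningDriverReport {
    # Every kernel driver currently loaded, with signer, SHA-256 and a hash-list match.
    # These are exactly the drivers a freshly applied WDAC policy will NOT stop until the host reboots.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths WMI reports (\??\C:\..., \SystemRoot\..., or relative to %windir%)
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:windir\"
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:windir $path }
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStatus = $sig.Status
                Sha256    = $hash
                KnownBad  = ($KnownBadSha256 -contains $hash)
            }
        }
}

function Install-VulnerableDriverBlocklistPolicy {
    # Steps Microsoft documents for the downloaded blocklist: place the enforced policy as
    # SiPolicy.p7b under CodeIntegrity, then refresh (citool on Win11 22H2+) or reboot.
    # Drivers that are already running are only blocked after a reboot, as the post notes.
    param([Parameter(Mandatory)][string] $EnforcedPolicyPath)  # path to the downloaded SiPolicy_Enforced.p7b
    $dest = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
    Copy-Item -LiteralPath $EnforcedPolicyPath -Destination $dest -Force
    $citool = Join-Path $env:windir 'System32\citool.exe'
    if (Test-Path -LiteralPath $citool) {
        & $citool --refresh
        Write-Host 'Policy refreshed. Reboot to unload any vulnerable drivers that are already running.'
    } else {
        Write-Host 'citool.exe not available on this build; reboot to activate the policy.'
    }
}

# --- audit run ---
$hvci = Get-HvciStatus
Write-Host ('VBS running: {0}  HVCI running: {1}' -f $hvci.VbsRunning, $hvci.HvciRunning)
Write-Host ('Vulnerable Driver Blocklist toggle: {0}' -f (Get-BlocklistToggle))
$report = Get-RunningDriverReport
$report | Format-Table Name, SigStatus, KnownBad, Signer -AutoSize
$flagged = $report | Where-Object { $_.KnownBad -or $_.SigStatus -ne 'Valid' }
if ($flagged) {
    Write-Warning 'Loaded drivers needing attention (hash-list match or signature status not Valid):'
    $flagged | Format-List Name, Path, Signer, Sha256
    Write-Warning 'Apply the enforced blocklist policy and reboot; a policy refresh alone leaves these loaded.'
}
```

Run it elevated before and after enabling the blocklist: the driver report taken before the reboot is the list of modules the new policy has not yet touched, which is the gap the post warns about. A hash-list match is the actionable signal; the signature column is informational, since a legitimately Microsoft-signed driver (the BYOVD case) will report `Valid` and is caught only by the blocklist or the hash match.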
Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and maintains the Recent Ransomware Attacks resource site.
