What happened
Threat actors are increasingly exploiting a Windows attack technique known as Bring Your Own Vulnerable Driver (BYOVD), using legitimate but vulnerable drivers to gain kernel‑level access and terminate security processes, and critics say Microsoft’s current defenses, including driver blocklists and legacy compatibility policies, are insufficient to stop this rising threat.Â
Who is affected
Enterprises running Microsoft Windows environments, and the vendors and defenders responsible for endpoint security, are most at risk, as ransomware groups and other adversaries leverage BYOVD attacks to neutralize EDR, AV, and XDR protections before deploying malicious payloads.
Why CISOs should care
BYOVD undermines a core assumption of endpoint security by abusing trusted kernel drivers to disable defenses at the highest privilege level. Traditional protections like Microsoft’s Vulnerable Driver Blocklist are updated infrequently and may not block new or legacy vulnerable drivers, leaving gaps attackers can exploit. This trend increases the likelihood of successful ransomware and evasion campaigns across enterprise networks.
3 practical actions
- Strengthen driver control policies: Implement application whitelisting and strict driver integrity checks to prevent unauthorized or vulnerable drivers from loading.
- Enhance detection and monitoring: Tailor detection tools to flag unusual driver load events and escalations to SYSTEM privileges, and integrate these signals into your SIEM/XDR workflows.Â
- Diversify endpoint defenses: Adopt layered defenses that don’t rely solely on EDR/AV; include network segmentation, privilege management, and regular inventory of drivers to reduce exposure to BYOVD tactics.