BYOVD → kernel-level disable of EDR callbacks
From local admin, install and start a signed but vulnerable driver. Use its arbitrary kernel read/write primitive to locate the kernel's PspCreateProcessNotifyRoutine array (the slots populated by PsSetCreateProcessNotifyRoutine) and overwrite the EDR's entries. The EDR driver stays loaded and 'running', but the kernel no longer calls it for process creation, so it stops receiving events.
§ Context
Assumed environment: a foothold as local admin on a Windows host running a modern EDR. Local admin is enough because it can create and start a kernel-mode service (the token carries SeLoadDriverPrivilege). WDAC and the Microsoft vulnerable-driver blocklist (applied by default on HVCI-enabled systems) are not enforced; Driver Signature Enforcement on its own does not help, since the driver's signature is valid. The attacker brings a known-vulnerable signed driver (mhyprot2.sys, gdrv.sys).
§ Steps
- 01 Local admin shell [Initial Access] T1078 — Valid Accounts
- 02 Install + start vulnerable driver [Defense Evasion] EDR-BYOVD — BYOVD — Bring-Your-Own-Vulnerable-Driver
- 03 Send IOCTL → arbitrary kernel R/W [Execution] T1059 — Command and Scripting Interpreter
- 04 Unlink EDR callbacks [Defense Evasion] EDR-CALLBACK-REMOVE — Kernel Callback Removal
- 05 Dump LSASS — no detection [Credential Access] W-LSASS-PROCDUMP — LSASS via procdump / comsvcs.dll
§ References
§ Frequently asked
- What is the "BYOVD → kernel-level disable of EDR callbacks" attack path?
- From local admin, install and start a signed but vulnerable driver. Use its arbitrary kernel read/write primitive to locate the kernel's PspCreateProcessNotifyRoutine array (the slots populated by PsSetCreateProcessNotifyRoutine) and overwrite the EDR's entries. The EDR driver stays loaded and 'running', but the kernel no longer calls it for process creation, so it stops receiving events. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Local admin shell (T1078), an initial access primitive. Assumed environment: a foothold as local admin on a Windows host with a modern EDR; local admin is what makes the later driver install possible, since creating and starting a kernel-mode service needs it.
- What is the final impact of this kill-chain?
- The decisive step is Unlink EDR callbacks (EDR-CALLBACK-REMOVE), which falls under Defense Evasion: once the EDR's process-creation callbacks are gone, the LSASS dump (W-LSASS-PROCDUMP) produces no sensor telemetry, and the operator typically pivots into post-exploitation or persistence with the harvested credentials. Process-creation callbacks are only one of the families an EDR registers (thread, image-load, object and registry callbacks and minifilters are others), so a thorough operator removes the same driver's entries from each of them, and a defender's integrity check has to cover them all.
- How can defenders detect or prevent this attack?
- Prevention is cheaper than detection here: the Microsoft vulnerable-driver blocklist (on by default when HVCI is enabled) or a WDAC policy stops a known-bad driver before it loads, and the list has to be kept current because the set of abusable signed drivers keeps growing (the LOLDrivers project tracks them). Detection keys on the load rather than on the IOCTLs: a new kernel service (System log event 7045) and a driver load (Sysmon event ID 6, which carries hash and signer) for a driver that has no business on the host, followed by a handle opened to lsass.exe (Sysmon event ID 10) from a process that is not a security product. The EDR itself can periodically verify that the callbacks it registered are still present. For the ATT&CK-mapped steps, see the entries under "References"; each technique lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques: 3
Service account → SYSTEM via named-pipe impersonation
Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.
- Shared techniques: 3
UAC bypass → elevated admin on a workstation
Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt.
- Shared techniques: 2
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- Shared techniques: 2
io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- Shared techniques: 2
Renderer compromise → GPU process → vulnerable kernel driver
After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.
- Shared techniques: 2
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.