EDR-BYOVDDefense Evasion

BYOVD — Bring-Your-Own-Vulnerable-Driver

Load a signed-but-vulnerable kernel driver (mhyprot, gdrv, rwdrv) — kernel-level disable of EDR callbacks (KernelMode unloads).

§ Where this technique fits

EDR-BYOVD is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
step 2 / 5
Renderer compromise → GPU process → vulnerable kernel driver
After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.
step 4 / 5

§ What commonly comes next

01
Command and Scripting Interpreter
T1059 · Execution
seen 1×
02
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

BYOVD → kernel-level disable of EDR callbacks

Renderer compromise → GPU process → vulnerable kernel driver

§ What commonly comes next