BYOVD (Vulnerable Driver) × Microsoft Windows Defender

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Windows Defender

Technique

BYOVD (Vulnerable Driver)

MITRE ATT&CK

T1562.001

Confidence

High

Severity

Critical

Status

in the wild

Disclosed

2024-07-16

Config / version noted

Not stated

Provenance

trustedsec.com
disclosed 2024-07-16 · original source · via exa

Reported as

Killer Ultra malware ... terminates endpoint security tools ... targets Microsoft Defender

Mechanism

Killer Ultra unpacks a vulnerable Zemana driver (amsdk.sys) to disk, creates a service, and uses kernel-level permissions via CVE-2024-1853 to terminate processes of targeted security products. It also performs userland unhooking by overwriting NTDLL from notepad.exe and disables ETW events.

Detection & mitigation

Monitor for service creation (Event ID 7045) loading known vulnerable drivers like amsdk.sys, and alert on process termination of security products by non-system processes. Block vulnerable driver hashes and enforce driver blocklist policies (e.g., WDAC) to prevent loading.

BYOVD (Vulnerable Driver) has also been recorded against

Avast Baidu BattlEye Bitdefender Carbon Black Cortex CrowdStrike Cylance Easy Anti-Cheat EasyAntiCheat Elastic Fortinet

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.