Bypass Record

BYOVD (Vulnerable Driver) × Palo Alto Networks Cortex XDR

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Palo Alto Networks Cortex XDR
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-11-01
Config / version noted: Not stated

Provenance

Reported as

threat actor testing an AV/EDR bypass tool against Cortex XDR ... uses a vulnerable driver to unhook user-mode and kernel-mode callbacks

Mechanism

The bypass tool (disabler.exe) loads a vulnerable driver (wnbios.sys or WN_64.sys) via BYOVD to gain kernel access, then removes EDR hooks in user-mode libraries and kernel-mode callbacks, aiming to disable detection by Cortex XDR.

Detection & mitigation

Monitor for the loading of known vulnerable drivers (e.g., wnbios.sys, WN_64.sys) via Sysmon Event ID 6 (driver loaded) or EDR telemetry, and block these drivers using Windows Defender Application Control or vulnerable driver blocklist policies to prevent kernel tampering.
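As an added example (not from the cited source), a small Python triage routine over constructed Sysmon Event ID 6 records: it flags the two driver names named above, a placeholder SHA256 blocklist, and loads from outside the standard driver directories. The hashes, paths and trusted-directory list are assumptions, not values from the report.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Driver file names named in the report.
KNOWN_VULNERABLE_NAMES = {"wnbios.sys", "wn_64.sys"}
# Placeholder SHA256 blocklist (constructed value; feed from a real blocklist in practice).
BLOCKLISTED_SHA256 = {"0" * 64}
# Directories a properly installed driver normally loads from (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")

def sysmon_driver_event(image, sha256):
    """Build a constructed Sysmon Event ID 6 EventData fragment (test input only)."""
    return (f'<EventData><Data Name="ImageLoaded">{image}</Data>'
            f'<Data Name="Hashes">SHA256={sha256}</Data>'
            '<Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data></EventData>')

def parse_event(xml_text):
    """Return the <Data Name=...> elements of a Sysmon event as a Name -> text dict."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(xml_text).iter("Data")}

def sha256_of(hashes_field):
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex,...'; pull the SHA256 value."""
    for part in hashes_field.split(","):
        alg, _, val = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return val.strip().lower()
    return None

def evaluate(event):
    """Return the reasons a DriverLoad event is suspicious (empty list if none)."""
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    reasons = []
    if path.name.lower() in KNOWN_VULNERABLE_NAMES:
        reasons.append("known vulnerable driver name")
    if sha256_of(event.get("Hashes", "")) in BLOCKLISTED_SHA256:
        reasons.append("hash on blocklist")
    if not str(path.parent).lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from non-standard directory")
    return reasons

def triage(xml_events):
    """Map ImageLoaded -> reasons for every event that raised at least one."""
    return {e["ImageLoaded"]: r for e in map(parse_event, xml_events) if (r := evaluate(e))}

# Constructed sample: a vulnerable driver dropped in a public folder, plus a normal one.
SAMPLE_EVENTS = [sysmon_driver_event("C:\\Users\\Public\\wnbios.sys", "0" * 64),
                 sysmon_driver_event("C:\\Windows\\System32\\drivers\\tcpip.sys", "1" * 64)]

if __name__ == "__main__":
    for image, why in triage(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(why))
```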

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.