Bypass Record

BYOVD (Vulnerable Driver) × CrowdStrike Falcon

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing CrowdStrike Falcon, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
CrowdStrike Falcon
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
poc
Disclosed
2026-04-05
Config / version noted
Not stated

Provenance

Reported as

PoisonX.sys ... can terminate protected processes like CrowdStrike Falcon

Mechanism

The PoisonX.sys driver, signed by Microsoft, contains a dispatch handler for IOCTL 0x22E010 that reads a PID string from user input, converts it to an integer, and calls ZwOpenProcess/ZwTerminateProcess from kernel mode. Because kernel-mode ZwOpenProcess ignores PPL restrictions, it can terminate protected processes like CrowdStrike Falcon. Attackers load the driver via BYOVD, open the device \\.\{F8284233-48F4-4680-ADDD-F8284233}, and send the IOCTL with the target PID.

Detection & mitigation

Monitor for the loading of new or unsigned kernel drivers via Sysmon Event ID 6 (driver load) and Event ID 7 (image load), looking for suspicious metadata (signer, signature status, load path) or known-bad hashes. Block known vulnerable drivers using Windows Defender Application Control (WDAC) or Microsoft's vulnerable driver blocklist to prevent exploitation.
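The following is an added example, not code from the cited source, showing what the Sysmon Event ID 6 triage described above looks like as detection logic: each driver-load record is checked against a vulnerable-driver hash blocklist, its signature fields, and its load path. The event records, the blocklist hash and every file hash in it are constructed placeholders (they are not real hashes of PoisonX.sys or any other driver), and the flattened "Key: value" record layout is an assumption standing in for whatever your log pipeline emits.

```python
"""Triage of Sysmon Event ID 6 (Driver loaded) records for BYOVD indicators.

Added example; not from the record's source. Sample events and hashes are
constructed. In a real deployment BLOCKED_SHA256 would be populated from
Microsoft's recommended driver block rules or your own vulnerable-driver list.
"""
import re

# Constructed placeholder hash standing in for a blocklisted vulnerable driver.
BLOCKED_SHA256 = {
    "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}

# Paths from which signed drivers are normally loaded on a default install.
USUAL_DRIVER_PATHS = ("c:\\windows\\system32\\",)


def parse_hashes(field: str) -> dict:
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def parse_event(text: str) -> dict:
    """Parse a flattened 'Key: value' event body (assumed layout) into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def assess_driver_load(ev: dict) -> list:
    """Return the reasons (possibly none) an Event ID 6 record deserves a look."""
    reasons = []
    if ev.get("EventID") != "6":
        return reasons  # only driver-load events are triaged here
    hashes = parse_hashes(ev.get("Hashes", ""))
    if hashes.get("SHA256") in BLOCKED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("driver not signed")
    elif ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    image = ev.get("ImageLoaded", "").lower()
    if not image.startswith(USUAL_DRIVER_PATHS):
        reasons.append("driver loaded from outside the usual driver directories")
    return reasons


def triage(events: list) -> list:
    """Return (ImageLoaded, reasons) for every event that raised at least one reason."""
    flagged = []
    for text in events:
        ev = parse_event(text)
        reasons = assess_driver_load(ev)
        if reasons:
            flagged.append((ev.get("ImageLoaded", ""), reasons))
    return flagged


# Constructed sample records: one benign load, one blocklisted signed driver
# dropped to a user-writable path, one unsigned driver loaded from a temp dir.
SAMPLE_EVENTS = [
    r"""
    EventID: 6
    ImageLoaded: C:\Windows\System32\drivers\constructed_ok.sys
    Hashes: SHA256=cafe0000cafe0000cafe0000cafe0000cafe0000cafe0000cafe0000cafe0000
    Signed: true
    Signature: Microsoft Windows
    SignatureStatus: Valid
    """,
    r"""
    EventID: 6
    ImageLoaded: C:\Users\Public\constructed_vuln.sys
    Hashes: SHA256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
    Signed: true
    Signature: Constructed Vendor
    SignatureStatus: Valid
    """,
    r"""
    EventID: 6
    ImageLoaded: C:\Temp\constructed_unsigned.sys
    Hashes: SHA256=0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d
    Signed: false
    Signature: -
    SignatureStatus: Unavailable
    """,
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

A valid signature is not sufficient on its own: the second sample is signed and loads successfully, and only the hash match exposes it, which is why the blocklist check runs regardless of the signature fields. Event ID 7 records can be fed through the same path check and blocklist lookup after adjusting the `EventID` test.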

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.