Bypass Record

BYOVD (Vulnerable Driver) × Windows MiniFilter-based EDR drivers (other EDR vendors)

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Windows MiniFilter-based EDR drivers from other EDR vendors, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Windows MiniFilter-based EDR drivers (other EDR vendors)
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
Medium
Severity
High
Status
poc
Disclosed
2024-09-18
Config / version noted
Not stated

Provenance

Reported as

The issue affects multiple EDR vendors

Mechanism

By modifying the registry to assign an EDR driver's Altitude to another MiniFilter that loads earlier, the attacker prevents the EDR driver from registering with the Filter Manager. This blocks kernel callbacks and disables telemetry. The attack requires local admin or system privileges to alter registry settings. A variant using different registry types (e.g., REG_MULTI_SZ) bypassed initial mitigations, but that bypass has since been patched.

Detection & mitigation

Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Services\<driver>\Instances for changes to the 'Altitude' value, especially for known EDR drivers. Alert on unexpected Altitude assignments or conflicts, and enforce integrity checks on driver load order configurations.
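The integrity check described above, written out as an added PowerShell audit script (this is example code added to the record, not from the cited source or any vendor). It walks every `Instances` subkey under `HKLM\SYSTEM\CurrentControlSet\Services`, flags Altitude collisions and Altitude values stored with a non-REG_SZ type, compares named EDR drivers against an expected-altitude baseline, and cross-checks the registry configuration against the filters the Filter Manager actually has loaded via `fltmc filters`. The `$Baseline` table is an empty placeholder to be filled with your vendor's documented driver names and altitudes; the script assumes that the filter name shown by `fltmc` matches the driver's service key name, which holds for the common case but is an assumption.

```powershell
# Added example: audit MiniFilter Altitude configuration for collisions, type
# tampering, baseline drift, and configured-but-not-loaded filters.
# Requires an elevated prompt (fltmc needs admin). Not vendor code.

# Placeholder baseline: driver service name -> expected Altitude (as a string).
# Fill from your EDR vendor's documentation; left empty here on purpose.
$Baseline = @{
    # 'ExampleEdrFilter' = '000000'   # hypothetical entry, replace
}

$ServicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Instances = New-Object System.Collections.Generic.List[object]

# Collect every <driver>\Instances\<instance> key that carries an Altitude value.
Get-ChildItem -Path $ServicesPath -ErrorAction SilentlyContinue | ForEach-Object {
    $driver   = $_.PSChildName
    $instRoot = Join-Path -Path $_.PSPath -ChildPath 'Instances'
    if (-not (Test-Path -Path $instRoot)) { return }

    Get-ChildItem -Path $instRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key = Get-Item -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $key -or -not ($key.GetValueNames() -contains 'Altitude')) { return }

        # Altitude is documented as REG_SZ; any other kind (e.g. REG_MULTI_SZ) is suspect.
        $kind  = $key.GetValueKind('Altitude')
        $value = [string]($key.GetValue('Altitude') -join ',')

        $Instances.Add([pscustomobject]@{
            Driver    = $driver
            Instance  = $_.PSChildName
            Altitude  = $value
            ValueKind = $kind
        })
    }
}

Write-Host ("Found {0} MiniFilter instance definitions" -f $Instances.Count)

# 1. Collisions: two instances configured at the same Altitude. The filter that
#    attaches later loses, which is the failure mode the Mechanism section describes.
$Instances | Group-Object -Property Altitude | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $members = ($_.Group | ForEach-Object { "$($_.Driver)\$($_.Instance)" }) -join ', '
    Write-Warning ("Altitude collision at {0}: {1}" -f $_.Name, $members)
}

# 2. Type tampering: Altitude stored as anything other than REG_SZ ('String').
$Instances | Where-Object { $_.ValueKind -ne 'String' } | ForEach-Object {
    Write-Warning ("Non-REG_SZ Altitude on {0}\{1}: kind={2} value='{3}'" -f
        $_.Driver, $_.Instance, $_.ValueKind, $_.Altitude)
}

# 3. Baseline drift: expected EDR drivers missing or moved to another Altitude.
foreach ($name in $Baseline.Keys) {
    $found = @($Instances | Where-Object { $_.Driver -eq $name })
    if ($found.Count -eq 0) {
        Write-Warning ("Expected filter '{0}' has no Instances key with an Altitude" -f $name)
    }
    elseif (-not ($found.Altitude -contains $Baseline[$name])) {
        Write-Warning ("Filter '{0}' expected at Altitude {1}, configured at {2}" -f
            $name, $Baseline[$name], ($found.Altitude -join ','))
    }
}

# 4. Runtime cross-check: drivers with an Altitude in the registry that the
#    Filter Manager does not report as loaded. Parses 'fltmc filters' rows of the
#    form "<Name> <NumInstances> <Altitude> <Frame>"; assumes filter name == service name.
$Loaded = @{}
& fltmc.exe filters 2>$null | ForEach-Object {
    if ($_ -match '^(\S+)\s+\d+\s+(\d+)\s+\d+\s*$') { $Loaded[$Matches[1]] = $Matches[2] }
}

$Instances | Select-Object -ExpandProperty Driver -Unique | ForEach-Object {
    if (-not $Loaded.ContainsKey($_)) {
        Write-Warning ("Filter '{0}' is configured in the registry but not currently loaded" -f $_)
    }
}
```

Treat the script as a point-in-time integrity check rather than a replacement for event-driven monitoring: a registry-change alert on the paths above catches the modification itself, while this audit catches the resulting state (a collision, an odd value type, or an EDR filter absent from `fltmc` output) on a host where the change was already made. Note that a filter can legitimately be absent from the loaded set when its service is stopped, so item 4 should be correlated with the expected service state before it is treated as an indicator.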

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.