Listen to this Post
Introduction:
Attackers are no longer fighting your security tools with fragile user‑mode exploits. They are loading a single, legitimate‑looking kernel driver that runs with Windows’ highest privileges, then using it to unceremoniously terminate your EDR, your AV, and any process that gets in their way. In April 2026, a campaign dubbed “PoisonX” targeted Japanese organizations using this exact “Bring Your Own Vulnerable Driver” (BYOVD) technique, deploying a signed kernel driver called `PoisonX.sys` that exposes a dangerous IOCTL interface capable of killing arbitrary processes from kernel mode.
Learning Objectives:
– Understand how attackers weaponize legitimate but vulnerable kernel drivers to disable security products.
– Detect and block BYOVD attacks like PoisonX using Windows native tools and PowerShell.
– Implement proactive mitigations including WDAC, driver block rules, and event monitoring.
You Should Know:
1. Unpacking the PoisonX Attack Chain
The PoisonX campaign begins with a deceptively simple spear‑phishing email. The message, impersonating an HR representative, contains a link to a malicious ZIP or RAR archive hosted on Google Cloud Storage. When the user downloads and extracts the archive, they are presented with a decoy file designed to distract them while an LNK shortcut silently executes a downloader. That downloader uses legitimate system tools like `curl.exe` to fetch the final payload: a dropper named “PXDropper”. Once on the system, PXDropper writes two core components to disk:
– `PoisonX.sys` – the signed kernel driver.
– `10FXRAT` (aka PoisonX RAT) – a full‑featured remote access tool.
After dropping both files, the dropper loads `PoisonX.sys` into the kernel. At that moment, the attacker has effectively placed a remote‑controlled kill switch inside the highest‑privilege layer of the operating system.
How the PoisonX Driver Works
After the driver is loaded, a user‑mode component sends a specific IOCTL request (`0x22E010`) along with a target Process ID (PID). The driver receives this request and, operating with kernel privileges, forcibly terminates the target process without any warning or confirmation. The symbolic link used to communicate with the driver has been identified as:
`\\.\{F8284233-48F4-4680-ADDD-F8284233}`
This interface can be used by any process that obtains a handle to the driver’s device object, meaning once the driver is loaded, the attacker (or any malware with sufficient privileges) can kill any process on the system.
Step‑by‑Step: Simulating the Attack (for Testing and Detection Tuning)
> ⚠️ WARNING: The following steps are for educational and defensive tuning purposes only. Do not execute these commands on production systems without explicit authorization.
1. Extract the driver interface – Using a tool like `WinObj.exe` (from Sysinternals), locate the device link.
.\WinObj.exe
Look for the device with the name `\Device\{F8284233-48F4-4680-ADDD-F8284233}`.
2. Load the driver (if not already loaded) – In a real attack, this is done by the malware. For analysis:
sc create PoisonX type=kernel binPath=C:\path\to\PoisonX.sys sc start PoisonX
3. Interact with the driver – A simple C++ snippet that sends a kill command:
HANDLE hDevice = CreateFile(L"\\\\.\\{F8284233-48F4-4680-ADDD-F8284233}",
GENERIC_READ | GENERIC_WRITE,
0, NULL, OPEN_EXISTING, 0, NULL);
DWORD pid = 1234; // target process ID
DWORD bytesReturned;
DeviceIoControl(hDevice, 0x22E010, &pid, sizeof(pid),
NULL, 0, &bytesReturned, NULL);
Detection Techniques
To detect the presence of `PoisonX.sys` or similar malicious drivers:
– List all loaded drivers and check their signatures:
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} |
Where-Object {$_.Message -like 'PoisonX'} |
Format-List
Event ID 7045 logs every new driver service installation.
– Search for the specific device interface:
Get-WmiObject Win32_SystemDriver |
Where-Object {$_.PathName -like 'PoisonX'} |
Select-Object Name, State, PathName
– Monitor for anomalous process termination patterns – If security processes (e.g., `MsMpEng.exe`, `CrowdStrike.exe`) begin terminating unexpectedly, correlate with recent driver load events.
2. Mastering BYOVD Defense: Block, Detect, and Harden
Bring Your Own Vulnerable Driver attacks like PoisonX exploit the simple fact that Windows trusts signed drivers. The attacker doesn’t need to compromise the kernel; they just need to load a driver that already has a vulnerability. In this case, `PoisonX.sys` itself is the vulnerable driver. In other variants of the same campaign, attackers switched to abusing legitimate signed drivers like `EneIo64.sys` (ASUSTeK) and `procexp.sys` (Microsoft).
Step‑by‑Step: Hardening Against BYOVD
1. Implement Windows Defender Application Control (WDAC) – WDAC is the single most effective mitigation. It allows you to create an allow‑list of only the drivers you trust. A block‑list alone is insufficient because attackers constantly rotate vulnerable drivers.
– Generate a baseline policy:
$Rules = New-CIPolicyRule -DriverFilePathRule -Path C:\Windows\System32\drivers\ New-CIPolicy -FilePath C:\WDAC\BaselinePolicy.xml -Rules $Rules
– Convert the XML to binary and deploy:
ConvertFrom-CIPolicy -XmlFilePath C:\WDAC\BaselinePolicy.xml ` -BinaryFilePath C:\WDAC\BaselinePolicy.bin
– Apply the policy using Group Policy or the following command:
Invoke-CimMethod -ClassName Win32_WDAC -MethodName Set -Arguments @{
PolicyBinary = [System.IO.File]::ReadAllBytes('C:\WDAC\BaselinePolicy.bin')
}
2. Enable Hypervisor‑Protected Code Integrity (HVCI) – Also known as Memory Integrity, HVCI runs kernel mode code in a virtualized security context, making it significantly harder for an attacker to exploit a driver after it is loaded.
– Check if HVCI is running:
msinfo32.exe
Look for “Hypervisor‑Protected Code Integrity” near the bottom.
– Enable via Registry:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" ` -1ame "EnableVirtualizationBasedSecurity" -Value 1 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" ` -1ame "Enabled" -Value 1
3. Use PowerShell to Hunt for Suspicious Drivers – Regularly scan your environment for drivers that are known to be abused. This script queries all loaded drivers, checks their signatures, and flags any that match a list of known vulnerable hashes or names:
$KnownBadDrivers = @('PoisonX.sys', 'EneIo64.sys', 'procexp.sys')
Get-WmiObject Win32_SystemDriver | ForEach-Object {
$DriverName = Split-Path $_.PathName -Leaf
if ($KnownBadDrivers -contains $DriverName) {
Write-Host "ALERT: Known bad driver loaded: $DriverName" -ForegroundColor Red
Write-Host "Service: $($_.Name), State: $($_.State)"
}
}
3. The RAT Within: PoisonX RAT (10FXRAT) Analysis
Once the driver has cleared the path, the attacker deploys the `10FXRAT` remote access tool. This RAT is not a simple backdoor; it is a modular, command‑and‑control enabled implant that communicates over HTTP/S and can execute a wide range of commands including file exfiltration, lateral movement, and persistence installation.
The RAT’s components include:
– `usoclient64.exe` – the main loader/RAT executable.
– `dnssd.dll` – a helper library for C2 communication.
– `runtime.bin` – an encrypted payload blob containing the RAT’s configuration and plugins.
Network Detection
The RAT uses HTTP POST requests to send system information and receive commands. Look for outbound HTTP traffic to destinations with low reputation or unusual URI patterns. A YARA rule to detect the RAT’s loader:
rule PoisonX_Loader {
meta:
description = "Detects PoisonX RAT loader binary"
strings:
$a = "usoclient64.exe" wide
$b = "dnssd.dll" wide
$c = { 8B 4D 08 89 0D ?? ?? ?? ?? 8B 45 0C }
condition:
uint16(0) == 0x5A4D and all of them
}
4. Incident Response Playbook: When You Suspect a BYOVD Attack
If you identify a system that may have been compromised via a BYOVD technique like PoisonX, follow this playbook to contain and investigate.
1. Immediately isolate the system from the network.
2. Capture a memory snapshot for later analysis:
.\DumpIt.exe /accepteula
Or use the built‑in `comsvcs.dll`:
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump %PID% C:\temp\memory.dmp full
3. Collect the list of loaded drivers before they can be unloaded or hidden:
driverquery.exe /v /fo csv > suspicious_drivers.csv
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} |
Export-Csv -Path driver_events.csv
4. Check for the presence of the PoisonX device interface using the `WinObj` tool mentioned above.
5. Submit any unknown driver files (`.sys`) to sandboxes like Hybrid Analysis or VirusTotal. Look for the IOCTL control code `0x22E010` in the driver’s import or export tables.
6. Block all outbound traffic from the system except to authorized forensic collection points. Use `netsh` to temporarily enforce a block:
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
5. Hardening the Cloud: Defending EDR and AV from Kernel‑Level Attacks
The PoisonX campaign targets on‑premises endpoints, but the same BYOVD principles can be applied to cloud‑hosted virtual machines (VMs) running Windows. In fact, many security tools in cloud environments run with reduced kernel visibility, making them even more vulnerable to driver‑based attacks.
API Security for EDR Telemetry
Modern EDRs rely on kernel callbacks to monitor process creation, file writes, and registry changes. A driver like `PoisonX.sys` can, with the right IOCTL, deregister those callbacks from the kernel’s `PsSetCreateProcessNotifyRoutineEx` list, effectively blinding the EDR. This is a form of “EDR killing” that operates entirely in Ring 0.
Cloud Hardening Steps
– Use Azure Policy or AWS Systems Manager to enforce the same WDAC and HVCI policies described above across all Windows VMs.
– Employ virtualization‑based security features available in major cloud providers. For example, Azure’s “Trusted Launch” feature enables VBS and HVCI by default.
– Monitor CloudTrail or Azure Activity Logs for events indicating that a driver was loaded on a sensitive compute instance. Correlate those events with subsequent security product failures.
What Undercode Say:
– Key Takeaway 1 – The PoisonX driver is a stark reminder that signed does not mean safe. Attackers are moving away from creating their own malicious drivers and instead weaponizing legitimate, signed drivers that are already trusted by Windows.
– Key Takeaway 2 – BYOVD attacks are not theoretical; they are actively used in espionage and ransomware campaigns. The only reliable defense is a combination of WDAC allow‑listing, HVCI, and continuous monitoring of driver load events.
Expected Output:
The PoisonX campaign demonstrates a sophisticated yet straightforward attack chain: a phishing email, a dropper, a signed vulnerable driver, and a RAT. The use of a signed kernel driver allows the attacker to bypass most user‑mode detection mechanisms and directly manipulate the kernel. Defenders must shift from reactive signature‑based detection to proactive allow‑listing of drivers and enforce virtualization‑based security features. Without these measures, any system can be reduced to a sitting duck by a single malicious driver file.
Prediction:
– -1 More Driver‑Based Attacks Across All Sectors – The PoisonX campaign is not an isolated incident. In May 2026, the same attackers shifted to using two other legitimate drivers (`EneIo64.sys` and `procexp.sys`). As offensive tooling becomes commoditized, we will see a dramatic increase in BYOVD attacks targeting not just Japan, but organizations worldwide.
– -1 Security Vendor Response Will Lag – EDR vendors will continue to rely on blacklisting specific drivers, a whack‑a‑mole game that attackers can win by simply switching to a different vulnerable driver. Without industry‑wide adoption of WDAC and HVCI, most organizations will remain vulnerable.
– +1 Regulatory Push for Kernel Hardening – Expect regulations (e.g., new NIST guidelines or EU cyber directives) to explicitly require memory integrity and driver allow‑listing on all Windows systems handling sensitive data. This will force even the most conservative enterprises to finally adopt these long‑available security features.
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Jamie Williams](https://www.linkedin.com/posts/jamie-williams-108369190_maldevs-dont-want-you-to-know-about-this-share-7469745579649064961-727G/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
