A new method of exploiting the “Bring Your Own Vulnerable Driver” (BYOVD) technique has emerged, combining it with Windows symbolic links to elevate its effectiveness.
This approach abuses drivers that merely have file-writing capability, so attackers no longer depend on the shrinking pool of known-vulnerable drivers that Microsoft’s blocklist has not yet caught up with.
The BYOVD technique involves attackers leveraging legitimate but vulnerable drivers to gain kernel-level access, bypassing security measures like Endpoint Detection and Response (EDR) tools.
Historically, this method required identifying exploitable drivers not yet included in Microsoft’s blocklist. However, as Microsoft continuously updates the blocklist, the pool of exploitable drivers has diminished.
This limitation has driven attackers to innovate by combining BYOVD with symbolic link exploitation.
Symbolic links in Windows act as advanced shortcuts that redirect file or directory access to another location. Attackers exploit this mechanism by linking a driver’s file-writing output to critical system files, such as EDR service executables.
This approach allows attackers to overwrite or destroy these files without directly terminating the associated processes.
In this proof-of-concept attack, Process Monitor’s driver is exploited to disable Windows Defender on Windows 11 (Version 24H2).
1. Identify drivers with file-writing capabilities: Attackers search for drivers that invoke APIs like ZwWriteFile during their operations.
2. Reverse engineer target drivers: Debugging or reverse engineering is used to identify the file paths written by these drivers.
3. Register a kernel service: The attacker registers a service for the driver in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder. By assigning the service to a high-priority group (e.g., “FSFilter Activity Monitor”), the attacker ensures the driver loads before EDR services.
4. Create a symbolic link: Using the mklink command, a symbolic link is created from the driver’s output file to the target EDR service executable.
5. Reboot the system: Upon reboot, the driver overwrites the linked EDR executable file, effectively disabling it.
“The Antimalware Service Executable file has been destroyed because PROCMON24 has overwritten its contents. Checking in the Service Manager, WinDefend no longer has the ‘Running’ status,” reports Zero Salarium.
This attack method significantly expands the scope of BYOVD by enabling the exploitation of any driver with file-writing capabilities, not just those with known vulnerabilities. Since file writing is a legitimate driver function, identifying and blocking all potential drivers becomes impractical.
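As an added example (not from the article or from Zero Salarium’s research), the following Python sketches detection logic for this chain over constructed Sysmon-style events: a driver service assigned to an FSFilter load group (registry value set, Event ID 13) is correlated with an mklink invocation (Event ID 1) whose target sits under the EDR install directory. The protected directory, the group names and the sample event records are assumptions for illustration; adjust them to the EDR in use.

```python
"""Detect the BYOVD + symbolic-link chain from Sysmon-style events (added example)."""
import re
import shlex
from collections import defaultdict

# Assumed values, not from the article: adjust to your EDR vendor's install path.
PROTECTED_DIRS = [r"c:\programdata\microsoft\windows defender"]
FSFILTER_GROUPS = {"fsfilter activity monitor", "fsfilter anti-virus"}
SERVICE_GROUP_RE = re.compile(r"\\services\\([^\\]+)\\group$")

# Constructed sample events (EventID 13 = registry value set, EventID 1 = process create).
EVENTS = [
    {"EventID": 13, "Host": "WS01", "Details": "FSFilter Activity Monitor",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\PROCMON24\Group"},
    {"EventID": 1, "Host": "WS01", "CommandLine": r'cmd.exe /c mklink "C:\Windows\Temp\procmon.out" '
     r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"'},  # constructed path
    {"EventID": 1, "Host": "WS02", "CommandLine": r"cmd.exe /c mklink /D C:\data C:\shares\data"},
]


def mklink_target(cmdline):
    """Return (link, target) from a cmd.exe mklink command line, or None if not one."""
    try:
        toks = shlex.split(cmdline, posix=False)  # non-posix keeps backslashes intact
    except ValueError:  # unbalanced quotes
        return None
    low = [t.lower() for t in toks]
    if "mklink" not in low:
        return None
    # Drop switches such as /D /H /J, strip quotes from the remaining link/target pair.
    args = [t.strip('"') for t in toks[low.index("mklink") + 1:] if not t.startswith("/")]
    return (args[0], args[1]) if len(args) == 2 else None


def under_protected(path):
    """True when the path lies inside one of the protected EDR directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in PROTECTED_DIRS)


def analyze(events):
    """Per host: both signals -> HIGH, a single signal -> MEDIUM, none -> not reported."""
    signals = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 13:
            obj = ev["TargetObject"].lower()
            in_group = SERVICE_GROUP_RE.search(obj) and ev["Details"].lower() in FSFILTER_GROUPS
            if in_group or r"\control\servicegrouporder" in obj:
                signals[ev["Host"]].add("early_load_service")
        elif ev["EventID"] == 1:
            lt = mklink_target(ev["CommandLine"])
            if lt and under_protected(lt[1]):
                signals[ev["Host"]].add("symlink_to_edr")
    return {h: ("HIGH" if len(s) == 2 else "MEDIUM") for h, s in signals.items()}
```

In production the two signals should additionally be bounded by a time window and the service's ImagePath checked against a driver allowlist.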