54 EDR Killers Use BYOVD to Exploit 34 Signed Vulnerable Drivers and Disable Security

Summary

A recent analysis found that 54 EDR killer programs rely on a technique called BYOVD (Bring Your Own Vulnerable Driver), abusing 34 signed but vulnerable drivers to bypass security measures. Ransomware attackers frequently run these EDR killers to disable security software before deploying their payloads.

IFF Assessment

FOE

The proliferation of EDR killers utilizing BYOVD techniques directly undermines defensive security tools, making it easier for attackers to achieve their objectives.

Defender Context

Defenders need to be aware of the BYOVD technique and of the growing number of EDR killers that rely on it. Monitoring driver loads for known vulnerable drivers and enforcing stricter driver signing policies can help mitigate this threat.
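The monitoring half of that advice comes down to one decision: a kernel driver load is judged by the driver file's hash against a list of known vulnerable drivers, not by whether its signature is valid, because a BYOVD driver is legitimately signed by design. The script below is an added illustration, not code from the analysis summarized here. It assumes Sysmon Event ID 6 (DriverLoad) records exported as XML and a SHA256 blocklist of the kind a public vulnerable-driver feed supplies; the events, vendor names, paths and hashes are all constructed (the hashes are derived from labelled dummy bytes, not real driver IoCs).

```python
"""Flag kernel driver loads whose file hash is on a known-vulnerable-driver list.

Added example (not the analysis's own code). Assumes Sysmon Event ID 6 XML
as input; every event, path, signer and hash below is constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON_DRIVER_LOAD = "6"  # Sysmon Event ID 6: DriverLoad

# Constructed stand-ins: a real blocklist holds the SHA256 of actual driver
# files; these are hashes of labelled dummy bytes so no real IoC is implied.
VULN_DRIVER_SHA256 = hashlib.sha256(b"constructed vulnerable driver").hexdigest()
BENIGN_DRIVER_SHA256 = hashlib.sha256(b"constructed benign driver").hexdigest()

# SHA256 -> note, shaped like an entry from a vulnerable-driver feed (constructed).
BLOCKLIST = {
    VULN_DRIVER_SHA256: "constructed entry: signed driver with a known kernel primitive",
}


def make_driver_load_event(image, sha256, signed, signature, status="Valid"):
    """Build a minimal Sysmon Event ID 6 record in exported-XML form (constructed)."""
    return (
        f'<Event xmlns="{EVT_NS["e"]}">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>{SYSMON_DRIVER_LOAD}</EventID></System>"
        "<EventData>"
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        f'<Data Name="Signed">{signed}</Data>'
        f'<Data Name="Signature">{signature}</Data>'
        f'<Data Name="SignatureStatus">{status}</Data>'
        "</EventData></Event>"
    )


def parse_driver_event(xml_text):
    """Return the DriverLoad fields needed for the check, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != SYSMON_DRIVER_LOAD:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    # Sysmon's Hashes field is "ALG=hex,ALG=hex,..."; pick out SHA256.
    hashes = dict(p.split("=", 1) for p in data.get("Hashes", "").split(",") if "=" in p)
    return {
        "image": data.get("ImageLoaded", ""),
        "sha256": hashes.get("SHA256", "").lower(),
        "signed": data.get("Signed", "").lower(),
        "signature": data.get("Signature", ""),
        "status": data.get("SignatureStatus", ""),
    }


def find_byovd_candidates(events, blocklist):
    """Flag driver loads whose SHA256 is on the vulnerable-driver list.

    A valid signature is deliberately not treated as exculpatory: BYOVD drivers
    are properly signed, so the verdict rests on the file hash alone.
    """
    findings = []
    for xml_text in events:
        ev = parse_driver_event(xml_text)
        if ev is None:
            continue
        note = blocklist.get(ev["sha256"])
        if note is not None:
            findings.append({**ev, "reason": note})
    return findings


# Constructed sample telemetry: one benign signed driver, one signed driver on
# the blocklist, and one non-driver event the parser must skip.
SAMPLE_EVENTS = [
    make_driver_load_event(r"C:\Windows\System32\drivers\constructed_benign.sys",
                           BENIGN_DRIVER_SHA256, "true", "Constructed Vendor A"),
    make_driver_load_event(r"C:\Users\Public\constructed_vuln.sys",
                           VULN_DRIVER_SHA256, "true", "Constructed Vendor B"),
    f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>1</EventID></System>'
    "<EventData/></Event>",
]

if __name__ == "__main__":
    for hit in find_byovd_candidates(SAMPLE_EVENTS, BLOCKLIST):
        print(f"BYOVD candidate: {hit['image']} signed={hit['signed']} "
              f"({hit['signature']}, {hit['status']}) -> {hit['reason']}")
```

Only the blocklisted driver is reported, even though both drivers carry a valid signature; that is the property a BYOVD detection must have. For the policy half, the same hash-based thinking applies: Windows ships a Microsoft-maintained vulnerable driver blocklist that can be enforced through WDAC/HVCI, which blocks known-bad signed drivers at load time instead of trusting any valid signature.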
