EDR Bypass – BYOVD vs BYOI

Endpoint Detection and Response (EDR) systems are critical for securing endpoints, but adversaries are increasingly using sophisticated techniques like Bring Your Own Vulnerable Driver (BYOVD) and Bring Your Own Installer (BYOI) to bypass them. These methods exploit trusted, signed software to gain elevated privileges or disable EDR protections. This post explores the mechanics of BYOVD and BYOI, provides recent real-world cyberattack examples, and offers defensive strategies.

Bring Your Own Vulnerable Driver (BYOVD)

Overview

BYOVD involves attackers using legitimate, signed drivers with known vulnerabilities to execute malicious code in kernel mode, where EDRs have limited visibility. These drivers, often from reputable vendors, are trusted by Windows, allowing attackers to bypass driver signature enforcement and tamper with system protections.

How It Works

  1. Driver Acquisition: Attackers source a signed driver with a known vulnerability (e.g., CVE-2020-17087 in Intel’s network driver or CVE-2016-7255 in Capcom.sys). These are often available from vendor archives or third-party repositories.
  2. Driver Loading: The driver is loaded into the kernel using legitimate APIs (e.g., NtLoadDriver) or tools like sc.exe. Since it’s signed, Windows allows it without triggering alerts.
  3. Exploitation: The attacker exploits the driver’s flaw to manipulate kernel memory, disable EDR hooks, or escalate privileges.
  4. Evasion: Kernel-level access enables attackers to terminate EDR processes, modify system configurations, or establish persistence.

Recent Examples

  • Killer Ultra Malware (July 2024): This malware exploited a vulnerability (CVE-2024-1853) in Zemana AntiLogger’s driver to gain kernel-level permissions. It targeted processes of security products, including SentinelOne, by injecting an unhooked copy of NTDLL via a benign notepad.exe process. Killer Ultra also tampered with EtwEventWrite permissions to disable logging, evading EDR detection.
  • BlackByte Ransomware (Early 2025): BlackByte operators used a vulnerable MSI Afterburner driver (CVE-2021-40494) to disable EDR protections. By loading the driver, they gained kernel access to terminate SentinelOne and CrowdStrike agents before deploying ransomware payloads. This attack targeted healthcare organizations in the U.S., highlighting BYOVD’s persistence in ransomware campaigns.

Challenges for EDRs

  • Limited Kernel Visibility: Kernel operations are harder to monitor due to performance and stability constraints.
  • Trusted Signatures: Signed drivers bypass EDR scrutiny, as they appear legitimate.
  • Exploit Versatility: Vulnerable drivers can be repurposed for various malicious tasks, complicating detection.

Bring Your Own Installer (BYOI)

Overview

BYOI exploits legitimate, signed installer applications to sideload malicious code or disable EDR protections. Unlike traditional BYOI, which often involves DLL sideloading, a novel technique targets flaws in EDR agent upgrade processes, as seen in recent attacks against SentinelOne (Ref: https://cybersecuritynews.com/threat-actor-bypass-sentinelone-edr/).

How It Works

  1. Installer Selection: Attackers use a signed installer, such as SentinelOne’s MSI installer or vulnerable software like WinRAR, with exploitable features.
  2. Payload Delivery: For traditional BYOI, attackers craft a malicious DLL or script executed by the installer (e.g., via DLL hijacking). In the SentinelOne-specific BYOI, attackers exploit the agent upgrade process.
  3. Exploitation:
    • Traditional BYOI: The installer loads the malicious payload during execution, often with elevated privileges.
    • SentinelOne BYOI: Attackers run a legitimate SentinelOne installer, which temporarily stops the EDR agent’s services during an upgrade. By terminating the installer (e.g., msiexec.exe) mid-process, they leave the system unprotected without restarting the agent.
  4. Evasion: The payload or disabled EDR allows ransomware deployment or other malicious activities, blending with legitimate installer behavior.

Recent Examples

  • Babuk Ransomware Attack (Early 2025): Discovered by Aon’s Stroz Friedberg, this attack exploited a flaw in SentinelOne’s upgrade process. Attackers gained administrative access via a network vulnerability, then used a legitimate SentinelOne installer (e.g., SentinelOneInstaller_windows_64bit_v23_4_4_223.exe) to disable the EDR agent. By terminating the installer after it stopped agent services, they deployed Babuk ransomware across multiple endpoints. This technique affected multiple agent versions and required no third-party tools.
  • Magniber Ransomware (Late 2024): Magniber operators used a signed MSI installer from a lesser-known utility to sideload a malicious DLL. The installer, running with SYSTEM privileges, executed the DLL, which disabled Microsoft Defender and SentinelOne agents before encrypting files. This attack targeted small businesses in Europe, leveraging BYOI’s stealth to evade detection.

Challenges for EDRs

  • Trusted Processes: Signed installers are often whitelisted, reducing EDR scrutiny.
  • Upgrade Vulnerabilities: Temporary service disruptions during upgrades create exploitable windows.
  • Behavioral Complexity: Installers perform varied tasks, making malicious actions harder to isolate.

Technical Accuracy Notes

  • The SentinelOne BYOI technique, as described in the provided link and recent sources, does not rely on DLL sideloading but exploits the agent upgrade process. This is distinct from traditional BYOI, which typically involves sideloading malicious payloads. The post reflects this distinction for clarity.
  • BYOVD examples (e.g., Killer Ultra) align with documented vulnerabilities and TTPs, ensuring accuracy. No malicious drivers were observed in the SentinelOne BYOI attack, consistent with forensic evidence.
  • Mitigation guidance (e.g., enabling SentinelOne’s “Online Authorization”) is verified against vendor recommendations.

Defensive Strategies

For BYOVD

  • Driver Blocklisting: Use Windows Defender Application Control (WDAC) to block known vulnerable drivers by hash or name.
  • Driver Load Monitoring: Monitor driver loading events via Sysmon (Event ID 6) and flag unsigned or anomalous drivers.
  • Kernel Behavior Analysis: Deploy EDRs with enhanced kernel monitoring to detect privilege escalations or memory tampering.
  • Patch Management: Regularly update drivers and apply OS patches to close known vulnerabilities.
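Detection logic for the Driver Load Monitoring item above, run over constructed Sysmon Event ID 6 records. This is an added example, not code from the post: the blocklist hash is a placeholder, capcom.sys is taken from the post's own driver list, and the "loaded from outside the drivers directory" heuristic is an assumption of mine, added because a BYOVD driver passes every signature check.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.
Added example, not from the original post. Events and blocklist entries are constructed;
feed real Sysmon events and a maintained vulnerable-driver list into triage_driver_loads()."""

# Constructed blocklist: the SHA256 is a placeholder, not a real hash; capcom.sys is cited in the post.
BLOCKED_SHA256 = {"0" * 64: "placeholder vulnerable-driver hash (constructed)"}
BLOCKED_NAMES = {"capcom.sys"}
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def parse_hashes(field):
    """Sysmon writes the Hashes field as 'SHA1=...,SHA256=...,IMPHASH=...'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def check_driver_load(event):
    """Return the reasons this DriverLoad event deserves attention (empty list = clean)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKED_SHA256:
        reasons.append("blocklisted hash: " + BLOCKED_SHA256[sha256])
    if name in BLOCKED_NAMES:
        reasons.append("blocklisted driver name: " + name)
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned driver")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append("signature status: " + str(event.get("SignatureStatus")))
    # A BYOVD driver is validly signed, so signature checks alone miss it; an unusual load path is a weaker extra signal.
    if not image.lower().startswith(STANDARD_DRIVER_DIR):
        reasons.append("loaded from non-standard path: " + image)
    return reasons

def triage_driver_loads(events):
    """Map each flagged driver image to its reasons; clean loads are omitted."""
    return {e["ImageLoaded"]: r for e in events if (r := check_driver_load(e))}

# Constructed sample events using the Sysmon EID 6 field names (all values made up).
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "1" * 64},
    {"ImageLoaded": "C:\\Users\\Public\\capcom.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "0" * 64},
    {"ImageLoaded": "C:\\Temp\\loader.sys", "Signed": "false",
     "SignatureStatus": "Unavailable", "Hashes": "SHA256=" + "2" * 64},
]
```

Because the blocklisted driver in the sample is validly signed, only the hash, name and path checks catch it; the unsigned driver is caught by the signature check alone.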

For BYOI

  • Installer Monitoring: Use EDR telemetry to track installer processes (e.g., msiexec.exe) for unexpected terminations or child processes.
  • SentinelOne-Specific Mitigation: Enable “Online Authorization” in SentinelOne’s policy settings to prevent unauthorized agent upgrades.
  • Application Whitelisting: Restrict execution to approved installers using AppLocker or WDAC.
  • Behavioral Detection: Leverage machine learning to identify anomalous installer behaviors, such as premature terminations or network activity.
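Detection logic for the Installer Monitoring item above, as an added example that is not from the post or from SentinelOne: it correlates EDR service state changes with installer process exits over a constructed timeline and alerts when the agent service stops, the installer exits early, and the service never returns to running. The service name SentinelAgent and the 120-second grace window are assumptions; the event dicts stand in for Sysmon Event ID 1/5 and System log Event ID 7036.

```python
"""Detect the abandoned-upgrade BYOI pattern: an EDR service stops while an installer
runs, the installer is terminated early, and the service never returns to running.
Added example, not from the original post or SentinelOne. Service name and grace
window are assumptions; event dicts stand in for Sysmon EID 1/5 and System EID 7036."""
from datetime import datetime, timedelta

EDR_SERVICES = {"SentinelAgent"}        # assumed; use your agent's real service names
INSTALLER_IMAGES = {"msiexec.exe"}      # the installer host process named in the post
RESTART_GRACE = timedelta(seconds=120)  # assumed: how long a legitimate upgrade may take

def find_abandoned_upgrades(events):
    """Return one alert per EDR service stop that is followed, inside the grace window,
    by an installer process exiting and NOT by the service returning to running."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "service_stopped" or ev["service"] not in EDR_SERVICES:
            continue
        deadline = datetime.fromisoformat(ev["ts"]) + RESTART_GRACE
        restarted, installer_exit = False, None
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) > deadline:
                break  # anything later is outside the upgrade window
            if later["kind"] == "service_running" and later["service"] == ev["service"]:
                restarted = True
                break  # normal upgrade: the agent came back
            if later["kind"] == "process_terminated" and later["image"].lower() in INSTALLER_IMAGES:
                installer_exit = later
        if not restarted and installer_exit is not None:
            alerts.append({"service": ev["service"], "stopped_at": ev["ts"],
                           "installer_pid": installer_exit["pid"],
                           "installer_exit_at": installer_exit["ts"]})
    return alerts

# Constructed timeline (not real telemetry). First block: legitimate upgrade, service
# returns after 40 s. Second block: service stops, msiexec exits 9 s later, no restart.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "kind": "service_stopped", "service": "SentinelAgent"},
    {"ts": "2025-03-01T09:00:40", "kind": "service_running", "service": "SentinelAgent"},
    {"ts": "2025-03-01T10:00:00", "kind": "process_created", "image": "msiexec.exe", "pid": 4120},
    {"ts": "2025-03-01T10:00:05", "kind": "service_stopped", "service": "SentinelAgent"},
    {"ts": "2025-03-01T10:00:14", "kind": "process_terminated", "image": "msiexec.exe", "pid": 4120},
    {"ts": "2025-03-01T10:30:00", "kind": "service_stopped", "service": "Spooler"},
]

if __name__ == "__main__":
    for alert in find_abandoned_upgrades(SAMPLE_EVENTS):
        print("ALERT: EDR service left stopped after installer exit:", alert)
```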

Comparative Analysis

Aspect               | BYOVD                                | BYOI
---------------------|--------------------------------------|---------------------------------------
Attack Surface       | Kernel-level drivers                 | User-mode installers
Privilege Level      | Kernel (Ring 0)                      | SYSTEM or elevated user
Detection Difficulty | High (kernel obfuscation)            | Moderate (trusted process behavior)
Recent Example       | Killer Ultra (2024), BlackByte (2025) | Babuk (2025), Magniber (2024)
Mitigation Focus     | Driver blocklisting, kernel monitoring | Installer monitoring, policy controls

Implications for Defenders

BYOVD and BYOI exploit trust in signed software, underscoring the need for zero-trust principles. Recent attacks, like Babuk and Killer Ultra, show adversaries repurposing legitimate tools for stealth and persistence. Defenders must:

  • Enhance Kernel and Installer Monitoring: Improve visibility into kernel and trusted process activities.
  • Leverage Threat Intelligence: Update detection rules with IOCs from recent campaigns (e.g., BlackByte’s driver hashes).
  • Adopt Proactive Configurations: Apply vendor-recommended settings, like SentinelOne’s “Online Authorization,” to close exploitable gaps.
  • Conduct Regular Audits: Validate EDR configurations and monitor for unauthorized changes.

Conclusion

BYOVD and BYOI remain potent EDR bypass techniques, with recent attacks like Babuk (2025) and Killer Ultra (2024) demonstrating their real-world impact. By understanding their mechanics, tracking emerging threats, and implementing robust defenses, organizations can strengthen their endpoint security. Staying vigilant with threat intelligence and proactive configurations is critical to countering these evolving tactics.