www.darkreading.com 4/14/2026, 9:21:20 PM · via preferred

EDR Killers Surge as Ransomware’s New Kernel Level Weapon

PART 2 in a series on BYOVD threats shows EDR killers moving from a rarity to a central component of ransomware campaigns, with security teams struggling to respond. Over the past year, researchers have documented an expanding ecosystem of BYOVD tools that disable EDR and other detection agents. The technique behind most EDR killers is the same: load a legitimately signed but vulnerable driver, exploit it to execute code with Windows kernel privileges, and from there terminate or blind the security software that user-mode malware could not touch.

In a recent report, ESET researchers documented nearly 90 unique EDR killers. Despite the widespread availability of proof-of-concept code and of underground marketplaces selling such tools, only a small number of vulnerable drivers are actually exploited in practice: 35 distinct vulnerable drivers were found being abused across the killers.

The landscape is further complicated by more than 2,500 distinct variants of a legacy driver called Truesight[.]sys, all of which still carry a valid signature because of weaknesses in digital signature validation. Since each variant has a different file hash, hash-only blocklists fall behind, which drives the need for broader driver blacklists and layered defences.

Microsoft has started removing trust for cross-signed kernel drivers, but the evaluation mode that precedes enforcement delays the effect and may leave organisations in limbo. According to ESET researchers, 430 vulnerable drivers, about 21% of those tracked, remain loadable on systems with HVCI enabled, so HVCI alone does not keep these drivers out of the kernel; the figure underscores the challenge of keeping attackers out of the kernel.
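As an added example (not from the Dark Reading article or from ESET's report), the following PowerShell script checks on the host it runs on the two things the paragraphs above turn on: whether virtualization-based security and HVCI (memory integrity) are running and whether Microsoft's vulnerable driver blocklist is forced on, and which kernel drivers are currently loaded, with their signer and SHA-256 hash, so they can be compared against a blocklist. The CIM class, property values and registry value used are Microsoft's documented ones; the hash list is a placeholder you populate from your own blocklist source, and the single hash in it is made up. Run it in an elevated PowerShell session.

```powershell
# Added example: BYOVD exposure check for a single Windows host.
# Not code from the article or from ESET; assumptions are noted inline.

# Placeholder: SHA-256 hashes of drivers you want flagged (e.g. from Microsoft's
# vulnerable driver blocklist or your own intel). The value below is made up.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

# --- 1. VBS / HVCI status -------------------------------------------------------
# Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = enabled and running;
# SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)

# --- 2. Microsoft vulnerable driver blocklist ----------------------------------
# VulnerableDriverBlocklistEnable = 1 forces the blocklist on. When HVCI is running the
# blocklist is enforced by default, so a missing value is not proof that it is off.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklistValue = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                      -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$blocklistForcedOn = ($blocklistValue -eq 1)

"VBS running: $vbsRunning | HVCI running: $hvciRunning | Blocklist forced on: $blocklistForcedOn"

# --- 3. Inventory of running kernel drivers: path, signer, hash ----------------
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may be a plain path, a \??\C:\... NT path, or \SystemRoot\...; normalise it.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Name       = $d.Name
        Path       = $path
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SigStatus  = $sig.Status
        Sha256     = $hash
        OnHashList = ($KnownBadSha256 -contains $hash)
    }
}

# Flagged drivers first, then everything else grouped by signer for manual review.
$report | Sort-Object @{Expression = 'OnHashList'; Descending = $true}, Signer |
          Format-Table Name, Signer, SigStatus, OnHashList -AutoSize

# Anything that matched the hash list is a live BYOVD indicator on this host.
$report | Where-Object OnHashList | Select-Object Name, Path, Sha256
```

Two caveats when reading the output. First, a driver signed through WHQL carries a Microsoft publisher certificate as its subject, so the Signer column alone does not separate third-party drivers from Windows' own; the hash match and the blocklist status are the reliable signals. Second, a hash match is only as good as the list you supply: as the Truesight[.]sys variants show, one vulnerable driver can exist as thousands of hashes, so a hash-only list needs to be complemented by signer or file-version based rules and by HVCI and the blocklist being actually enforced rather than in evaluation mode.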


Article by CyberSIXT
