EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses
Stopping EDR killers, which employ bring-your-own-vulnerable-driver (BYOVD) attack techniques, is difficult, but not impossible.
Rob Wright, Senior News Director, Dark Reading
April 14, 2026
8 Min Read
Part 2 in a series on BYOVD threats. You can read Part 1 here.
EDR killers, once a rarity in the threat landscape, are now linchpins of perplexing ransomware attacks, leaving enterprise security teams scrambling for answers.
Over the past year, security researchers have observed an expansion of the ecosystem around these tools, which can disable endpoint detection and response (EDR) platforms and other threat detection products in a targeted environment. EDR killers typically accomplish this through a technique known as bring-your-own-vulnerable-driver (BYOVD), which abuses legitimate software drivers with Windows kernel access to terminate security processes.
The growth of BYOVD and the commercialization of EDR killers, which have become a favorite among ransomware groups, have alarmed vendors and researchers and put Microsoft between a rock and a hard place. While only a small number of vulnerable drivers are actually abused by these EDR killers, blocking them can cause applications and Windows systems to crash.
Security teams face a precarious situation: ransomware actors can defeat core components of their defenses without warning and shut down their networks, but preemptively blocking these vulnerable drivers could also cause significant disruptions.
Peter Morgan, vice president of research at Halcyon, tells Dark Reading that vulnerable drivers have created yet another lopsided arms race for cybersecurity. Instead of investing time and money into finding vulnerabilities in EDR platforms to hack them directly, threat actors can easily acquire one of many EDR killers.
"For the immediate future, I think the kernel driver space is going to be the sweet spot for them," Morgan says.
Few Vulnerable Drivers, Many EDR Killers
In a recent report, ESET researchers documented nearly 90 unique EDR killers, most of which use the BYOVD technique (some newer, alternative EDR killers use scripts or anti-rootkit technology instead). The tools are readily available from underground marketplaces and public proof-of-concept (PoC) exploits, and have become "plug-and-play" components.
Jakub Souček, senior malware researcher at ESET and author of the report, tells Dark Reading there's a "huge market" for EDR killers, and it's fairly easy to explain to ransomware affiliates how to use the tools to temporarily disable defenses before deploying encryptors. "Even if it's only a few hours of a window, it may still be enough for them to encrypt a serious part of the network," Souček says.
The loading screen (left) and GUI of an EDR killer called "Susanoo." Source: ESET
On the bright side, the threat landscape isn't awash with thousands of malicious drivers, because exploiting them for EDR killers requires some expertise; in fact, ESET researchers found just 35 vulnerable drivers being abused among the many EDR killers. Unfortunately, other factors make it difficult for security teams to identify and block these drivers.
As Souček noted in his blog post, threat actors created more than 2,500 distinct variants of a legacy driver called Truesight.sys. And yet, all of them remain valid due to a weakness in the digital signature validation process.
Threat actors can change a few bytes in the binary of a vulnerable driver to create new hashes without jeopardizing the validity of its original digital signature, Souček says. So instead of looking for one or two hashes for the vulnerable Truesight.sys driver, security systems and driver block lists must account for 2,500 hashes — all of which are signed.
And even if digital certificates are revoked, Windows will still load the drivers because of a gap in Microsoft's Driver Signature Enforcement. Organizations can implement Microsoft's Driver Blocklist to prevent BYOVD attacks, but it has significant limitations as well.
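To make the hash-variant problem concrete: Windows verifies a driver's signature against its Authenticode hash, which covers the PE image except the CheckSum field, the security data directory entry and the certificate table itself (per Microsoft's Authenticode PE specification). Bytes outside that coverage change the file's SHA-256 without touching the signed hash, which is why one signed driver can appear under thousands of file hashes. The following Python example is added here and is not code from the article, ESET or LOLDrivers: it builds a constructed minimal PE32+ image with a placeholder certificate table (no real signature), computes the Authenticode hash, and shows that unauthenticated changes shift the file hash but not the Authenticode hash, while a change to the code section does. The names build_pe, cert_table and authenticode_hash are my own.

```python
import hashlib
import struct

FILE_ALIGN = 0x200


def build_pe(section_data: bytes, cert_blob: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ with one section and an optional trailing
    certificate table. A layout stand-in for a driver, not loadable code."""
    size_of_headers = FILE_ALIGN
    raw_size = -(-len(section_data) // FILE_ALIGN) * FILE_ALIGN
    cert_off = size_of_headers + raw_size if cert_blob else 0
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)  # x64, one section
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0, 0x2000, size_of_headers,
                      checksum, 1, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, cert_off, len(cert_blob))  # IMAGE_DIRECTORY_ENTRY_SECURITY
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + bytes(dirs) + sect).ljust(size_of_headers, b"\0")
    return headers + section_data.ljust(raw_size, b"\0") + cert_blob


def cert_table(body: bytes) -> bytes:
    """WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7),
    padded to 8 bytes. The body here is a placeholder, not a real signature."""
    blob = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    return blob.ljust(-(-len(blob) // 8) * 8, b"\0")


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode (PE) hash: skip CheckSum, the security directory entry and the
    certificate table; hash headers, then sections in file order, then extra data."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)        # PE32+ vs PE32 directory offset
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sec_dir_off = dirs + 4 * 8
    _cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:sec_dir_off])
    h.update(pe[sec_dir_off + 8:size_of_headers])
    hashed = size_of_headers
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(pe) - (cert_size + hashed)                # data after sections, before cert table
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


SECTION = bytes([0xCC]) * 100                                  # constructed stand-in for driver code
PLACEHOLDER_SIG = b"placeholder PKCS#7 body, not a real signature"


def compare_variants() -> dict:
    original = build_pe(SECTION, cert_table(PLACEHOLDER_SIG))
    # Same code and same placeholder signature body; only unauthenticated bytes differ.
    padded_cert = build_pe(SECTION, cert_table(PLACEHOLDER_SIG + bytes(16)))
    new_checksum = build_pe(SECTION, cert_table(PLACEHOLDER_SIG), checksum=0x1234)
    # The code itself modified: a real signature would no longer verify.
    tampered = build_pe(SECTION[:-1] + b"\xC3", cert_table(PLACEHOLDER_SIG))
    return {
        "file_hashes_distinct": len({file_sha256(x) for x in (original, padded_cert, new_checksum)}) == 3,
        "authenticode_hash_stable": authenticode_hash(original) == authenticode_hash(padded_cert)
                                    == authenticode_hash(new_checksum),
        "tamper_changes_authenticode_hash": authenticode_hash(tampered) != authenticode_hash(original),
    }


if __name__ == "__main__":
    print(compare_variants())
```

The practical consequence for defenders: a block list keyed on file SHA-256 needs one entry per variant, while one keyed on the Authenticode hash needs one entry per signed image. WDAC hash rules use the Authenticode hash, and LOLDrivers publishes Authentihash values alongside file hashes (check the project's data before relying on that); matching on the signer certificate thumbprint is another option when a whole certificate is known to be abused.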
Keeping Attackers Out of the Kernel
The vast array of unique hashes presents problems for organizations that rely on block lists to mitigate BYOVD threats. While there are third-party lists, such as the open source project Living Off the Land Drivers or LOLDrivers, that are more extensive and frequently updated than Microsoft's list, security teams still face an uphill battle in terms of identifying and mitigating threats.
Michael Haag, co-creator of LOLDrivers and threat researcher at cybersecurity startup MagicSword, says part of the problem is that many organizations don't understand the risks posed by vulnerable drivers, and creating an inventory of threats is extremely difficult because it's not obvious which drivers are good or bad. Additionally, he says, companies fear that blocking drivers could crash their networks.
Security teams should implement a Windows feature known as hypervisor-protected code integrity (HVCI) or memory integrity, which enforces Microsoft's blocklist (HVCI was enabled by default starting with Windows 11 version 22H2, released in 2022).
But as Haag points out, some drivers load in Windows despite HVCI being enabled; these are the most evasive threats that LOLDrivers tracks. Currently, the project tracks 430 vulnerable drivers that bypass HVCI, about 21% of all drivers it tracks.
Even if the security team properly curates and maintains a blocklist that supplements Microsoft's list with LOLDrivers, there's more work to be done because, as experts note, blocklists are entirely reactive measures. Organizations can enable anti-tampering measures on their EDR platforms and Windows Defender, but attackers with kernel access and administrator privileges can still bypass them.
Therefore, experts say, security teams should focus on preventing attackers from accessing the Windows kernel. Organizations need to build a layered defense that monitors for compromised credentials and escalation of privileges, which are key ingredients for a successful BYOVD attack.
"If the attackers don't have sufficient admin privileges in the intrusion, then they wouldn't be able to load any drivers at all, whether they're legitimate or not," Souček says.
However, attackers are using myriad tools and exploiting common issues with security posture to quietly obtain credentials and elevate privileges. "Since they're doing this on a daily basis, they unfortunately have gotten pretty good at it," Souček adds. "If your security is bad, the attack may take 20 minutes. If your security is good, and the attacker is persistent, then you may be fighting them for a month — but that's a pretty good sign for you."
Additionally, some threat detection vendors have tailored their platforms to specifically monitor and mitigate BYOVD attacks. For example, Halcyon last year introduced Kernel Guard Protection, a new feature that provides real-time monitoring for suspicious kernel activity, such as a new driver loading outside of a boot sequence.
"If a kernel driver shows up on Friday at 3 p.m., and it's never been seen before in the tenant, then that's interesting," Morgan says. "We're never going to be perfect at everything, but identifying these patterns that attackers tend to use? That seems a lot more doable."
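The pattern Morgan describes, a never-before-seen driver loading outside the boot sequence, is straightforward to express over driver-load telemetry. The Python example below is added here and is not Halcyon's code or any product's detection logic: it triages constructed Sysmon Event ID 6 (DriverLoad) records against a per-tenant baseline of previously seen driver hashes, a boot-time grace window and a vulnerable-driver block list (the kind of list LOLDrivers provides; the hash values, paths and signer names here are all constructed placeholders). The functions parse_hashes and triage_driver_loads and the BOOT_GRACE window of 10 minutes are my own choices.

```python
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 6 (DriverLoad) records for one host; not real telemetry.
# Hash values are placeholders and match no real driver.
DRIVER_LOADS = [
    {"UtcTime": "2026-04-10 07:58:03", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA256=CONSTRUCTED0001,IMPHASH=CONSTRUCTEDIMP1",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"UtcTime": "2026-04-10 07:58:09", "ImageLoaded": r"C:\Windows\System32\drivers\vendor_nic.sys",
     "Hashes": "SHA256=CONSTRUCTED0002,IMPHASH=CONSTRUCTEDIMP2",
     "SignatureStatus": "Valid", "Signature": "Example NIC Vendor (constructed)"},
    {"UtcTime": "2026-04-10 07:58:20", "ImageLoaded": r"C:\Windows\System32\drivers\new_storage.sys",
     "Hashes": "SHA256=CONSTRUCTED0005,IMPHASH=CONSTRUCTEDIMP5",
     "SignatureStatus": "Valid", "Signature": "Example Storage Vendor (constructed)"},
    {"UtcTime": "2026-04-10 15:02:41", "ImageLoaded": r"C:\Users\Public\svc\legacy_av.sys",
     "Hashes": "SHA256=CONSTRUCTED0003,IMPHASH=CONSTRUCTEDIMP3",
     "SignatureStatus": "Valid", "Signature": "Legacy AV Vendor (constructed)"},
    {"UtcTime": "2026-04-10 15:03:05", "ImageLoaded": r"C:\Windows\Temp\t.sys",
     "Hashes": "SHA256=CONSTRUCTED0004,IMPHASH=CONSTRUCTEDIMP4",
     "SignatureStatus": "Valid", "Signature": "Some Publisher (constructed)"},
]

BOOT_TIME = datetime(2026, 4, 10, 7, 57, 40)        # constructed: last boot of this host
BOOT_GRACE = timedelta(minutes=10)                  # loads inside this window count as the boot sequence
KNOWN_IN_TENANT = {"constructed0001", "constructed0002"}  # baseline from earlier DriverLoad events
BLOCKLIST = {"constructed0004"}                     # e.g. imported from LOLDrivers; placeholder value


def parse_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA256=...,IMPHASH=...'; normalise keys and values."""
    return {k.upper(): v.lower() for k, v in (p.split("=", 1) for p in field.split(","))}


def triage_driver_loads(events, boot_time, known, blocklist, grace=BOOT_GRACE):
    """Return one alert per suspicious load, each with the reasons it was flagged."""
    alerts = []
    for ev in events:
        sha256 = parse_hashes(ev["Hashes"]).get("SHA256", "")
        loaded_at = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        outside_boot = loaded_at - boot_time > grace
        reasons = []
        if sha256 in blocklist:
            reasons.append("hash on vulnerable-driver blocklist")
        if ev["SignatureStatus"] != "Valid":
            reasons.append(f"signature status {ev['SignatureStatus']}")
        if sha256 not in known and outside_boot:
            reasons.append("never-before-seen driver loaded outside the boot window")
        if reasons:
            alerts.append({"time": ev["UtcTime"], "image": ev["ImageLoaded"],
                           "sha256": sha256, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage_driver_loads(DRIVER_LOADS, BOOT_TIME, KNOWN_IN_TENANT, BLOCKLIST):
        print(alert)
```

Note what the heuristic does and does not catch: the unknown new_storage.sys that loads twenty seconds after boot is not flagged, because the signal Morgan describes is timing relative to the boot sequence rather than novelty alone; it would instead be added to the baseline once reviewed. The two afternoon loads are flagged, and the block-listed one carries two reasons. In production the baseline should be keyed on the Authenticode hash rather than the file hash, for the reason given above about re-hashed variants.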
Microsoft Takes Action to Strengthen Driver Security
Microsoft has been under some pressure to bolster defenses against vulnerable drivers. Last month, the software giant announced plans to remove trust for cross-signed kernel drivers starting this month, which experts say is an important step toward reducing driver-based attacks.
Microsoft deprecated its cross-signed root certificate program in 2021, effectively prohibiting third-party digital certificates for kernel-mode code signing. Instead, drivers must be signed through Microsoft's own Windows Hardware Compatibility Program (WHCP).
However, Microsoft for years extended trust to some older drivers that had been signed via the deprecated cross-signed root program. But that will no longer be the case; the new policy will begin rolling out with this month's Patch Tuesday update for systems running Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025.
"The signing program, administered by third-party certificate authorities, required driver authors to store and protect the private keys of the certificate, which led to abuse and credential theft that put our customers and their platforms at risk," Peter Waxman, group program manager at Microsoft, wrote in a blog post announcing the change.
It's unclear how much BYOVD threats factored into Microsoft's decision to remove trust for cross-signed drivers. Dark Reading contacted Microsoft for further comment, but the company declined.
LOLDrivers found the vast majority of vulnerable drivers it tracks are signed through the cross-signing root program. Source: MagicSword
Regardless, the move will have a significant impact on BYOVD attacks, as LOLDrivers estimates that more than 81% of all samples it tracks are cross-signed by third-party certificate authorities. The effects of the policy change will take time to shake out, as the trust policy will begin in what Microsoft calls "evaluation mode" to ensure there are no compatibility issues.
But evaluation mode also carries a significant drawback. Windows will monitor driver loading activity for 100 hours across three boot cycles for Windows 11 and two for Windows Server 2025 before enforcement begins; if a single non-compliant driver fails to load during that time, evaluation mode will reset and will begin auditing activity for another 100 hours. This could potentially force an organization to "remain in evaluation mode indefinitely," MagicSword researchers said in a recent blog post.
In the meantime, threat analysts continue to look for ways to disrupt threat actors' ability to find a vulnerable driver, package it in an EDR killer, and then sell different versions of the tool over and over again. While progress has been made in Windows security and awareness of BYOVD threats has grown, the EDR-killer market continues to expand, driven by new techniques and variations.
"We want to cut down the amount of time that a driver works for, so that the pattern of selling it stops working," Morgan says. "That's a much better situation."
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.