BYOVD attacks, prevention, and Core Isolation.
The BYOVD attack involves introducing a digitally signed and trusted vulnerable driver into the kernel and exploiting it to gain kernel-level access.
For simplicity, the protective features can be classified as:
1. Prevention: The installation of the driver is prevented before it can be loaded.
2. Blocking: Loading of the driver is blocked.
BLOCKING
To avoid misunderstanding, I do not mean that mentioning "Blocking" in the second point makes it less important.
Simply, it happens later in the infection stage.
It is worth mentioning that such driver blocking features as Memory Integrity and Microsoft Vulnerable Driver Blocklist (both included in Core Isolation) are the most robust ones (hardest to bypass). Memory Integrity (MI) is protected by VBS. Microsoft Vulnerable Driver Blocklist (MVDB) is protected by VBS when MI is enabled. If not, then MVDB depends on standard kernel-mode code integrity mechanisms (less robust than VBS).
Another feature that can be hardened by VBS is App Control for Businesses (previously known as WDAC). It has the ability to prevent driver installation (User Mode Code Integrity) and block driver loading.
Properly configured WDAC is a strong protection against BYOVD attacks. Many enterprises run WDAC without MI enabled, due to compatibility problems. However, WDAC with enabled MI better mitigates kernel exploits.
PREVENTION
Enterprises use many preventive features to fight BYOVD attacks. In the case of Microsoft Defender (MD):
1. Multifactor authentication.
2. Network monitoring.
3. Advanced Hunting queries.
4. MD ASR rules (enabling all rules are recommended).
5. Web/email protection, etc.
All those features are important.
Home environment with MD.
At home, the WDAC can be replaced by Smart App Control.
Core Isolation settings should be enabled.
MD ASR rules should be enabled (by using PowerShell or a dedicated application).
Solid web protection and a hardened firewall are also highly recommended.
Differences between "Microsoft Vulnerable Driver Blocklist" (MVDB) and ASR rule "Block abuse of exploited vulnerable signed drivers".
The MVDB is updated with each new major release of Windows, typically 1-2 times per year. This block list can miss some vulnerable drivers included in the WDAC blocklist. The most current MVDB blocklist is also available as an optional update.
A better updated driver blocklist is included in the ASR rule. This blocklist is triggered only when malware tries to install/drop the driver file to disk. It does not block already installed drivers. Although it can prevent most BYOVD attacks, it is not as robust as MVDB. For example:
The BYOVD attack involves introducing a digitally signed and trusted vulnerable driver into the kernel and exploiting it to gain kernel-level access.
For simplicity, the protective features can be classified as:
1. Prevention: The installation of the driver is prevented before it can be loaded.
2. Blocking: Loading of the driver is blocked.
BLOCKING
To avoid misunderstanding, I do not mean that mentioning "Blocking" in the second point makes it less important.
Simply, it happens later in the infection stage.
It is worth mentioning that such driver blocking features as Memory Integrity and Microsoft Vulnerable Driver Blocklist (both included in Core Isolation) are the most robust ones (hardest to bypass). Memory Integrity (MI) is protected by VBS. Microsoft Vulnerable Driver Blocklist (MVDB) is protected by VBS when MI is enabled. If not, then MVDB depends on standard kernel-mode code integrity mechanisms (less robust than VBS).
Another feature that can be hardened by VBS is App Control for Businesses (previously known as WDAC). It has the ability to prevent driver installation (User Mode Code Integrity) and block driver loading.
Properly configured WDAC is a strong protection against BYOVD attacks. Many enterprises run WDAC without MI enabled, due to compatibility problems. However, WDAC with enabled MI better mitigates kernel exploits.
PREVENTION
Enterprises use many preventive features to fight BYOVD attacks. In the case of Microsoft Defender (MD):
1. Multifactor authentication.
2. Network monitoring.
3. Advanced Hunting queries.
4. MD ASR rules (enabling all rules are recommended).
5. Web/email protection, etc.
All those features are important.
Home environment with MD.
At home, the WDAC can be replaced by Smart App Control.
Core Isolation settings should be enabled.
MD ASR rules should be enabled (by using PowerShell or a dedicated application).
Solid web protection and a hardened firewall are also highly recommended.
Differences between "Microsoft Vulnerable Driver Blocklist" (MVDB) and ASR rule "Block abuse of exploited vulnerable signed drivers".
The MVDB is updated with each new major release of Windows, typically 1-2 times per year. This block list can miss some vulnerable drivers included in the WDAC blocklist. The most current MVDB blocklist is also available as an optional update.
A better updated driver blocklist is included in the ASR rule. This blocklist is triggered only when malware tries to install/drop the driver file to disk. It does not block already installed drivers. Although it can prevent most BYOVD attacks, it is not as robust as MVDB. For example:
- UEFI bootkits can bypass it and install vulnerable drivers.
- ASR rules depend on Microsoft Defender and may fail if it is tampered with.
- ASR rules can be deactivated by user-mode processes.
Last edited:
