Living Off The Land Drivers
Introduction to the BYOVD threat - how attackers abuse vulnerable drivers and why defenders need to pay attention.
loldrivers byovd drivers kernel introduction
Originally published on Medium
Read the full article: Living Off The Land Drivers
The BYOVD Problem
Bring Your Own Vulnerable Driver (BYOVD) attacks are increasingly common. Attackers:
- Obtain a legitimately signed driver with vulnerabilities
- Load it on the target system
- Exploit the vulnerability for kernel access
- Disable security tools or gain persistence
Why It Works
These drivers are:
- Legitimately signed - so they pass driver signature enforcement
- From trusted vendors - often well-known companies
- Rarely blocklisted - most are absent from driver blocklists
Real-World Impact
BYOVD techniques have been used by:
- Ransomware operators
- APT groups
- Red teams
To:
- Disable EDR
- Gain kernel access
- Establish rootkits
The Solution
We need:
- Centralized driver tracking
- Hash-based detection
- Community collaboration
That’s why we’re building LOLDrivers.
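As an added example (not code from the original post or from the LOLDrivers project), here is the core of a hash-based check: Sysmon Event ID 6 (DriverLoad) records, reduced to their EventData fields, are matched against a SHA-256-keyed blocklist. The driver bytes, blocklist entry and events are all constructed, and the check deliberately ignores signature validity because BYOVD drivers are validly signed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a driver image; the key the blocklist is indexed on."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for one known-vulnerable signed driver image (not a real driver).
VULN_DRIVER_IMAGE = b"constructed stand-in for a vulnerable, validly signed driver"

# Hash-keyed blocklist in the spirit of a LOLDrivers-style list; every value is hypothetical.
BLOCKLIST = {
    sha256_hex(VULN_DRIVER_IMAGE): {"name": "vulndrv.sys", "vendor": "ExampleCo (hypothetical)"},
}


def parse_sysmon_hashes(field: str) -> dict:
    """Split a Sysmon 'Hashes' value such as 'SHA256=AB..,MD5=CD..' into {algo: lowercase hex}."""
    hashes = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            hashes[algo.strip().lower()] = value.strip().lower()
    return hashes


def check_driver_load(event: dict):
    """Match one Sysmon Event ID 6 record against the blocklist by SHA-256.
    Returns a finding dict or None. The Signed/SignatureStatus fields are reported
    but never used to suppress: a valid signature is expected for a BYOVD driver."""
    sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("sha256")
    entry = BLOCKLIST.get(sha256)
    if entry is None:
        return None
    image = event["ImageLoaded"]
    return {
        "image": image,
        "matched": entry["name"],
        "vendor": entry["vendor"],
        # A hash match on a different file name means the driver was dropped under a new name.
        "renamed": not image.lower().endswith(entry["name"]),
        "signature_status": event.get("SignatureStatus", "unknown"),
    }


def scan(events):
    """Run the check over a batch of DriverLoad events and keep only the findings."""
    return [finding for finding in map(check_driver_load, events) if finding]


_VULN = sha256_hex(VULN_DRIVER_IMAGE)
_CLEAN = sha256_hex(b"constructed stand-in for an ordinary signed driver")
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 6 EventData, reduced to the fields used here
    {"ImageLoaded": r"C:\Windows\System32\drivers\vulndrv.sys",
     "Hashes": f"SHA256={_VULN.upper()},MD5=00", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\update.sys",  # same image, renamed to look benign
     "Hashes": f"SHA256={_VULN.upper()}", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": f"SHA256={_CLEAN.upper()}", "Signed": "true", "SignatureStatus": "Valid"},
]
```

Both blocklisted loads are flagged even though they carry a valid signature, and the second finding is marked as renamed because only the hash, not the file name, matched.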
What’s Next
Stay tuned for:
- Driver database launch
- Detection rule release
- Community contribution guidelines