A recent technical breakthrough in cybersecurity reveals a significant elevation in the capabilities of the Bring Your Own Vulnerable Driver (BYOVD) exploitation technique.
The research, presented by cybersecurity expert @Two Seven One Three, demonstrates how leveraging Windows symbolic links in conjunction with drivers possessing file-writing abilities can bypass critical security measures, including Endpoint Detection and Response (EDR) systems.
This approach has the potential to redefine how attackers target system defenses.
New Attack Method Combines BYOVD with Windows Symbolic Links
The BYOVD technique involves exploiting legitimate but vulnerable drivers to execute malicious code with elevated privileges while circumventing security protocols.
Historically, this method has proven effective for various threat groups, with examples such as the BlackByte ransomware gang exploiting a driver in MSI Afterburner’s RTCore64.sys to bypass over 1,000 security mechanisms.
However, the primary limitation of BYOVD has been the dependency on a narrowing pool of exploitable drivers due to extensive blocklist updates by Microsoft.
The integration of symbolic links into the BYOVD method mitigates this challenge, allowing attackers to exploit a broader range of drivers that possess file-writing capabilities.
Through advanced file manipulation techniques, attackers can elevate privileges, disable critical system components, and bypass endpoint monitoring mechanisms.
A practical demonstration of this technique highlights its ability to disable Windows Defender on Windows 11.
Exploiting EDR Weaknesses with Symbolic Links
At the core of this exploit lies the interplay between drivers’ file-writing functions and symbolic links.
Typically, EDR systems rely on Minifilters to monitor and log activity across processes and files.
These Minifilters operate at the kernel level, ensuring comprehensive data collection.
The attack capitalizes on vulnerabilities in this model by targeting either the Minifilter driver itself or the user-mode service responsible for log processing.
In the newly proposed method, symbolic links are instrumental in redirecting file operations to unintended targets.
For instance, the demonstration illustrates how a symbolic link can redirect a driver’s logging operation to overwrite the core executable of Windows Defender MsMpEng.exe.
Process Monitor (procmon24), which operates at the kernel level, is utilized to execute this strategy.
By tweaking Windows’ ServiceGroupOrder registry key, attackers prioritize the loading of the exploited driver over Defender’s service during boot, enabling the overwrite.
This approach significantly expands the potential pool of exploitable drivers, as the focus shifts from known vulnerabilities to legitimate functions such as file writing.
The consequences are worrisome: attackers no longer need to rely solely on outdated or unlisted drivers, increasing the attack surface for EDR systems.
To counter this evolving threat, cybersecurity professionals must reassess existing defenses.
Developers of drivers with file-writing capabilities should implement checks to verify symbolic link integrity, preventing malicious redirections.
Enhanced monitoring and validation at both the kernel and user-mode levels may also mitigate these risks.
Additionally, organizations must prioritize updating detection mechanisms to identify symbolic link-based exploits.
The Zero Salarium research underscores the dynamic nature of cyber threats and the urgent need for proactive security measures.
While Microsoft’s blocklist updates have previously curtailed BYOVD-related exploits, this novel combination of techniques necessitates a paradigm shift in protecting drivers and endpoint systems against emerging vulnerabilities.