Who’s Defending Microsoft Defender? Breaking Down Modern BYOVD Attacks
Recently, the Inversion6 Incident Response team has been tracking an uptick in cyberattacks that hijack vulnerable Windows drivers to crash endpoint detection and response (EDR) systems, most notably Microsoft Defender.
These are known as Bring Your Own Vulnerable Driver (BYOVD) attacks, and they don’t rely on fancy exploits or cutting-edge adversarial AI. Instead, they target files Windows already trusts, repurposing them to crash your endpoint protection tools with relative ease. After that, they can cause all sorts of trouble without being detected.
We’ve seen this up close in several recent cases. Here’s how it happens, how to spot it and what to do if you’ve already been hit with a BYOVD attack.
When Trust Turns Against You
Whenever Windows loads a driver, it first checks whether it’s “digitally signed.” A signed driver is one that originates from a trusted source, hasn’t been modified, and is therefore allowed to interact directly with the operating system kernel - the most privileged level of access.
As operating systems have evolved, it’s become much harder to sneak a malicious driver into the system. But attackers adapt quickly, exploiting the process by piggybacking malicious code on vulnerable drivers that are already signed.
Sometimes they target old drivers that are no longer in use. Sometimes they find a small flaw that was never patched. Either way, Windows will still let them through the door as long as the drivers are signed (and that code signature hasn’t been revoked).
Many of the recent attacks we’ve seen have started with a driver called RWDRV.sys from ThrottleStop. This file is legitimate, code-signed and trusted. However, hackers are using it to load a second driver - often HLPDRV.sys - which contains the malicious payload.
This second driver is the one used to crash or disable EDR products, including Microsoft Defender, CrowdStrike, SentinelOne and others.
How it Works
For a BYOVD attack to work, an attacker must already have administrative access to your device. Without administrative privileges, they can’t install drivers or load malicious services - so gaining that access is always step one, often through phishing, remote access exploitation or some other malicious software delivery. The vulnerable driver is simply the method they use to remove endpoint protections and solidify their control. This is also the step that clears the path for ransomware or data exfiltration.
While Akira ransomware has been publicly associated with the recent strikes on EDR, including Microsoft Defender, BYOVD strikes are not tied to one specific threat actor. Once the attacker has kernel-level access and EDR is offline, they can do pretty much whatever they want.
Detection
As a general rule, whenever your EDR stops reporting, it’s time to investigate immediately. One of the most dangerous elements of a BYOVD attack is that it takes away your visibility, leaving you blind to the attacker’s next series of moves.
In cases we’ve investigated, we’ve seen several recurring indicators. Drivers like RWDRV.sys and HLPDRV.sys show up across multiple incidents, and malicious services have often appeared under the name MGDSRV or HLPDRV. Legitimate Microsoft tools like consent.exe might also appear, used to bypass User Account Control (UAC) prompts.
Another way to spot trouble is if you start to see legitimate .sys or .dll files showing up directly in main folders like C:\ProgramData\, instead of the typical subdirectories where they belong.
If you see these signs, it might be time to start hunting for an active attacker.
Prevention
Solid prevention always starts with access control. If the attacker can’t gain admin rights, they can’t install their vulnerable drivers or load their malicious services. Organizations can also implement specific deny lists using known file hashes. Meanwhile, tools from Microsoft and other EDR vendors can block the execution of files like RWDRV.sys, regardless of their location or name.
On top of these basic methods, you should also be scanning for any unusual driver installations or newly launched services using suspicious names like MGDSRV. Closely monitor directories like C:\ProgramData\ or temporary folders for anomalies and remember, legitimate software almost never places crucial .sys or .dll files directly in the root of these directories.
Most importantly, if your EDR system suddenly stops reporting or crashes unexpectedly, don’t assume it’s a glitch. Assume the attacker is already inside and act accordingly.
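The indicators from the Detection section and the monitoring advice above, pulled together into one hunting script. This is an added example, not code from the Inversion6 post: the service names, file names and SHA256 values are the ones in the post’s IOC table, while the watched directories, the event-log query and the output format are this example’s own assumptions.

```powershell
# Added example, not from the Inversion6 post. Run from an elevated PowerShell session.
# Names/hashes are from the post's IOC table; watched dirs and event query are assumptions.
$IocHashes = @{
    '16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0' = 'rwdrv.sys'
    'BD1F381E5A3DB22E88776B7873D4D2835E9A1EC620571D2B1DA0C58F81C84A56' = 'hlpdrv.sys'
}
$IocServiceRegex = '(?i)\b(MGDSRV|HLPDRV)\b'       # service names seen across incidents
$IocFileRegex    = '(?i)\b(rwdrv|hlpdrv)\.sys\b'    # driver file names seen across incidents
$RootDirs        = @($env:ProgramData, $env:TEMP, "$env:SystemRoot\Temp")  # assumed watch list
$findings        = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Name, $Why) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Why = $Why })
}

# 1. Registered kernel drivers and services whose name, or image path, matches a known IOC.
foreach ($cls in 'Win32_SystemDriver', 'Win32_Service') {
    Get-CimInstance -ClassName $cls | ForEach-Object {
        if ($_.Name -match $IocServiceRegex -or $_.PathName -match $IocFileRegex) {
            Add-Finding $cls $_.Name "$($_.State); image=$($_.PathName)"
        }
    }
}

# 2. .sys/.dll files sitting directly in the root of ProgramData or a temp folder, which the
#    post notes legitimate software almost never does. Hash each and compare with the IOCs.
foreach ($dir in $RootDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.sys', '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $why  = if ($IocHashes.ContainsKey($hash)) { "SHA256 matches known $($IocHashes[$hash])" }
                    elseif ($_.Name -match $IocFileRegex) { 'file name matches known BYOVD driver' }
                    else { 'driver/library dropped in directory root' }   # still worth a look
            Add-Finding 'File' $_.FullName "$why; sha256=$hash"
        }
}

# 3. Service installations logged by the Service Control Manager (System log, event 7045).
#    These entries survive even after the attacker has knocked the EDR offline.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
    -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $IocServiceRegex -or $_.Message -match $IocFileRegex } |
    ForEach-Object { Add-Finding 'Event7045' $_.TimeCreated ($_.Message -replace '\s+', ' ') }

# 4. EDR health: per the post, a Defender that has stopped is itself an indicator.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $defender -or $defender.Status -ne 'Running') {
    Add-Finding 'EDR' 'WinDefend' ("status: " + $(if ($defender) { $defender.Status } else { 'not installed' }))
}
$findings | Format-Table -AutoSize -Wrap
```

An empty table is the expected result on a clean host; any row is a lead to triage by hand, and a row from step 4 means you should treat the machine as compromised until proven otherwise, as the post advises.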
Mitigation
In our incident response engagements, one of the first things we do is check for forensic artifacts tied to these driver loads. Event logs, leftover registry entries, memory snapshots - anything that tells us when and how the attack unfolded. But once the attacker disables your visibility tools, the job becomes significantly harder.
In one case, we saw SentinelOne crash just seconds after a malicious driver loaded. From that point on, we had no telemetry from the affected systems. That meant we had to rely on forensic reconstruction to piece together the timeline. Fortunately, we’re very good at that part!
Get Help, Before It Gets Worse
Right now, Microsoft Defender and the RWDRV.sys file are in the news; but vulnerable drivers come and go. What doesn’t change is the attack vector. Even if defenders block one vulnerable driver, attackers will move to the next. There’s always another outdated signed driver out there waiting to be abused.
If something feels off in your environment—if your EDR suddenly stops working, if strange files appear, or if you just want to be proactive—the time to act is now.
Reach out to the Inversion6 Incident Response team.
We know this tactic. We’ve seen what happens when you ignore the warning and we can help you keep an inconvenience from turning into an emergency.
Stay safe out there!
Indicators of Compromise

| Type | IOC | Notes |
| --- | --- | --- |
| File | rwdrv.sys | ThrottleStop driver |
| File | hlpdrv.sys | Malicious driver |
| SHA256 | 16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0 | rwdrv.sys |
| SHA256 | BD1F381E5A3DB22E88776B7873D4D2835E9A1EC620571D2B1DA0C58F81C84A56 | hlpdrv.sys |
| Service Name | MGDSRV | rwdrv.sys service |
| Service Name | HLPDRV | hlpdrv.sys service |