By: Tyler Hudak

Who’s Defending Microsoft Defender? Breaking Down Modern BYOVD Attacks


Recently, the Inversion6 Incident Response team has been tracking an uptick in cyberattacks that hijack vulnerable Windows drivers to crash endpoint detection and response (EDR) systems, most notably Microsoft Defender. 

These are known as Bring Your Own Vulnerable Driver (BYOVD) attacks, and they don’t rely on fancy exploits or cutting-edge adversarial AI. Instead, they target files Windows already trusts, repurposing them to crash your endpoint protection tools with relative ease. After that, they can cause all sorts of trouble without being detected.

We’ve seen this up close in several recent cases. Here’s how it happens, how to spot it and what to do if you’ve already been hit with a BYOVD attack. 

When Trust Turns Against You 

Whenever Windows loads a driver, it first checks whether it’s “digitally signed.” A signed driver is one whose signature shows it originates from a trusted source and hasn’t been modified since it was signed, and it is therefore allowed to interact directly with the operating system kernel - the most privileged level of access.

As operating systems have evolved, it’s become much harder to sneak a malicious driver into the system. But attackers adapt quickly, exploiting the process by piggybacking malicious code on vulnerable drivers that are already signed. 

Sometimes they target old drivers that are often no longer in use. Sometimes they find a small flaw that was never patched. Either way, Windows will still allow them through the door as long as the drivers are signed (and that code signature hasn’t been revoked). 

Many of the recent attacks we’ve seen have started with a driver called RWDRV.sys from ThrottleStop. This file is legitimate, code-signed and trusted. However, hackers are using it to load a second driver - often HLPDRV.sys - which contains the malicious payload.  

This second driver is what is used to crash or disable various EDR systems, from Microsoft Defender to CrowdStrike to SentinelOne and more. 

How it Works 

For a BYOVD attack to work, an attacker must already have administrative access to your device. Without administrative privileges, they can’t install drivers or load malicious services - so gaining that access is always step one, often through phishing, remote access exploitation or some other malicious software delivery. The vulnerable driver is simply the method they use to remove endpoint protections and solidify their control. This is also the step that clears the path for ransomware or data exfiltration. 

While Akira ransomware has been publicly associated with the recent strikes on EDR, including Microsoft Defender, BYOVD strikes are not tied to one specific threat actor. Once the attacker has kernel-level access and EDR is offline, they can do pretty much whatever they want. 

Detection 

As a general rule, whenever your EDR stops reporting, it’s time to investigate immediately. One of the most dangerous elements of a BYOVD attack is that it takes away your visibility, leaving you blind to the attacker’s next series of moves.

In cases we’ve investigated, we’ve seen several recurring indicators. Drivers like RWDRV.sys and HLPDRV.sys show up across multiple incidents, and malicious services have often appeared under the name MGDSRV or HLPDRV. Legitimate Microsoft tools like consent.exe might also appear, used to bypass User Account Control (UAC) prompts.

Another way to spot trouble is if you start to see legitimate .sys or .dll files showing up directly in main folders like C:\ProgramData\, instead of the typical subdirectories where they belong.  

If you see these signs, it might be time to start hunting for an active attacker. 


Prevention 

Solid prevention always starts with access control. If the attacker can’t gain admin rights, they can’t install their vulnerable drivers or load their malicious services. Organizations can also implement specific deny lists using known file hashes. Meanwhile, tools from Microsoft and other EDR vendors can block the execution of files like RWDRV.sys, regardless of their location or name.

On top of these basic methods, you should also be scanning for any unusual driver installations or newly launched services using suspicious names like MGDSRV. Closely monitor directories like C:\ProgramData\ or temporary folders for anomalies and remember, legitimate software almost never places crucial .sys or .dll files directly in the root of these directories. 

Most importantly, if your EDR system suddenly stops reporting or crashes unexpectedly, don’t assume it’s a glitch. Assume the attacker is already inside and act accordingly. 
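The indicators called out under Detection and the hash- and name-based blocking described under Prevention, pulled together as an added Python triage example (this is not Inversion6’s own tooling): it walks constructed service-install records, flags the IOC file names, service names and SHA256 hashes from the table at the end of this post, and flags .sys/.dll files dropped directly in the root of C:\ProgramData or C:\Windows\Temp (the latter an assumed stand-in for the post’s “temporary folders”). Field names follow the Windows System log 7045 event; the SHA256 field is assumed enrichment from a driver-load event or file scan.

```python
from pathlib import PureWindowsPath

# Indicators taken from the post's IOC table (file names, service names, SHA256 hashes).
IOC_DRIVER_NAMES = {"rwdrv.sys", "hlpdrv.sys"}
IOC_SERVICE_NAMES = {"mgdsrv", "hlpdrv"}
IOC_SHA256 = {
    "16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0": "rwdrv.sys",
    "BD1F381E5A3DB22E88776B7873D4D2835E9A1EC620571D2B1DA0C58F81C84A56": "hlpdrv.sys",
}
# Roots that should never directly hold a .sys/.dll; C:\Windows\Temp is an assumed stand-in.
WATCHED_ROOTS = {r"c:\programdata", r"c:\windows\temp"}

def normalize_path(raw: str) -> str:
    """Reduce a service ImagePath (quotes, arguments, \\??\\ prefix) to a plain file path."""
    raw = raw.strip()
    raw = raw[1:].split('"', 1)[0] if raw.startswith('"') else raw.split(" ", 1)[0]
    return raw[4:] if raw.startswith("\\??\\") else raw

def in_watched_root(path: str) -> bool:
    """True if a .sys/.dll sits directly in the root of a watched directory."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in {".sys", ".dll"} and str(p.parent).lower() in WATCHED_ROOTS

def triage_event(ev: dict) -> list:
    """Return the reasons an event looks like BYOVD activity; an empty list means clean."""
    reasons = []
    path = normalize_path(ev.get("ImagePath", ""))
    name = PureWindowsPath(path).name.lower()
    digest = ev.get("SHA256", "").upper()
    if name in IOC_DRIVER_NAMES:
        reasons.append(f"known BYOVD driver name: {name}")
    if ev.get("ServiceName", "").lower() in IOC_SERVICE_NAMES:
        reasons.append(f"known malicious service name: {ev['ServiceName']}")
    if digest in IOC_SHA256:  # catches the driver even if the attacker renamed the file
        reasons.append(f"hash matches {IOC_SHA256[digest]}")
    if in_watched_root(path):
        reasons.append(f"driver/dll dropped directly in {PureWindowsPath(path).parent}")
    return reasons

def hunt(events: list) -> dict:
    """Map each service that has findings to its triage reasons."""
    return {ev["ServiceName"]: r for ev in events if (r := triage_event(ev))}

# Constructed sample records modelled on System log event 7045 (new service installed).
SAMPLE_EVENTS = [
    {"ServiceName": "MGDSRV", "ImagePath": r"\??\C:\ProgramData\rwdrv.sys",
     "SHA256": "16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0"},
    {"ServiceName": "UpdateSvc", "ImagePath": r'"C:\ProgramData\helper.sys" -start',
     "SHA256": "BD1F381E5A3DB22E88776B7873D4D2835E9A1EC620571D2B1DA0C58F81C84A56"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe", "SHA256": "0" * 64},
]
```

The renamed helper.sys in the second record is caught by its hash alone, which is why the post recommends hash-based deny lists alongside name blocking.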


Mitigation

In our incident response engagements, one of the first things we do is check for forensic artifacts tied to these driver loads. Event logs, leftover registry entries, memory snapshots - anything that tells us when and how the attack unfolded. But once the attacker disables your visibility tools, the job becomes significantly harder. 

In one case, we saw SentinelOne crash just seconds after a malicious driver loaded. From that point on, we had no telemetry from the affected systems. That meant we had to rely on forensic reconstruction to piece together the timeline. Fortunately, we’re very good at that part!  


Get Help, Before It Gets Worse 

Right now, Microsoft Defender and the RWDRV.sys file are in the news, but vulnerable drivers come and go. What doesn’t change is the attack vector. Even if defenders block one vulnerable driver, attackers will move to the next. There’s always another outdated signed driver out there waiting to be abused.

If something feels off in your environment—if your EDR suddenly stops working, if strange files appear, or if you just want to be proactive—the time to act is now. 

Reach out to the Inversion6 Incident Response team.  

We know this tactic. We’ve seen what happens when you ignore the warning and we can help you keep an inconvenience from turning into an emergency. 

Stay safe out there!


Type          IOC                                                               Notes
------------  ----------------------------------------------------------------  -------------------
File          rwdrv.sys                                                         ThrottleStop driver
File          hlpdrv.sys                                                        Malicious driver
SHA256        16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0  rwdrv.sys
SHA256        BD1F381E5A3DB22E88776B7873D4D2835E9A1EC620571D2B1DA0C58F81C84A56  hlpdrv.sys
Service Name  MGDSRV                                                            rwdrv.sys service
Service Name  HLPDRV                                                            hlpdrv.sys service