Bring Your Own Vulnerable Driver (BYOVD) has become the go-to technique for ransomware affiliates who need to neutralise endpoint defences before deploying their encryptor. Groups including DragonForce, Akira, Medusa, and RansomHub have all been observed loading signed-but-vulnerable kernel drivers to kill EDR and AV processes with kernel-level authority. If your detection logic doesn’t catch this at the driver load stage, the attacker is already invisible by the time encryption starts.

How BYOVD Works

The attack chain is consistent across groups:

  1. Privilege escalation to at least local admin (often SYSTEM) via earlier exploitation or credential access.
  2. Driver drop: a legitimate, signed driver with a known vulnerability is written to disk — commonly in C:\Windows\System32\drivers\ or a temp path.
  3. Service creation: the driver is loaded as a kernel service (sc.exe create, NtLoadDriver, or direct IOCTL).
  4. Process kill: the driver’s IOCTL interface is called to terminate EDR/AV processes by PID or name. Some variants (e.g., RogueKiller driver abuse) also remove kernel callbacks registered by security tools.
  5. Cleanup: the driver is unloaded and deleted before ransomware executes.

The signed driver bypasses most user-mode controls; what matters is detecting the setup and weaponisation steps before the EDR process is gone.

Key Detection Points

Stage                        | Event                                                                    | Source
Driver dropped               | New .sys file written outside normal update paths                        | Sysmon Event ID 11
Service created for driver   | sc.exe create ... type=kernel                                            | Sysmon Event ID 1 / Windows Security 4697
Kernel driver loaded         | Image load for unsigned/unexpected .sys                                  | Sysmon Event ID 6
EDR process terminated       | Target process (e.g., MsMpEng.exe, csagent.exe) terminates unexpectedly  | Security 4689 / EDR telemetry
Known vulnerable driver hash | Match against LOLDrivers blocklist                                       | Any image load event

Sigma Rules

Rule 1 — Kernel Service Creation Followed by Unusual Driver Load

title: Suspicious Kernel Driver Service Creation (BYOVD Pattern)
id: d4f8a3c1-7e22-4b10-8c56-e9a001234567
status: experimental
description: Detects kernel-type service creation using sc.exe or via Service Control Manager, indicative of BYOVD EDR killer staging.
references:
  - https://github.com/magicsword-io/LOLDrivers
  - https://attack.mitre.org/techniques/T1562/001/
author: SOC Analyst Hub
date: 2026-05-23
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.t1014
logsource:
  product: windows
  category: process_creation
detection:
  selection_sc:
    Image|endswith: '\sc.exe'
    CommandLine|contains|all:
      - 'create'
      - 'type=kernel'
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'New-Service'
      - 'KernelDriver'
  condition: selection_sc or selection_powershell
falsepositives:
  - Legitimate driver installations by IT or vendors; correlate with change tickets
  - Software deployment tools
level: high

Rule 2 — Known LOLDriver Hash Loaded

title: Known Vulnerable Kernel Driver Loaded (LOLDrivers)
id: a9b2c4d6-1f33-5c21-9d47-f8b002345678
status: stable
description: Detects image load of known vulnerable kernel drivers used in BYOVD attacks. Hash list sourced from LOLDrivers project.
references:
  - https://github.com/magicsword-io/LOLDrivers
author: SOC Analyst Hub
date: 2026-05-23
tags:
  - attack.defense_evasion
  - attack.t1542.003
  - attack.t1562.001
logsource:
  product: windows
  category: driver_load
detection:
  selection:
    Hashes|contains:
      # RogueKiller Anti-Rootkit Driver (abused by DragonForce)
      - 'SHA256=7f4e3a1c8b92d45e6f0a231b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d'
      # RTCore64 (used by multiple ransomware groups)
      - 'SHA256=01aa278b07b58dc46c84bd0b1b5c8e9a45fd815d9f13dd6f6e5ccf4ac8e5ca9a'
      # gdrv.sys (Gigabyte driver, widely abused)
      - 'SHA256=31f4cfb4c71da44120752721103a16512444c13d9e7648df7a3a8ad5651a7ec4'
  condition: selection
falsepositives:
  - Very low; these hashes are catalogued by LOLDrivers as drivers with known malicious use
level: critical

KQL for Microsoft Sentinel

// BYOVD: Kernel service creation + driver load within 5 minutes on same host
let kernelServiceCreate = DeviceProcessEvents
    | where FileName == "sc.exe"
    | where ProcessCommandLine has_all ("create", "type=kernel")
    | project DeviceId, ServiceCreateTime = Timestamp, InitiatingProcessAccountName;

let driverLoads = DeviceImageLoadEvents
    | where FolderPath !startswith "C:\\Windows\\System32\\drivers\\"
    | where FolderPath !startswith "C:\\Program Files\\"
    | where FileName endswith ".sys"
    | project DeviceId, DriverLoadTime = Timestamp, FileName, FolderPath, SHA256;

kernelServiceCreate
| join kind=inner driverLoads on DeviceId
| where DriverLoadTime between (ServiceCreateTime .. (ServiceCreateTime + 5m))
| project DeviceId, ServiceCreateTime, DriverLoadTime, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| sort by ServiceCreateTime desc

// EDR process termination following driver load (pivot to confirm BYOVD kill).
// Run this as a separate query from the one above.
let edrProcs = dynamic(["MsMpEng.exe","csagent.exe","CylanceSvc.exe","cb.exe","elastic-agent.exe",
                        "SentinelAgent.exe","CrowdStrike","xagt.exe","bdservicehost.exe"]);
DeviceProcessEvents
| where ActionType == "ProcessStopped"
| where FileName has_any (edrProcs)
| project Timestamp, DeviceId, DeviceName, FileName, InitiatingProcessFileName
| join kind=inner (
    DeviceImageLoadEvents
    | where FileName endswith ".sys"
    | where FolderPath !startswith @"C:\Windows\System32\drivers\"
    | project DeviceId, DriverTime = Timestamp, DriverFile = FileName
) on DeviceId
| where abs(datetime_diff("minute", Timestamp, DriverTime)) < 10
| project Timestamp, DeviceName, KilledProcess = FileName, DriverLoaded = DriverFile, InitiatingProcessFileName
| sort by Timestamp desc
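The same chain the Sigma rules and KQL above describe (kernel service creation, unexpected .sys load within 5 minutes, EDR process termination within 10 minutes), implemented as an added Python example that is not part of the original article. The event records are constructed Sysmon-style dictionaries with assumed field names (id, host, ts, image, cmdline, hashes); the blocklist hashes are the ones from Rule 2.

```python
from datetime import datetime, timedelta

# Hashes copied from the Sigma rule above; extend the set from the LOLDrivers catalogue.
LOLDRIVER_HASHES = {"01aa278b07b58dc46c84bd0b1b5c8e9a45fd815d9f13dd6f6e5ccf4ac8e5ca9a",  # RTCore64
                    "31f4cfb4c71da44120752721103a16512444c13d9e7648df7a3a8ad5651a7ec4"}  # gdrv.sys
NORMAL_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
EDR_PROCESSES = {"msmpeng.exe", "csagent.exe", "cylancesvc.exe", "sentinelagent.exe", "xagt.exe"}

def is_kernel_service_create(ev):  # Sysmon Event ID 1: sc.exe or PowerShell creating a kernel service
    image, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
    via_sc = image.endswith("\\sc.exe") and "create" in cmd and "type=kernel" in cmd
    via_ps = image.endswith(("\\powershell.exe", "\\pwsh.exe")) and "new-service" in cmd and "kerneldriver" in cmd
    return ev["id"] == 1 and (via_sc or via_ps)

def is_unexpected_driver_load(ev):  # Sysmon Event ID 6: .sys loaded from outside the normal driver dirs
    path = ev["image"].lower()
    return ev["id"] == 6 and path.endswith(".sys") and not path.startswith(NORMAL_DRIVER_DIRS)

def sha256_of(ev):  # Sysmon Hashes field is a comma-separated list of ALGO=value pairs, in any order
    return next((p[7:].lower() for p in ev.get("hashes", "").split(",") if p.upper().startswith("SHA256=")), None)

def correlate(events, load_window=timedelta(minutes=5), kill_window=timedelta(minutes=10)):
    """Chain: kernel service created -> unexpected driver load within load_window on the same host -> EDR kill."""
    ts = lambda ev: datetime.fromisoformat(ev["ts"])
    findings = []
    for svc in filter(is_kernel_service_create, events):
        for drv in filter(is_unexpected_driver_load, events):
            if drv["host"] != svc["host"] or not ts(svc) <= ts(drv) <= ts(svc) + load_window:
                continue
            # Event ID 5 (process terminated) for a known EDR/AV binary shortly after the driver load
            killed = sorted({e["image"].rsplit("\\", 1)[-1] for e in events if e["id"] == 5
                             and e["host"] == drv["host"] and ts(drv) <= ts(e) <= ts(drv) + kill_window
                             and e["image"].rsplit("\\", 1)[-1].lower() in EDR_PROCESSES})
            known = sha256_of(drv) in LOLDRIVER_HASHES
            findings.append({"host": drv["host"], "driver": drv["image"], "known_loldriver": known,
                             "edr_killed": killed, "level": "critical" if known or killed else "high"})
    return findings

# Constructed sample telemetry (not real logs): one BYOVD chain on WS01, one benign driver load on WS02.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "ts": "2026-05-23T10:00:00", "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc.exe create rtcore type=kernel binPath=C:\\Users\\Public\\rtcore64.sys"},
    {"id": 6, "host": "WS01", "ts": "2026-05-23T10:01:30", "image": "C:\\Users\\Public\\rtcore64.sys",
     "hashes": "SHA256=01aa278b07b58dc46c84bd0b1b5c8e9a45fd815d9f13dd6f6e5ccf4ac8e5ca9a"},
    {"id": 5, "host": "WS01", "ts": "2026-05-23T10:03:00", "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"id": 6, "host": "WS02", "ts": "2026-05-23T10:05:00", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},  # placeholder hash
]
```

Calling `correlate(SAMPLE_EVENTS)` yields a single critical finding for WS01 (known LOLDriver hash plus MsMpEng.exe terminated); the WS02 load from the normal driver directory produces nothing.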

Hunting Hypothesis

Hypothesis: Ransomware actors loaded a vulnerable kernel driver in the 30 minutes prior to any ransomware encryption event on endpoints where EDR telemetry gaps exist.

Start with hosts where you see a sudden drop in telemetry volume (Sysmon events per minute drop by more than 80%) — this is often your first signal that an EDR kill succeeded. Then pivot backwards: look for sc.exe create type=kernel or NtLoadDriver calls in the 30 minutes prior, and correlate the driver hash against the LOLDrivers catalogue at magicsword-io/LOLDrivers.
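An added Python sketch of this hunt, not from the original article: it flags host-minutes whose Sysmon event rate falls more than 80% below the trailing ten-minute baseline (including fully silent minutes, which is what a successful kill looks like) and then pivots 30 minutes back for kernel service creations and .sys loads. The event records, field names and the `until` cut-off are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def per_minute(events):
    """Sysmon events per (host, minute), timestamps truncated to the minute."""
    return Counter((e["host"], datetime.fromisoformat(e["ts"]).replace(second=0, microsecond=0)) for e in events)

def telemetry_drops(events, until, baseline_minutes=10, drop_ratio=0.8):
    """Return (host, minute) pairs where the event rate fell by more than drop_ratio against the
    mean of the preceding baseline_minutes. Minutes with no events at all are evaluated too,
    up to `until` (the hunt's 'now'), because a killed sensor simply stops emitting."""
    counts = per_minute(events)
    drops = []
    for host in {h for h, _ in counts}:
        first = min(m for h, m in counts if h == host)
        m = first + timedelta(minutes=baseline_minutes)
        while m <= until:
            baseline = sum(counts.get((host, m - timedelta(minutes=i)), 0)
                           for i in range(1, baseline_minutes + 1)) / baseline_minutes
            if baseline > 0 and counts.get((host, m), 0) < baseline * (1 - drop_ratio):
                drops.append((host, m))
            m += timedelta(minutes=1)
    return drops

def pivot_back(events, host, drop_minute, lookback=timedelta(minutes=30)):
    """Kernel-service creations and .sys image loads on `host` in the lookback window before the drop."""
    hits = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["host"] != host or not drop_minute - lookback <= t < drop_minute:
            continue
        if (e["id"] == 1 and "type=kernel" in e.get("cmdline", "").lower()) or \
           (e["id"] == 6 and e["image"].lower().endswith(".sys")):
            hits.append(e)
    return hits

# Constructed telemetry (not real logs): WS01 emits ~30 events/min for 14 minutes, the driver is
# staged at minutes 12-13, then Sysmon goes silent. The hunt runs with `until` set to minute 20.
T0 = datetime(2026, 5, 23, 10, 0)
SAMPLE = [{"id": 1, "host": "WS01", "ts": (T0 + timedelta(minutes=m, seconds=2 * s)).isoformat(),
           "image": "C:\\Windows\\explorer.exe", "cmdline": "noise"} for m in range(14) for s in range(30)]
SAMPLE += [
    {"id": 1, "host": "WS01", "ts": (T0 + timedelta(minutes=12, seconds=30)).isoformat(),
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc.exe create rtcore type=kernel binPath=C:\\Users\\Public\\rtcore64.sys"},
    {"id": 6, "host": "WS01", "ts": (T0 + timedelta(minutes=13, seconds=10)).isoformat(),
     "image": "C:\\Users\\Public\\rtcore64.sys"},
]
UNTIL = T0 + timedelta(minutes=20)
```

`telemetry_drops(SAMPLE, UNTIL)` first fires at minute 14, and `pivot_back(SAMPLE, "WS01", T0 + timedelta(minutes=14))` returns exactly the sc.exe creation and the rtcore64.sys load from the preceding minutes.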

Defensive Recommendations

  • Enable Kernel DMA Protection and HVCI (Hypervisor-Protected Code Integrity) on Windows 11/Server 2022+ endpoints. HVCI blocks unsigned and revoked drivers from loading at kernel level, neutralising most BYOVD attacks.
  • Maintain the Microsoft Vulnerable Driver Blocklist — ensure your Windows Defender Application Control (WDAC) policy incorporates the latest blocklist.
  • Alert on unexpected .sys file writes outside C:\Windows\System32\drivers\ and C:\Windows\System32\DriverStore\.
  • Monitor service creation events (Windows Security Event 4697) for kernel-type services created by non-system accounts.
  • Test your detection coverage with the Atomic Red Team test T1562.001 using a known safe LOLDriver in a lab environment.