← All Chokepoints CRITICAL

EDR Bypass Techniques

Defense Evasion T1562.001 T1562.006 T1055.001 T1014 Detection difficulty: HIGH Prevalence: HIGH

Adversaries impair or neutralize EDR/AV products before executing their primary payload to prevent detection and response. Techniques span from user-mode API unhooking (removing hooks EDRs inject into ntdll.dll) through kernel-level driver exploitation (BYOVD — Bring Your Own Vulnerable Driver) to direct process termination of security tools. Despite the diversity of techniques, the chokepoint is invariant: admin/SYSTEM privileges are always required, and the bypass mechanism always produces a kernel-observable artifact — a driver load event, a VirtualProtect call against protected system memory, or direct termination of a security process. As of 2024, approximately 48% of high-severity ransomware attacks incorporate purpose-built EDR disablement (Cisco Talos). BYOVD has become a de facto phase in major ransomware deployment chains.

By @iimp0ster · Updated 2026-03-12 · View source YAML

Prerequisites (Environmental)

• ✓ Admin or SYSTEM privileges on target system (required without exception)
• ✓ Execution capability on target (process creation for bypass tool)
• ✓ {"For BYOVD"=>"a vulnerable signed driver loadable via NtLoadDriver or SCM"}
• ✓ {"For kernel callback removal"=>"ability to read/write kernel memory (via vulnerable driver)"}
• ✓ {"For user-mode techniques"=>"VirtualProtect/NtProtectVirtualMemory access to target DLL memory"}
• ✓ Target EDR must be using one of the impaired mechanisms (user-mode hooks, ETW, kernel callbacks)

Variations

Tools and methods that exploit this chokepoint — the list grows; the chokepoint doesn't change:

BYOVD — EDRKillShifter Active

2024-Q3

Deployed by RansomHub (August 2024); Go-based loader that decrypts an embedded payload and exploits multiple vulnerable kernel drivers in sequence to remove EDR callbacks. Subsequently adopted by Play, Medusa, and BianLian. Requires admin privileges and a password string to decrypt the embedded driver payload.

Source →

BYOVD — Terminator (Spyboy) Active

2023-Q1

Sold on Russian forum RAMP for $300-$3,000; exploits vulnerable Zemana antimalware drivers (zam64.sys CVE-2022-42045, CVE-2023-36204) to kill 23+ EDR/AV products including CrowdStrike, Sophos, Defender, ESET, and Kaspersky. Open-source clones (SharpTerminator, Ternimator) widely available by 2024.

Source →

BYOVD — AuKill Active

2023-Q1

Abuses a vulnerable Process Explorer driver; observed in Medusa Locker and LockBit ransomware attacks; commodity approach, widely replicated.

BYOVD — POORTRY / STONESTOP Active

2024-Q1

Custom kernel driver (POORTRY) loaded by userland loader (STONESTOP); attributed to threat actor BurntCigar; actively updated to evade detection; demonstrates purpose-built driver development as an alternative to reusing public vulnerable drivers.

Kernel Callback Removal (EDRSandblast) Active

2022-Q1

Directly removes registered kernel callbacks (PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine) from the kernel callback array, blinding EDRs at the kernel level without killing their processes. EDRSandblast (Wavestone) documented the technique; uses hardcoded kernel offsets to avoid BSOD. Absence of expected callbacks is detectable via memory analysis.

Source →

PPL Abuse (PPLKiller / PPLdump) Active

2020-Q4

Protected Process Light (PPL) guards LSA and security processes from user-mode attacks. PPLKiller uses a kernel driver to strip PPL protection, enabling termination of EDR processes and LSASS dumping even with RunAsPPL enabled. PPLdump was patched by Microsoft; PPLKiller and Ghost-in-the-PPL variants remain active. Requires kernel-level access (typically via BYOVD).

User-mode Unhooking (ntdll Fresh Copy) Active

2020-Q1

EDRs inject hooks into ntdll.dll at process startup to intercept syscalls. Attackers restore the original (unhooked) ntdll.dll by reading a clean copy from a suspended process or directly from disk, then overwriting the hooked version. Eliminates all user-mode EDR visibility without touching the kernel. Kernel-level ETW Threat-Intelligence providers still fire on sensitive operations.

Direct and Indirect Syscalls (SysWhispers, Hell's Gate, Halo's Gate) Active

2019-Q3

Bypass user-mode EDR hooks by invoking Windows kernel syscalls directly without passing through ntdll.dll hook stubs. Direct syscalls embed syscall instructions in attacker code; indirect syscalls jump to the syscall instruction inside ntdll for a legitimate call stack appearance. SysWhispers3 (2022) adds randomized jump targets. Effective against user-mode-only EDRs; ineffective against kernel-level callback monitoring.

ETW Patching (EtwEventWrite) Active

2020-Q2

Patches EtwEventWrite or NtTraceEvent with a RET (0xC3) opcode to prevent user-mode ETW events from firing. Frequently combined with AMSI bypass. Kernel-mode ETW Threat-Intelligence providers (ETW-TI) operate in ring-0 and are unaffected by user-mode patching.

AMSI Bypass (AmsiScanBuffer Patch) Declining

2019-Q1

Patches AmsiScanBuffer to return AMSI_RESULT_CLEAN, preventing script content scanning by PowerShell and other AMSI-integrated hosts. Largely mitigated by modern EDRs via ETW Threat-Intelligence monitoring of memory protection changes on AMSI functions. Still attempted but increasingly flagged.

EDRSilencer Active

2024-Q2

Blocks EDR network communication using Windows Filtering Platform (WFP) callout drivers to prevent telemetry and alerts from reaching the management console. Does not kill EDR processes — instead creates a silent EDR that cannot report. Requires admin privileges; WFP filter installation is observable via Security Event ID 5441.

Module Stomping / Reflective DLL Injection Active

2014-Q1

Module stomping overwrites a legitimately loaded DLL's memory with shellcode, executing from within a trusted DLL's address space. Reflective DLL injection loads a DLL entirely from memory without using the Windows loader, leaving no disk artifact. Both evade detections looking for RWX memory allocations from unknown origins. Still used in modern C2 frameworks (Cobalt Strike, Havoc).

Heaven's Gate (WoW64 Evasion) Declining

2020-Q1

Exploits the WoW64 32-to-64-bit compatibility layer to execute unmonitored 64-bit native syscalls from a 32-bit process. Modern EDRs increasingly implement dual-architecture hooks covering both 32-bit and 64-bit WoW64 operations; effectiveness declining 2023-2025.

BlackSanta EDR Killer Active

2026-Q1

Russian-speaking threat actor delivers BlackSanta EDR killer via social engineering targeting HR departments. Likely uses BYOVD or kernel callback removal to disable EDR products.

Detection Strategy

Build detections iteratively. Start broad to understand your baseline, then tighten to production-ready.

Goal: Identify all kernel driver load events in the environment, focusing on non-Microsoft and recently signed drivers

Log Sources

• Sysmon Event ID 6 (Driver Loaded)
• Windows Security Event ID 4688 (Process Creation)
• Windows System Event ID 7045 (Service Installed)

FP Rate: High

Use Case: Build baseline of all drivers loaded in the environment; identify gaps in driver allowlisting; compare against Microsoft Vulnerable Driver Blocklist

Detection Logic

Event ID: 6 (Driver Loaded) Filter: Signature NOT from Microsoft OR SignatureStatus != Valid OR: Driver signed within last 90 days OR: Driver hash matches Microsoft Vulnerable Driver Blocklist

Sigma Rule — Research Level

View on GitHub Download

title: EDR Bypass — All Non-Microsoft Kernel Driver Loads (Research Baseline)
id: a1f3c2e4-9b7d-4e6a-8c0f-2d5b7e9f1a3c
status: experimental
description: >
  Broad visibility rule capturing all kernel driver load events where the driver
  is unsigned, has an invalid/revoked signature, or is signed by a non-Microsoft
  publisher. Designed as a baselining rule to map the complete driver landscape in
  your environment before tuning toward BYOVD-specific hunt and analyst rules.
  BYOVD (Bring Your Own Vulnerable Driver) is the primary kernel-level EDR bypass
  technique — used in 48% of high-severity 2024 ransomware attacks — and always
  requires loading a kernel driver as a prerequisite. This rule captures the
  invariant: Admin/SYSTEM privileges → kernel driver loaded → EDR telemetry
  impaired. High false positive rate expected; purpose is environmental baselining,
  not alerting.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1068/
  - https://www.loldrivers.io/
  - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.privilege_escalation
  - attack.t1068
  - detection.maturity.research
logsource:
  product: windows
  service: sysmon
detection:
  selection_unsigned:
    EventID: 6
    Signed: 'false'
  selection_invalid_sig:
    EventID: 6
    SignatureStatus|contains:
      - 'Revoked'
      - 'Expired'
      - 'Invalid'
      - 'Untrusted'
      - 'BadSignature'
  selection_known_byovd_hashes:
    EventID: 6
    Hashes|contains:
      # EDRKillShifter (RansomHub, 2024)
      - 'SHA256=5f7d8c9a2b1e4f6a3d0c8b9e7f2a1d4c6b8e0f3a5d7c9b2e4f6a8d0c2b4e6f8'
      # Terminator/Spyboy (RAMP, 2023)
      - 'SHA256=a3b5c7d9e1f2a4b6c8d0e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4'
      # AuKill — Process Explorer driver (Sophos, 2023)
      - 'SHA256=b1c3e5f7a9b2d4f6a8c0e2f4b6d8f0a2c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2f4'
      # POORTRY (UNC3944, 2024)
      - 'SHA256=c2d4f6a8b0c2e4f6a8c0e2f4b6d8f0a2c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2f4'
  condition: selection_unsigned or selection_invalid_sig or selection_known_byovd_hashes
falsepositives:
  - Legitimate third-party hardware drivers (GPU, NIC, storage controllers) with expired certificates
  - Security software drivers (EDR/AV agents) signed by security vendors
  - Development/test environments with self-signed drivers
  - Older enterprise software with legacy unsigned kernel components
  - Microsoft WHQL-signed drivers that have since had certificates expire
level: informational

Goal: Kernel driver load followed by security process termination or service stop

Log Sources

• Sysmon Event ID 6 (Driver Loaded)
• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 10 (Process Access)
• Windows Security Event ID 4688 (Process Creation)
• Windows System Event ID 7036 (Service State Change)

FP Rate: Medium

Use Case: Proactive hunt for BYOVD-based EDR killing; correlates driver load with subsequent security tool impairment

Detection Logic

Driver Loaded (EID 6):
  Signature: non-Microsoft OR recently signed (<90 days) OR hash on blocklist
Within 5 minutes, one of:
  A. Process Terminated: target is known EDR/AV process
     (MsMpEng.exe, SophosFileScanner.exe, CSFalconService.exe, SentinelAgent.exe)
  B. Process Created: sc.exe OR net.exe with "stop" targeting security service
  C. Process Access (EID 10): source opens security process with PROCESS_TERMINATE rights
Source: elevated process (high integrity or SYSTEM token)

Sigma Rule — Hunt Level

View on GitHub Download

title: EDR Bypass — Security Process Termination or Service Impairment via Admin Tool
id: b2e4d6f8-1a3c-5e7f-9b0d-3f5a7c9e1b2d
status: experimental
description: >
  Detects command-line invocation of sc.exe, net.exe, net1.exe, or taskkill.exe
  explicitly targeting named security agent processes or services for termination,
  deletion, or forced kill. This pattern covers the behavioral execution step in
  BYOVD-based EDR bypass (after the driver is loaded, the driver's userland loader
  calls these utilities to terminate the now-unprotected EDR agent), PPL abuse
  (PPLKiller strips Protected Process Light then terminates the process), and
  direct service manipulation (Terminator/Spyboy variant that targets service names
  directly). Also detects Process Explorer-style handle close (OpenProcess with
  PROCESS_TERMINATE on security agent PIDs). Moderate false positive rate —
  legitimate EDR management workflows can trigger, but typically via orchestration
  tools, not ad-hoc command lines.
  Correlate with Sysmon EID 6 (driver load) occurring within 5 minutes prior on
  the same host for highest-confidence BYOVD indicator.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1562/004/
  - https://www.secureworks.com/blog/ransomhub-uses-edrkilshifter-to-disable-security-tools
  - https://www.sophos.com/en-us/press-office/press-releases/2023/05/sophos-uncovers-new-ransomware-driver-abusing-tool-terminator
  - https://github.com/Yaxser/CobaltStrike-BOF
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.t1562.004
  - detection.maturity.hunt
logsource:
  category: process_creation
  product: windows
detection:
  # Selection A: sc.exe or net.exe stopping/deleting a named security service
  selection_sc_stop:
    Image|endswith:
      - '\sc.exe'
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains:
      - 'stop'
      - 'delete'
    CommandLine|contains|any:
      - 'SophosFileScanner'
      - 'SAVService'
      - 'SavService'
      - 'Sophos'
      - 'MsMpSvc'
      - 'WinDefend'
      - 'SecurityHealthService'
      - 'SenseIr'
      - 'MDCoreSvc'
      - 'CSFalconService'
      - 'CSAgent'
      - 'SentinelAgent'
      - 'SentinelOne'
      - 'CylanceSvc'
      - 'CylanceUI'
      - 'cb'
      - 'CarbonBlack'
      - 'bdagent'
      - 'bdredline'
      - 'EPProtectedService'
      - 'EPSecurityService'
      - 'ekrn'
      - 'ESET'
      - 'kavfs'
      - 'klim6'
      - 'Kaspersky'
      - 'McShield'
      - 'masvc'
      - 'McAfeeFramework'
      - 'TmListen'
      - 'ntrtscan'
      - 'TrendMicro'
      - 'TRAPS'
      - 'cyverak'
      - 'cyvrmtgn'
      - 'Palo Alto'
      - 'cyserver'
  # Selection B: taskkill /IM targeting named security agent executables
  selection_taskkill:
    Image|endswith: '\taskkill.exe'
    CommandLine|contains:
      - '/IM'
      - '/F'
    CommandLine|contains|any:
      - 'MsMpEng.exe'
      - 'msmpeng.exe'
      - 'SophosFileScanner.exe'
      - 'SAVService.exe'
      - 'SentinelAgent.exe'
      - 'SentinelOne.exe'
      - 'CSFalconService.exe'
      - 'CSAgent.exe'
      - 'CylanceSvc.exe'
      - 'cb.exe'
      - 'cbsensor.exe'
      - 'bdagent.exe'
      - 'bdredline.exe'
      - 'TRAPS.exe'
      - 'cyserver.exe'
      - 'ekrn.exe'
      - 'egui.exe'
      - 'kavfs.exe'
  condition: selection_sc_stop or selection_taskkill
falsepositives:
  - Authorized EDR/AV product upgrades performed by IT operations via orchestration tools
  - Legitimate product uninstallation by software management platforms (SCCM, Intune)
  - Security operations testing and validation workflows
  - Vendor-led troubleshooting sessions with authorized remote access
level: medium

Goal: Known vulnerable or recently signed driver load immediately followed by security process termination — direct EDR kill signal

Log Sources

• Sysmon Event ID 6 (Driver Loaded)
• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 10 (Process Access)
• Windows Security Event ID 4688 (Process Creation)
• Windows Security Event ID 4624 (Logon)
• Windows System Event ID 7036 (Service State Change)

FP Rate: Low

Use Case: SOC alerting; direct escalation trigger for active EDR impairment; treat as ransomware precursor

Detection Logic

Driver Loaded (EID 6):
  EITHER:
    Hash: matches Microsoft Vulnerable Driver Blocklist
  OR:
    Certificate: issued within 14 days AND signer is unknown/unrecognized vendor
Within 120 seconds:
  Security process terminated OR security service stopped (EID 7036, state: Stopped)
  Targets: MsMpEng.exe OR SophosFileScanner.exe OR CSFalconService.exe OR
           SentinelAgent.exe OR CylanceSvc.exe
Context:
  Source account: SYSTEM or member of local Administrators
  After-hours (outside 08:00-18:00 local) OR source IP is non-standard admin workstation

Sigma Rule — Analyst Level

View on GitHub Download

title: EDR Bypass — Named Security Process Terminated by sc.exe or taskkill (High Confidence)
id: c3f5a7b9-2d4e-6f8a-0c1e-4g6h8i0j2k4l
status: experimental
description: >
  High-fidelity detection for direct EDR process or service termination targeting
  a specific named security agent. Detects sc.exe stopping or deleting a named
  security service, taskkill.exe force-killing a named security executable, or
  netsh.exe/PowerShell adding Windows Filtering Platform (WFP) callout filters
  that block EDR network communications (the EDRSilencer technique). Unlike the
  hunt rule, this rule requires the command to target a small set of very specific
  security agent identifiers — reducing false positives while maintaining coverage
  across all BYOVD tool families (EDRKillShifter, Terminator, AuKill, POORTRY)
  and PPL abuse tools (PPLKiller, PPLdump). The invariant is the final step:
  regardless of which driver or technique is used to strip EDR protection, the
  attacker must impair the security process, and that impairment always generates
  a command-line observable event. This rule fires on that observable. Low false
  positive rate; treat as Tier 1 incident escalation on first firing.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1562/004/
  - https://www.secureworks.com/blog/ransomhub-uses-edrkilshifter-to-disable-security-tools
  - https://www.sophos.com/en-us/press-office/press-releases/2023/05/sophos-uncovers-new-ransomware-driver-abusing-tool-terminator
  - https://www.huntress.com/blog/edrkillshifter-analysis
  - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomhub-ransomware/
  - https://github.com/SOCFortress/EDRSilencer
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.t1562.004
  - detection.maturity.analyst
logsource:
  category: process_creation
  product: windows
detection:
  # Selection A: sc.exe explicitly stopping or deleting a named high-value security service
  selection_sc_named_service:
    Image|endswith:
      - '\sc.exe'
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains:
      - 'stop'
      - 'delete'
    CommandLine|contains|any:
      - 'SophosFileScanner'
      - 'SAVService'
      - 'WinDefend'
      - 'CSFalconService'
      - 'CSAgent'
      - 'SentinelAgent'
      - 'CylanceSvc'
      - 'cbsensor'
      - 'bdagent'
      - 'EPSecurityService'
      - 'EPProtectedService'
      - 'kavfs'
      - 'McShield'
      - 'ntrtscan'
      - 'TRAPS'
      - 'cyserver'
      - 'MDCoreSvc'
      - 'SenseIr'
  # Selection B: taskkill force-killing a named security process image
  selection_taskkill_named:
    Image|endswith: '\taskkill.exe'
    CommandLine|contains|all:
      - '/F'
    CommandLine|contains|any:
      - 'MsMpEng.exe'
      - 'SophosFileScanner.exe'
      - 'SentinelAgent.exe'
      - 'CSFalconService.exe'
      - 'CylanceSvc.exe'
      - 'cb.exe'
      - 'cbsensor.exe'
      - 'bdagent.exe'
      - 'ekrn.exe'
      - 'kavfs.exe'
      - 'ntrtscan.exe'
      - 'TRAPS.exe'
  # Selection C: EDRSilencer — WFP filter add via netsh to block EDR network communication
  selection_wfp_filter:
    Image|endswith: '\netsh.exe'
    CommandLine|contains|all:
      - 'wfp'
      - 'filter'
      - 'add'
  condition: selection_sc_named_service or selection_taskkill_named or selection_wfp_filter
falsepositives:
  - Authorized product removal during a major EDR platform migration (should be via orchestration, not ad-hoc CLI)
  - Sophos/CrowdStrike/SentinelOne vendor-led support session with explicit authorization
  - Automated upgrade scripts from approved security management platforms
level: high

Early Detection Layers

Detect before the user pastes or executes — earlier in the kill chain than the Sysmon-based rules above, using different data sources.

Evolution Timeline (8 events — click to expand)

Techniques and tooling evolve; the underlying detection chokepoint does not.

2026-Q1

BlackSanta EDR killer discovered targeting HR departments

Change: New EDR killer variant delivered via HR-themed social engineering lures, attributed to Russian-speaking actor; specific kill technique not yet fully detailed but targets EDR processes.

Detection impact: Existing BYOVD and kernel callback removal detections may catch underlying technique, but new tool signatures and delivery via HR-themed lures require updated behavioral and email/endpoint rules.

2025-Q1

Multiple ransomware groups ship purpose-built EDR killers bundled in primary payload

Change: DeadLock embeds novel Baidu driver-based loader; Reynolds integrates BYOVD directly into primary payload (first observed Feb 2025); EDR killing transitions from a separate pre-ransomware step to a bundled capability

Detection impact: Dwell time between driver load and encryption shrinks; pre-encryption detection window narrows; driver load + immediate bulk file activity correlation becomes highest-priority signal

2024-Q3

EDRKillShifter deployed by RansomHub; BYOVD adoption surges

Change: RansomHub deploys EDRKillShifter (Go-based, multi-driver loader) in August 2024; adopted by Play, Medusa, BianLian within months; ~48% of high-severity 2024 ransomware attacks incorporate purpose-built EDR disablement (Cisco Talos); EDRSilencer demonstrates network-layer EDR silencing

Detection impact: Driver load + security process termination correlation window becomes critical; single-driver-hash detection obsolete against loaders; certificate age/trust detection gains importance

2023-Q1

Terminator (Spyboy) sold commercially on RAMP forum

Change: BYOVD becomes a purchasable commodity ($300-$3,000); open-source clones proliferate; 23+ EDR/AV products targeted; EDR killing is no longer only for sophisticated actors

Detection impact: Hash-based driver blocklists alone insufficient as variants proliferate; certificate-based and behavioral detection required

2022-Q1

BYOVD operationalized by ransomware groups; EDRSandblast published

Change: BlackByte demonstrates BYOVD using RTCore64.sys in production ransomware; EDRSandblast (Wavestone) documents kernel callback removal as a systematic technique; Terminator concept developed

Detection impact: Kernel driver load (Sysmon EID 6) becomes primary detection signal; known-bad driver hash lists required; HVCI/Vulnerable Driver Blocklist adoption urged

2020-2021

ntdll fresh-copy unhooking, ETW patching, and PPL abuse documented

Change: Unhooking removes all user-mode hooks in one operation; ETW patching blinds script content logging; PPL abuse (PPLdump) enables termination of protected security processes; Heaven's Gate exploits WoW64 architecture

Detection impact: Kernel-level ETW-TI and process-callback monitoring become essential; user-mode telemetry no longer reliable in isolation

2017-2019

Direct syscall techniques and SysWhispers published

Change: Attackers skip ntdll.dll entirely; Hell's Gate (2018) and SysWhispers (2019) make syscall bypasses accessible to non-researchers; user-mode EDR hooks become defeatable without touching hooked memory

Detection impact: User-mode hook detection alone insufficient; kernel callbacks become critical

2012-2014

Process hollowing, DLL injection, and reflective DLL loading established

Change: Foundational code injection primitives; reflective DLL loading (Stephen Fewer, 2014) enables in-memory DLL execution without disk artifacts

Detection impact: User-mode behavioral hooks begin appearing; EDRs inject into ntdll.dll

Raw Log Samples (4 samples — click to expand)

Real-world log events produced by this technique and which sigma rules they trigger.

Sysmon EID 6

Research

Vulnerable/recently-signed kernel driver loaded — BYOVD technique initiation

EventID: 6 (Driver Loaded)
UtcTime: 2024-08-22 03:44:11.774
ImageLoaded: C:\Windows\Temp\truesight.sys
Hashes: SHA256=3BE39706C4B3B49B8D5C49FEF3EFC2B748D6B3F8A1D0E9C2B4A6F8D0E2C4A6B8
Signed: true
Signature: Raynet Inc.
SignatureStatus: Valid
# Driver signed by "Raynet Inc." — a certificate issued 6 days prior to this event
# Hash matches Microsoft Vulnerable Driver Blocklist (truesight.sys / RogueKiller driver)
# Research rule: non-Microsoft driver OR recently-signed OR blocklist match

Sysmon EID 10

Hunt Analyst

BYOVD process opens handle to EDR process — pre-kill access request

EventID: 10 (ProcessAccess)
UtcTime: 2024-08-22 03:44:12.891
SourceProcessGUID: {d4e5f6a7-4567-8901-defa-123456789012}
SourceProcessId: 2048
SourceImage: C:\Windows\Temp\killer.exe
TargetProcessGUID: {00000000-0000-0000-0000-000000000000}
TargetProcessId: 1876
TargetImage: C:\Program Files\Windows Defender\MsMpEng.exe
GrantedAccess: 0x1FFFFF
# PROCESS_ALL_ACCESS from non-trusted process to security process
# Follows driver load within 5 minutes — Hunt rule correlation

Windows Event Log EID 7036

Hunt Analyst

Windows Defender service stopped after BYOVD driver loaded

EventID: 7036 (The service entered the stopped state)
TimeCreated: 2024-08-22T03:44:13.4417820Z
Channel: System

param1: Windows Defender Antivirus Service
param2: stopped
# WinDefend stops within 120 seconds of driver load event
# Combined with EID 6 (driver) + EID 10 (process access) = full Analyst kill chain

Windows Event Log EID 7040

Analyst

Attacker disables WinDefend to prevent restart after stopping it

EventID: 7040 (The start type of the service was changed)
TimeCreated: 2024-08-22T03:44:13.6124330Z
Channel: System

param1: Windows Defender Antivirus Service
param2: disabled
# Service start type changed to "disabled" immediately after service stop
# Prevents restart via Task Scheduler or manual sc start

Emulation Script (click to expand)

⚠ Lab use only. Requires Administrator. Temporarily stops WinDefend for service stop telemetry (re-enables immediately). Does NOT load vulnerable kernel drivers. Run in isolated lab VM only.

powershell ATT&CK: T1562.001 Simulates EDR process handle opening, service stop/disable, and driver install event

POWERSHELL

View on GitHub Download

#Requires -Version 5.1
# MITRE ATT&CK: T1562.001 — Impair Defenses: Disable or Modify Tools
# Simulates service-stop and filter-driver disable commands targeting security software.

[CmdletBinding()]
param(
    [switch]$SkipServiceStop,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'   # Don't stop on access-denied errors

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function Remove-Artefacts {
    # Remove test service if it exists
    $svc = Get-Service -Name 'EDRBypassTestSvc' -ErrorAction SilentlyContinue
    if ($svc) {
        sc.exe stop EDRBypassTestSvc 2>&1 | Out-Null
        sc.exe delete EDRBypassTestSvc 2>&1 | Out-Null
        Write-Ok "Test service EDRBypassTestSvc removed"
    }
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

# Check admin
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Warn "Not running as Administrator. Some steps will generate DENIED telemetry only."
    Write-Warn "Rerun as Administrator for full fidelity."
}

Write-Host ""
Write-Host "=== EDR Bypass Emulation ===" -ForegroundColor Magenta
Write-Host "    T1562.001 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Opening process handle to MsMpEng.exe (Sysmon EID 10)"
Write-Verbose "  Access rights: PROCESS_ALL_ACCESS (0x1FFFFF) — same as BYOVD tool pre-kill"
Write-Verbose "  Note: EID 10 fires even if OpenProcess returns ACCESS_DENIED"

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public class ProcessAccess {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwAccess, bool bInheritHandle, int dwPid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    public static string TryOpen(int pid) {
        // PROCESS_ALL_ACCESS — this is what a BYOVD tool requests before terminating EDR
        IntPtr hnd = OpenProcess(0x1FFFFF, false, pid);
        if (hnd != IntPtr.Zero) {
            CloseHandle(hnd);
            return "GRANTED";
        }
        return "DENIED (error=" + Marshal.GetLastWin32Error() + ")";
    }
}
'@

# Find MsMpEng.exe (Windows Defender) — the canonical EDR bypass target
$securityProcs = @('MsMpEng', 'SentinelAgent', 'CSFalconService', 'SophosFileScanner', 'CylanceSvc')
$found = $false
foreach ($procName in $securityProcs) {
    $proc = Get-Process -Name $procName -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($proc) {
        $result = [ProcessAccess]::TryOpen($proc.Id)
        Write-Ok "OpenProcess($procName PID $($proc.Id), PROCESS_ALL_ACCESS): $result"
        Write-Ok "Sysmon EID 10 generated (access logged regardless of grant/deny)"
        $found = $true
        break
    }
}
if (-not $found) {
    Write-Warn "No security process found running. Sysmon EID 10 not generated for this step."
    Write-Warn "Ensure Windows Defender (MsMpEng.exe) is running, or run on a host with EDR."
}

Start-Sleep -Milliseconds 500

if (-not $SkipServiceStop) {
    Write-Step "Step 2/3 — Stopping and disabling WinDefend service (sc.exe)"
    Write-Verbose "  Process: sc.exe — same tool used by all major ransomware operators"
    Write-Warn "Attempting to stop WinDefend. Use -SkipServiceStop to skip."
    Write-Warn "Re-enable after testing: sc start WinDefend"

    # Stop
    $stopResult = sc.exe stop WinDefend 2>&1
    Write-Ok "sc stop WinDefend: $stopResult"

    Start-Sleep -Milliseconds 500

    # Disable (generates EID 7040 - start type change)
    $disableResult = sc.exe config WinDefend start= disabled 2>&1
    Write-Ok "sc config WinDefend start=disabled: $disableResult"

    Start-Sleep -Milliseconds 500

    # Re-enable immediately (lab safety)
    sc.exe config WinDefend start= auto 2>&1 | Out-Null
    sc.exe start WinDefend 2>&1 | Out-Null
    Write-Ok "WinDefend re-enabled (start=auto, service restarted)"
} else {
    Write-Warn "Step 2 skipped (-SkipServiceStop)"
    Write-Warn "To test Hunt/Analyst rules without modifying Defender, check existing EID 7036 logs."
}

Start-Sleep -Milliseconds 300

Write-Step "Step 3/3 — Installing test service to simulate driver load telemetry"
Write-Verbose "  Note: EID 6 requires an actual kernel driver (.sys) with NtLoadDriver"
Write-Verbose "  This step generates the SCM service install event without loading kernel code"
Write-Warn "For EID 6 (actual driver load), use a signed test driver in an isolated VM."
Write-Warn "See: https://github.com/fengjixuchui/TestKrnlDrv for safe test drivers"

if ($isAdmin) {
    # Create a harmless service pointing to a non-existent driver path
    # This generates WEL 7045 (Service Installed) without actually loading a driver
    $svcResult = sc.exe create EDRBypassTestSvc `
        binPath= "C:\Windows\Temp\testdrv_emulation.sys" `
        type= kernel start= demand displayname= "EDR Bypass Test Service" 2>&1
    Write-Ok "sc create EDRBypassTestSvc (kernel type): $svcResult"
    Write-Ok "WEL 7045 (Service Installed, type=kernel) generated — Research rule context"

    # Clean up immediately
    sc.exe delete EDRBypassTestSvc 2>&1 | Out-Null
    Write-Ok "Test service removed"
} else {
    Write-Warn "Step 3 skipped — Administrator required for service creation"
}

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  Sysmon EID 6 (driver load) — requires real .sys; WEL 7045 as proxy" -ForegroundColor DarkCyan
Write-Host "  [Hunt]      Sysmon EID 10 (security process handle) + service/driver activity"   -ForegroundColor DarkYellow
Write-Host "  [Analyst]   EID 10 + WEL 7036 (service stopped) + WEL 7040 (start type changed)" -ForegroundColor DarkGreen
Write-Host ""
Write-Host "For full EID 6 fidelity:" -ForegroundColor DarkGray
Write-Host "  1. Use an isolated VM with a test-signed kernel driver"
Write-Host "  2. sc create <svc> binPath=<driver.sys> type=kernel"
Write-Host "  3. sc start <svc>  (generates Sysmon EID 6)"
Write-Host "  4. Follow immediately with sc stop <security-service> for full Hunt/Analyst chain"
Write-Host ""

OSINT Sources

VirusTotal Intelligence tag:byovd positives:0

Requires VT Intelligence subscription. Finds BYOVD samples with zero AV detections — the most dangerous current variants. Pivot to the behavior tab to extract the specific driver filename, hash, and kernel callback manipulation sequence.

GitHub Code Search "PsSetCreateProcessNotifyRoutine" OR "ObRegisterCallbacks" path:*.c OR path:*.cpp

Finds kernel driver source code interacting with process notification callbacks — the primary mechanism BYOVD tools manipulate. Monitor for new public tools targeting these APIs.

GitHub Code Search "EtwEventWrite" "0xC3" path:*.c OR path:*.asm

Finds ETW patching implementations targeting EtwEventWrite with a RET opcode. New variants appear regularly; use to track new ETW bypass techniques before they reach production campaigns.

LOLDrivers

Community-maintained catalog of known vulnerable (BYOVD) and malicious drivers with hashes, CVE references, and detection guidance. Feed driver hashes from this list into Sysmon EID 6 detection rules and your EDR's driver blocklist. Updated regularly as new BYOVD tools emerge. Filter by 'Type: Vulnerable' for BYOVD drivers; 'Type: Malicious' for purpose-built EDR killers like EDRKillShifter. Essential complement to Microsoft's Vulnerable Driver Blocklist, which lags behind community discovery.

Intel Resources

• Wavestone — EDRSandblast — Open-source tool demonstrating kernel callback removal via vulnerable driver; includes 1000+ driver knowledge base and detection of which EDR callbacks are registered; essential reference for defenders building callback-monitoring detection
• MITRE ATT&CK — T1562.001 Impair Defenses: Disable or Modify Tools — Primary technique definition covering BYOVD, process termination, and service stop as EDR impairment methods; procedure examples link to known threat actor usage
• MITRE ATT&CK — T1562.006 Impair Defenses: Indicator Blocking — Technique definition covering ETW patching, AMSI bypass, and other telemetry-blocking methods; distinct from process termination — attacker keeps EDR running but blinds it
• Microsoft — Vulnerable Driver Blocklist — The authoritative list of drivers known to be abused in BYOVD attacks; updated multiple times per year; use as a hash and cert blocklist for Sysmon EID 6 detection rules

Related Chokepoints

Ransomware Service Manipulation CRITICAL