Gartner Hype Cycle for AI and Cybersecurity
Why Cynet
Our Valued Partners
Industry Validation
Platform
Solutions
Prevent, detect, and remediate threats automatically.
Detect and isolate suspicious traffic instantly.
Identify misconfigurations and risks before attackers do.
Block phishing and malicious attachments.
Extend protection to every device.
Stop credential theft and lateral movement.
Pre-built playbooks and automated workflows that reduce manual effort.
Partners
Resources
Resource Center
Company
Why Cynet
Our Valued Partners
Industry Validation
Platform
Solutions
Prevent, detect, and remediate threats automatically.
Detect and isolate suspicious traffic instantly.
Identify misconfigurations and risks before attackers do.
Block phishing and malicious attachments.
Extend protection to every device.
Stop credential theft and lateral movement.
Pre-built playbooks and automated workflows that reduce manual effort.
Partners
Resources
Resource Center
Company
By: Cynet Research Labs
Bring Your Own Vulnerable Driver (BYOVD) has become one of the most observed techniques for obtaining privileged kernel access during modern cyber intrusions. Rather than finding a new vulnerability, threat actors abuse legitimately signed but vulnerable drivers that the operating system already trusts. By abusing functionality exposed by these vulnerable drivers, they obtain powerful kernel capabilities without finding new vulnerabilities or being affected by patches, making advanced defense evasion techniques more practical and repeatable.
Cynet Research and CyOps teams have observed BYOVD being adopted with increasing frequency, particularly by ransomware operators. Across these investigations, a consistent operational pattern emerges threat actors attempt to establish privileged kernel access early in the intrusion to reduce the complexity of the stages that follow.
Although BYOVD is not a new technique, its continued adoption has fundamentally changed the economics of modern attacks. Instead of investing in sophisticated kernel exploitation, threat actors increasingly rely on publicly available vulnerable drivers to obtain reusable kernel primitives that simplify privilege escalation, defense evasion, and interaction with protected Windows security mechanisms.
So, what is the normal path Windows uses when an application talks to the kernel? BYOVD does not rely on a hidden back door. It abuses that ordinary, trusted communication path.

The Driver: A driver is a software component that enables Windows to communicate with hardware and low-level operating system services. Many drivers run in kernel mode, where code executes significantly greater privileges than a normal user-mode application. Kernel code can reach memory, processes, and security controls that user-mode code cannot. That is why a driver bug, or an unsafe driver interface, can affect the whole system, not just one app.
Device Object: Windows exposes a driver through a device object: a kernel object that represents the driver as something applications can connect to. The driver often publishes a user-visible name such as \\.\MyDriver. That name is the communication endpoint through which applications send requests to the driver.
IRP (Input/Output Request Packet): An IRP is a kernel data structure created by the Windows I/O Manager to represent an input/output request as it travels through the driver stack. When an application calls DeviceIoControl, Windows packages the request into an IRP containing information such as the requested operation, the associated buffers, the originating process, and the status of the request. The IRP is then delivered to the driver’s dispatch routine, which processes the request and eventually completes it with success or error status. Because the IRP carries both caller-controlled data and kernel-managed metadata, the driver must interpret its contents carefully and validate all relevant fields before performing privileged operations.
IOCTL (Input/Output Control): An IOCTL is a structured request sent from a user-mode application to a driver by calling DeviceIoControl. Each request contains many fields; some of the interesting fields are:
In a well-designed driver, each IOCTL performs a narrowly defined task, and sensitive operations are carefully validated before execution. Problems arise when a driver exposes privileged functionality to untrusted callers or fails to validate the request, the caller, or the supplied data.
The Dispatcher: Inside the driver, incoming IOCTLs are routed by a dispatcher, typically the handler for IRP_MJ_DEVICE_CONTROL. The dispatcher reads the control code and decides which internal function should run, like a switchboard connecting a request to the right handler.
The dispatch routine is responsible for validating every request before executing privileged operations. It verifies that the requested IOCTL is permitted, that the supplied buffers are valid, and that the request originates from an authorized caller. When these validation checks are incomplete or incorrect, functionality intended only for trusted kernel code may become accessible through the driver’s IOCTL interface.
Every BYOVD attack ultimately depends on this execution path. Rather than exploiting a new interface, threat actors abuse the same trusted communication path used by legitimate applications, turning it into a reusable attack vector.
The driver is not malware by design. It is real, trusted software, often from a hardware vendor or security product with a normal device object and a normal IOCTL interface. Threat actors do not need to exploit Windows itself. They load that driver, open a handle to its device, and send IOCTLs through the same API any legitimate application would use.
The failure mode is specific:
BYOVD is not the installation of a malicious driver. It is the abuse of a legitimate driver’s vulnerable IOCTL interface, allowing untrusted user-mode input to reach privileged kernel functionality that Windows intended only for trusted kernel code.
Understanding how BYOVD works explains only part of the story. The more important question is why it has become an increasingly common technique in modern threat campaigns.
As endpoint protection has become more effective, threat actors have increasingly adopted techniques that reduce operational complexity rather than relying solely on more sophisticated evasion methods. Without privileged kernel access, an intrusion must remain cautious and deliberate. Threat actors are forced to work around endpoint protection, behavioral detections, protected processes, kernel callbacks, and security telemetry while minimizing opportunities for defenders to detect and disrupt their activity. Every additional action increase both operational complexity and the likelihood of detection.
BYOVD fundamentally changes that equation. Once kernel-level access has been established, much of the security stack that previously constrained the intrusion no longer operates in the same way. Rather than spending time continuously working around defensive controls, threat actors can focus on progressing toward their objectives.
Importantly, BYOVD does not eliminate detection; it changes where detection occurs. Mature security teams monitor more than behavioral alerts. They also monitor endpoint health, telemetry flow, and security agent heartbeat. When those signals stop or degrade unexpectedly, the loss of visibility becomes an indicator. BYOVD therefore compresses the attack into a limited operational window. Threat actors must achieve their objectives before defenders investigate the telemetry gap and begin containment.

For defenders, the implication is straightforward. None of these kernel-level capabilities become available until the vulnerable driver has been successfully loaded by Windows. That makes the driver load itself one of the earliest and most valuable opportunities to detect, prevent, and disrupt the attack before it accelerates into its later stages.
The previous section explained why BYOVD has become an increasingly common technique in modern threat campaigns. The next question is what threat actors gain once a vulnerable driver has been successfully loaded into the Windows kernel.
Once kernel access has been established, the focus shifts from obtaining privileged execution to using the kernel capabilities that support the remainder of the intrusion.
The importance of these operational objectives becomes clear during real incident response investigations. The following case study demonstrates how this operational workflow appeared during a real-world BYOVD intrusion investigated by the Cynet Research and CyOps teams, and how preventing the vulnerable driver from loading interrupted the attack before those capabilities became available.
In the engagements involving BYOVD based intrusions investigated by Cynet, threat actors typically established privileged kernel access after obtaining hands-on-keyboard (HOK) access to a compromised endpoint. Rather than immediately progressing ransomware deployment or other post-compromise activity, they first attempt to introduce a vulnerable Windows driver, establish kernel-level execution, and only then continue with the remainder of the intrusion.
One investigation involved the Gentlemen ransomware operation. After establishing HOK access through Remote Desktop Protocol (RDP), the operators transferred multiple variants of the Microsoft-signed PoisonX vulnerable driver to the compromised endpoints. The driver files were observed being staged in the compromised user Downloads directory before the creation of a Windows service used to prepare the driver for kernel loading.

Investigation Outcome
Cynet detected and prevented the attempted driver from loading before the newly created service could establish privileged kernel execution. Interrupting the intrusion at this stage preserved endpoint visibility and prevented the kernel primitives required to weaken security controls before ransomware deployment from becoming available.
Because the vulnerable driver never loaded, telemetry remained intact throughout the investigation. The Cynet platform continued collecting endpoint telemetry while the CyOps team correlated the attempted BYOVD activity with the broader intrusion, validated the threat actor’s objectives, and initiated response actions, including endpoint isolation where appropriate.
To understand why PoisonX provided an effective BYOVD primitive during this intrusion, it is useful to examine how the driver exposes privileged functionality after being loaded into the Windows kernel.
Why PoisonX?
PoisonX illustrates why vulnerable drivers continue to appear in modern ransomware operations.
Like many vulnerable drivers used in BYOVD operations, PoisonX follows the standard Windows driver’s communication model. After the driver is loaded by the kernel, it exposes a user-mode device interface that allows an application to communicate with the kernel through DeviceIoControl. Requests are received by the driver’s IRP_MJ_DEVICE_CONTROL dispatch routine, where a vulnerable IOCTL handler processes user-supplied input before invoking privileged kernel functionality.
The important observation is not the specific implementation of PoisonX, but the architectural pattern it represents. Rather than exploiting Windows kernel vulnerability, the threat actors abuse a legitimate driver that exposes privileged functionality through an unsafe IOCTL interface, transforming a trusted signed driver into a reusable kernel primitive. This same architectural pattern has been observed across numerous publicly documented vulnerable drivers used in modern BYOVD campaigns.
Reverse Engineering Summary

Reverse engineering of PoisonX samples shows a predictable internal chain:
1. User-mode requests reach the driver’s IRP_MJ_DEVICE_CONTROL

2. A vulnerable IOCTL handler processes application-supplied input before invoking privileged kernel functionality.

3. Ring 0 kill routine: the driver opens the target process from kernel mode with broad access (PROCESS_ALL_ACCESS semantics) and terminates it with ZwTerminateProcess.

Why this mattered in the investigation
PoisonX is significant not because it is unusually sophisticated, but because it transforms a trusted signed driver into a reusable kernel primitive. Had the driver loaded successfully, the threat actors would have obtained the kernel capabilities required to weaken endpoint protections before ransomware deployment.
In this engagement, Cynet detected and prevented the driver from loading before kernel execution was established. That interruption preserved endpoint telemetry, prevented the loss of visibility that typically precedes defense impairment, and enabled the CyOps team to investigate and contain the intrusion before the attack progressed further.
Research Observation
Across multiple Cynet incident response engagements a consistent operational pattern emerged. Regardless of the ransomware family or vulnerable driver involved, threat actors repeatedly attempted to establish privileged kernel access before disabling security controls or progressing ransomware deployment.
Although different campaigns leveraged different legitimately signed vulnerable drivers, including PoisonX, GoFly, CcProtect, and UnknownKiller, the objective remained consistent: to obtain reusable kernel capabilities that simplify defense evasion and accelerate the remainder of the intrusion. Rather than treating individual vulnerable drivers as isolated indicators, defenders should recognize BYOVD as a recurring stage within a broader attack workflow. Identifying and interrupting this stage provides an opportunity to preserve endpoint visibility and contain the intrusion before threat actors gain kernel-level control.
Bring Your Own Vulnerable Driver (BYOVD) has evolved from a niche post-exploitation technique into a practical and repeatable component of modern ransomware operations. Rather than investing in sophisticated kernel exploits, modern ransomware operators increasingly abuse legitimately signed but vulnerable drivers to obtain privileged kernel capabilities that simplify privilege escalation, defense evasion, and interaction with protected Windows security mechanisms.
This research demonstrates that BYOVD is not defined by any single vulnerable driver. Rather the technique is characterized by a repeatable operational workflow:
Although the vulnerable driver may differ between campaigns, the operational workflow remains remarkably consistent, providing defenders with a reliable opportunity to detect and interrupt the intrusion before kernel-level capabilities become available.
As BYOVD adoption continues to increase, organizations should treat vulnerable driver abuse as an early-stage intrusion indicator rather than an isolated event. Detecting driver loading, monitoring service creation, and preserving endpoint telemetry provide defenders with an opportunity to interrupt the intrusion before threat actors obtain the kernel capabilities that enable defense impairment and accelerate ransomware deployment.
Files
| File | SHA256 Hash |
|---|---|
| C:\Users\{User}\Downloads\PoisonX3.sys | 4948e89b532804590490aaae41f4b582a89592c931e557b6ddfff0b8d6ee8cf5 |
| C:\Users\{User}\Downloads\PoisonX4.sys | 83DB6A37D9EC9923CA2AA677B4F4D8B67C8B2468046D21136A57FFE92EBA6CAC |
| C:\Users\{User}\Downloads\PoisonX10.sys | D58DF93524EAD1A1F939438EF63B5A9E42AACEC7463ED29878293382996640CE |
| C:\Windows\System32\CcProtect.sys | 5f0cfe8357bb52b45068ddbac053e32bc38e6cb5e086746f5402657b0a5cfb1c |
| C:\Windows\System32\eb.sys | 97bd65e98cdc4e93d49edd4ea905d43a61244df0fd3323e6649330de3b1be091 |
| C:\Windows\System32\ly64.sys | 2fdfdd13a0c548bb68c9d5aa8599a9265d4659da3e237fe7a42ac6ac06b9a06a |
Registry Keys:
| Key | Subkey | Value |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services | PoisonX | Any values |
MITRE Mapping
| Technique | Description |
|---|---|
| T1021.001 | Remote Services: Remote Desktop Protocol |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1562.001 | Impair Defenses: Disable or Modify Security Tools |
| T1068 | Exploitation for Privilege Escalation |
Looking for a powerful, cost effective XDR solution?
Search results for: