The "Bring Your Own Vulnerable Driver" (BYOVD) attack vector has graduated from a proof-of-concept to a staple in the arsenal of sophisticated threat actors. Recent intelligence indicates a concerning expansion in the "EDR-Killer" ecosystem, with malware families like AuKill, Terminator, and Malware actively abusing signed, vulnerable drivers to disable endpoint detection and response (EDR) solutions.
For defenders, this is a critical escalation. When an adversary loads a kernel-level driver, they effectively bypass user-mode security controls, terminate anti-tamper protections, and gain the ability to manipulate system memory freely. This is often the precursor to ransomware deployment or credential theft. We cannot treat this as merely a vulnerability management issue; it is an operational security emergency requiring immediate detection and hardening.
Technical Analysis
The core mechanic of BYOVD involves the attacker dropping a legitimate, digitally signed driver—often extracted from a legitimate software installer—onto a compromised system. These drivers contain known vulnerabilities (CVEs) that allow arbitrary read/write operations in kernel memory.
Affected Components and CVEs
While the specific EDR killer tool varies, the underlying abused drivers remain consistent. The most frequently targeted drivers include:
- RTCore64.sys (MSI Afterburner): Vulnerable to CVE-2019-16098. This driver allows arbitrary IOCTL calls that can manipulate kernel memory, commonly used to kill protected processes.
- DBUtil_2_3.sys (Dell): Vulnerable to CVE-2021-21551. A severe memory corruption vulnerability exploited to elevate privileges and disable security callbacks.
- AswArPot.sys (Avast): Targeted by the "AuKill" tool. While the specific CVE is often tied to older versions of the anti-rootkit driver, the abuse vector involves leveraging its kernel privileges to kill processes.
- mhyprot2.sys (Genshin Impact anti-cheat): Abused for its extensive kernel access.
Attack Chain
- Initial Access: Via phishing, exploit, or valid credentials.
- Payload Staging: The attacker drops a copy of the vulnerable signed driver (e.g., RTCore64.sys) to disk, often in C:\Windows\Temp\ or a user directory.
- Service Creation: The attacker uses sc.exe or the Windows Service API to create a new kernel-mode service pointing to the malicious driver.
- Exploitation: The service starts, loading the driver into Ring 0. The malware interacts with the driver via specific IOCTL codes to patch the kernel or terminate security processes (EDR agents).
Exploitation Status
These vulnerabilities are not theoretical. They are "in-the-wild" and actively exploited by ransomware operators (e.g., LockBit, Medusa) and commodity malware. While vendors like Dell and MSI have patched these drivers in their own software updates, the vulnerable .sys files persist in the wild and are being bundled into attack kits.
Detection & Response
Detecting BYOVD requires a shift in mindset. We are not just looking for malicious files; we are looking for the abuse of legitimate files. The most reliable detection pivot is the service creation of a driver by a non-administrative process or the loading of a driver that does not belong to the standard OS or authorized vendor set.
Sigma Rules
---
title: EDR Killer - Service Creation via Known Vulnerable Driver
id: 4a8f2c19-9e0b-4c6d-9c2a-1a5f8e9b0c1d
status: experimental
description: Detects the creation of a Windows service utilizing known BYOVD-vulnerable drivers (RTCore64, DBUtil, mhyprot2) often used in EDR killer tools.
references:
    - https://www.darkreading.com/vulnerabilities-threats/edr-killer-ecosystem-expansion-requires-stronger-byovd-defenses
author: Security Arsenal
date: 2024/10/24
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    # Two selections: the same 'CommandLine|contains' key cannot appear twice in one
    # YAML mapping, so the 'create' keyword and the driver names are split and ANDed.
    selection_sc:
        Image|endswith: '\sc.exe'
        CommandLine|contains: 'create'
    selection_driver:
        CommandLine|contains:
            - 'RTCore64.sys'
            - 'dbutil_2_3.sys'
            - 'mhyprot2.sys'
            - 'aswArPot.sys'
    condition: selection_sc and selection_driver
falsepositives:
    - Legitimate installation of MSI Afterburner or Dell utilities (rare in enterprise envs)
level: critical
---
title: EDR Killer - Loading of Known Vulnerable Drivers
id: 5b9g3d20-0f1c-5d7e-0d3b-2b6g9f0c1d2e
status: experimental
description: Detects the loading of known vulnerable drivers commonly abused in BYOVD attacks. Note: Requires Sysmon or comparable driver logging.
references:
    - https://www.darkreading.com/vulnerabilities-threats/edr-killer-ecosystem-expansion-requires-stronger-byovd-defenses
author: Security Arsenal
date: 2024/10/24
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        # Sigma string matching is case-insensitive by default, so one spelling per driver suffices.
        Loaded|endswith:
            - '\RTCore64.sys'
            - '\dbutil_2_3.sys'
            - '\mhyprot2.sys'
            - '\aswArPot.sys'
    condition: selection
falsepositives:
    - Legitimate use of MSI Afterburner or Dell Support Assist
level: high
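The logic of the two Sigma rules above, plus the path-based pivot from the Detection & Response paragraph, run over constructed Sysmon-style events. This is an added example, not code from the original post; the event field names (EventType, Image, CommandLine, ImageLoaded, Host), the sample hosts and the expected driver directory are assumptions.

```python
# Driver names from the two Sigma rules above; Sigma string matching is
# case-insensitive by default, so everything is compared in lower case.
VULNERABLE_DRIVERS = ("rtcore64.sys", "dbutil_2_3.sys", "mhyprot2.sys", "aswarpot.sys")
# Assumed location of OS-shipped drivers; a driver loaded from anywhere else
# is the page's second pivot ("does not belong to the standard OS set").
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process_creation(event):
    """Rule 1: sc.exe 'create' whose command line names a vulnerable driver."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith("\\sc.exe") or "create" not in cmd:
        return None
    hits = [d for d in VULNERABLE_DRIVERS if d in cmd]
    return ("critical", f"sc.exe service creation referencing {hits[0]}") if hits else None

def check_driver_load(event):
    """Rule 2 plus the path pivot: known-bad name, or a .sys from outside the OS driver dir."""
    loaded = event.get("ImageLoaded", "")
    if _basename(loaded) in VULNERABLE_DRIVERS:
        return ("high", f"known vulnerable driver loaded: {loaded}")
    if not loaded.lower().startswith(EXPECTED_DRIVER_DIR):
        return ("medium", f"driver loaded from non-standard path: {loaded}")
    return None

def triage(events):
    """Run each event through the matching rule; return (host, level, reason) tuples."""
    alerts = []
    for ev in events:
        rule = check_process_creation if ev["EventType"] == "process_creation" else check_driver_load
        result = rule(ev)
        if result:
            alerts.append((ev["Host"], *result))
    return alerts

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"EventType": "process_creation", "Host": "WS01", "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": 'sc.exe create kdrv type= kernel binPath= "C:\\Windows\\Temp\\RTCore64.sys"'},
    {"EventType": "driver_load", "Host": "WS01", "ImageLoaded": "C:\\Windows\\Temp\\RTCore64.sys"},
    {"EventType": "driver_load", "Host": "WS02", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventType": "driver_load", "Host": "WS03", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.sys"},
    {"EventType": "process_creation", "Host": "WS02", "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc.exe query wuauserv"},
]
```

Running triage(SAMPLE_EVENTS) yields three alerts: a critical one for the service creation, a high one for the driver load from Temp, and a medium one for the unknown driver in a user profile; the tcpip.sys load and the sc.exe query produce nothing.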
KQL (Microsoft Sentinel / Defender)
// Hunt for BYOVD drivers loaded into kernel memory.
// Driver loads are recorded in DeviceEvents with ActionType "DriverLoad";
// DeviceImageLoadEvents only covers user-mode DLL loads and would miss them.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "DriverLoad"
| where FileName in~ ("RTCore64.sys", "dbutil_2_3.sys", "aswArPot.sys", "mhyprot2.sys")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, FolderPath, SHA1
| extend Tactic = "BYOVD / EDR Evasion"
Velociraptor VQL
-- Hunt for known vulnerable drivers on the filesystem.
-- Forward slashes avoid backslash escaping in VQL string literals. The attack chain
-- stages drivers in Temp and user directories, so the glob looks beyond System32\drivers.
-- The regex is anchored; VQL regex matching is case-insensitive by default.
SELECT FullPath, Size, Mtime
FROM glob(globs=[
    "C:/Windows/System32/drivers/*.sys",
    "C:/Windows/Temp/*.sys",
    "C:/Users/*/AppData/Local/Temp/*.sys"])
WHERE Name =~ '^(RTCore64|dbutil_2_3|mhyprot2|aswArPot)[.]sys$'
Remediation Script (PowerShell)
# Check for presence of known vulnerable drivers in the directories where they are
# legitimately installed and where the attack chain above stages them (Temp, user profile).
$vulnerableDrivers = @("RTCore64.sys", "dbutil_2_3.sys", "aswArPot.sys", "mhyprot2.sys")
$searchPaths = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", "$env:TEMP")
Write-Host "[+] Checking for vulnerable BYOVD drivers..."
foreach ($path in $searchPaths) {
    foreach ($driver in $vulnerableDrivers) {
        $fullPath = Join-Path -Path $path -ChildPath $driver
        if (Test-Path $fullPath) {
            Write-Host "[!] FOUND VULNERABLE DRIVER: $fullPath" -ForegroundColor Red
            # Optional: Remove the file if you are certain it is not needed by legitimate software
            # Remove-Item -Path $fullPath -Force
        }
    }
}
Write-Host "[-] Driver file check complete." -ForegroundColor Green

# Check HVCI (Hypervisor-Protected Code Integrity) status.
# SecurityServicesConfigured and SecurityServicesRunning are arrays of service IDs,
# not bitmasks: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
# "Running" is the authoritative state; "Configured" only means the policy is set.
$ci = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
Write-Host "[+] SecurityServicesConfigured: $($ci.SecurityServicesConfigured -join ',')"
Write-Host "[+] SecurityServicesRunning: $($ci.SecurityServicesRunning -join ',')"
if ($ci.SecurityServicesRunning -contains 2) {
    Write-Host "[+] HVCI (Memory Integrity) is ENABLED and running." -ForegroundColor Green
} else {
    Write-Host "[!] HVCI (Memory Integrity) is DISABLED. Enable it to mitigate BYOVD." -ForegroundColor Yellow
}
Remediation
Relying solely on detection is dangerous against kernel-level threats. You must assume that some BYOVD attempts will bypass initial detection. A layered defense is required.
- Enable HVCI (Memory Integrity): This is the single most effective control. HVCI uses virtualization-based security (VBS) to ensure only signed, trustworthy code can execute in kernel memory. Most vulnerable BYOVD drivers cannot load if HVCI is strictly enforced.
  - Action: Enable "Memory Integrity" in Windows Security > Device Security > Core isolation details, via Group Policy or Intune.
- Enforce the Microsoft Vulnerable Driver Blocklist: Microsoft maintains a list of drivers known to be abused.
  - Action: Deploy the blocklist via Intune (Endpoint Security > Attack Surface Reduction > Rules) or Group Policy. Ensure the policy is set to "Enabled" and configured to block the Microsoft Driver Blocklist.
- Driver Signature Enforcement: Ensure systems are configured to block drivers with invalid signatures or those that have been revoked.
  - Action: Verify that the HKLM\SYSTEM\CurrentControlSet\Control\CI\Config registry settings align with your organizational security baseline.
- Patch Management: While the drivers abused (like RTCore64) are old, they persist because they are part of user-installed software (utilities, games).
  - Action: Identify and ban software installers that bundle these drivers via AppLocker or WDAC policies.