A critical shift in the threat landscape has emerged with the active exploitation of a malicious kernel driver that was erroneously signed by Microsoft. Dubbed the "GodDamn" incident by researchers, this campaign utilizes a Bring Your Own Vulnerable Driver (BYOVD) technique to achieve kernel-level code execution. By leveraging a legitimate Microsoft signature, the attackers bypass Driver Signature Enforcement (DSE), load a malicious payload into the kernel, and forcibly terminate Endpoint Detection and Response (EDR) and antivirus processes. This creates a window of opportunity to deploy encryption-based payloads without interference. For defenders, this represents a significant failure of trust in the driver supply chain and requires immediate updates to detection logic and endpoint configurations.
Technical Analysis
Affected Products and Platforms
- Platform: Windows 10, Windows 11, and Windows Server environments where kernel drivers can be loaded.
- Vector: Malicious Kernel Driver (Microsoft-signed).
Attack Chain and Exploitation Mechanism
- Initial Access: The threat actor gains initial access through standard vectors (phishing, exposed services, or valid credentials).
- Driver Deployment: The attacker drops a malicious kernel driver file (
.sys) onto the disk. Because this driver was signed by Microsoft, it passes standard integrity checks and is loaded by the OS. - Kernel-Level Execution: Once loaded, the driver runs in Ring 0 (kernel mode). The driver utilizes kernel-mode APIs to manipulate system structures.
- Security Software Termination (The Kill Switch): The driver specifically targets security software processes (e.g.,
MsMpEng.exe,svchost.exehosting AV services, or third-party EDR agents). By operating in the kernel, the driver can terminate these protected processes that user-mode malware cannot easily kill. - Payload Execution: With defenses neutralized, the "GodDamn" ransomware payload executes, encrypting files on the host.
Exploitation Status
- Status: Confirmed Active Exploitation.
- Technique: BYOVD (Bring Your Own Vulnerable Driver) leveraging a misappropriated valid signature.
CVE Identifiers
- No specific CVE identifier is associated with this specific news item. The issue stems from a supply chain/control failure in the driver signing process rather than a software buffer overflow in the traditional sense.
Detection & Response
Given that the driver possesses a valid signature, traditional signature-based detection of the driver file itself is ineffective until Microsoft revokes the certificate. Detection must focus on the behavioral aspects of the attack: the loading of the driver and the subsequent termination of security processes.
SIGMA Rules
---
title: Potential 'GodDamn' Ransomware Process Execution
id: 8c4d21e9-9a12-4f78-8b3a-1d2f3c4b5e6a
status: experimental
description: Detects the execution of processes associated with the 'GodDamn' encryption-based incident.
references:
- https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\goddamn.exe'
- '\encrypt.exe'
or OriginalFileName:
- 'goddamn.exe'
condition: selection
falsepositives:
- Unlikely, highly specific naming convention
level: critical
---
title: Suspicious Service Creation of Kernel Driver (BYOVD Indicator)
id: 9d5e32f0-0b23-4e89-9c4d-1e2f3a4b5c6d
status: experimental
description: Detects the creation of a kernel-mode driver service via sc.exe or PowerShell, a common step in BYOVD attacks.
references:
- https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies
author: Security Arsenal
date: 2026/04/06
tags:
- attack.privilege_escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
Image|endswith:
- '\sc.exe'
CommandLine|contains:
- 'create'
- 'type= kernel'
selection_ps:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'New-Service'
- 'Kernel'
condition: 1 of selection_*
falsepositives:
- Legitimate installation of hardware drivers or VPN software
level: medium
---
title: Termination of Security Processes via Driver/Kernel Context
id: a1f4c5e6-2b3d-4e5f-8a7b-9c0d1e2f3a4b
status: experimental
description: Detects the termination of critical security processes which may indicate a kernel-level kill switch used in BYOVD attacks.
references:
- https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies
author: Security Arsenal
date: 2026/04/06
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_termination
product: windows
detection:
selection:
TargetImage|endswith:
- '\MsMpEng.exe'
- '\SenseCncProxy.exe'
- '\cb.exe'
- '\DsAgent.exe'
- '\360sd.exe'
SourceImage|endswith:
- '\System'
- '\services.exe'
- '\lsass.exe'
condition: selection
falsepositives:
- Rare, usually indicates system crash or legitimate service restart
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for 'GodDamn' ransomware processes and unusual driver loading behavior
let ProcessList = dynamic(['MsMpEng.exe', 'SenseCncProxy.exe', 'cb.exe', 'DsAgent.exe']);
DeviceProcessEvents
| where Timestamp > ago(7d)
// 1. Direct detection of the named threat
| where FileName in~ ('goddamn.exe', 'encrypt.exe')
| union (
DeviceProcessEvents
// 2. Detection of service creation for kernel drivers (BYOVD)
| where ProcessVersionInfoOriginalFileName == "sc.exe" or FileName == "sc.exe"
| where ProcessCommandLine has "create" and ProcessCommandLine has "kernel"
)
| union (
DeviceProcessEvents
// 3. Detection of security process termination
| where ActionType in ("ProcessTerminated", "TaskKill")
| where FileName in~ ProcessList
| extend TerminatedBy = InitiatingProcessFileName
)
| project Timestamp, DeviceName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
| order by Timestamp desc
Velociraptor VQL
-- Hunt for 'GodDamn' ransomware artifacts and Kernel Mode drivers
-- 1. Hunt for the specific ransomware executable
SELECT Pid, Name, Exe, Cmdline, Username
FROM pslist()
WHERE Name =~ 'goddamn'
OR Exe =~ 'goddamn'
-- 2. Hunt for drivers loaded from non-standard paths (User profile or Temp)
-- BYOVD often drops drivers in temp directories before loading
SELECT Name, DeviceName, ImagePath, Company, Signed
FROM drivers()
WHERE NOT ImagePath =~ C:\Windows\System32\drivers\
AND NOT ImagePath =~ C:\Windows\System32\DriverStore\
Remediation Script (PowerShell)
<#
.SYNOPSIS
Hardens endpoints against BYOVD attacks and checks for 'GodDamn' indicators.
.DESCRIPTION
This script enables the Microsoft Vulnerable Driver Blocklist, which is the
primary defense against the mis-signed driver used in the 'GodDamn' incident.
It also scans for the presence of the ransomware process.
#>
Write-Host "[+] Checking for 'GodDamn' ransomware processes..."
$maliciousProcesses = Get-Process | Where-Object { $_.ProcessName -like '*goddamn*' -or $_.ProcessName -like '*encrypt*' }
if ($maliciousProcesses) {
Write-Host "[!] THREAT DETECTED: Malicious process found. Terminating." -ForegroundColor Red
$maliciousProcesses | Stop-Process -Force
# Trigger incident response workflow here
} else {
Write-Host "[+] No malicious processes detected." -ForegroundColor Green
}
Write-Host "[+] Configuring Vulnerable Driver Blocklist (Memory Integrity)..."
try {
# Check current status
$ci = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -ErrorAction SilentlyContinue
if ($ci -and $ci.Enabled -eq 1) {
Write-Host "[+] Vulnerable Driver Blocklist is already enabled." -ForegroundColor Green
} else {
# Enable Memory Integrity (requires reboot)
if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity")) {
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Force | Out-Null
}
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1 -Type DWord
Write-Host "[+] Vulnerable Driver Blocklist enabled. A system reboot is required to apply changes." -ForegroundColor Cyan
}
} catch {
Write-Host "[-] Error configuring registry: $_" -ForegroundColor Red
}
Write-Host "[+] Verifying Windows Update status for latest security intelligence..."
# Ensure system is up to date to receive the latest driver blocklist revocations
$wuSession = New-Object -ComObject Microsoft.Update.Session
$wuSearcher = $wuSession.CreateUpdateSearcher()
$wuResult = $wuSearcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
if ($wuResult.Updates.Count -gt 0) {
Write-Host "[!] Important updates are pending. Please patch immediately." -ForegroundColor Yellow
} else {
Write-Host "[+] System appears up to date." -ForegroundColor Green
}
Remediation
To neutralize the threat posed by this Microsoft-signed driver and the "GodDamn" ransomware, organizations must take the following immediate steps:
-
Enable the Vulnerable Driver Blocklist: Microsoft maintains a list of drivers that have been used in BYOVD attacks. The most effective remediation is to ensure the "Vulnerable Driver Blocklist" feature is enabled. This can be done via the Windows Security app under "Device security" > "Core isolation details" > "Memory integrity", or via the PowerShell script provided above. Ensure the policy
HVCISIG_POLICYis enforced via Intune or Group Policy. -
Patch Management: Although the driver itself is signed, Microsoft will release updates to Windows Update that add the specific hash of this malicious driver to the OS blocklist. Apply all critical Windows updates immediately to ensure the revocation list is current.
-
ASR Rules Configuration: Enable the Microsoft Defender Attack Surface Reduction (ASR) rule: "Block abuse of exploited vulnerable signed drivers" (Rule ID
56a863a9-875e-4185-98a7-b882c64b5ce5). This specifically targets the BYOVD technique. -
Investigate Driver Logs: Review Sysmon Event ID 6 (Driver Loaded) logs. Look for drivers loaded from temporary directories (
C:\Users\...\AppData\Local\Temp) or unexpected paths, even if they are signed. While the signature is valid, the source location is often anomalous. -
Driver Signing Policy Hardening: Where hardware allows, consider enforcing the strictest driver signing policies. However, in this specific case, because the driver is signed by a trusted authority (Microsoft), only the revocation/blocklist methods (steps 1 and 3) are effective.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.