Introduction
The cybersecurity landscape is constantly evolving, and recent reports from threat intelligence researchers highlight a concerning shift in attacker behavior. The Warlock ransomware group, known for encryption-based cyber incidents, has augmented its post-exploitation activities to be significantly stealthier. By leveraging a "Bring Your Own Vulnerable Driver" (BYOVD) technique, the group can bypass standard security controls, move laterally across networks with greater ease, and evade detection. For defenders, understanding this mechanism is critical because it represents a direct attack on the kernel layer of the operating system, where traditional Endpoint Detection and Response (EDR) tools often operate.
Technical Analysis
The core of the new Warlock activity revolves around the BYOVD technique. In this scenario, threat actors bring a legitimate, yet vulnerable, third-party driver file (often signed with a valid certificate) onto a targeted machine. They exploit known vulnerabilities in that driver to load malicious code into the Windows kernel.
- Affected Systems: Windows environments where users have local administrator privileges or where drivers can be loaded without strict verification.
- Severity: High. This technique allows attackers to disable security solutions (EDR/AV) and manipulate system memory at the kernel level (Ring 0).
- Mechanism: Once the vulnerable driver is loaded, the group uses it to kill security processes, enabling cross-network movement and data theft before the ransomware payload is deployed.
- Patch/Fix Details: While the specific drivers used in BYOVD attacks vary (often anti-cheat or old hardware drivers), the primary defense is Microsoft's Vulnerable Driver Blocklist and ensuring Hypervisor-Protected Code Integrity (HVCI) is enabled.
Defensive Monitoring
Detecting BYOVD attacks requires looking for anomalies in driver loading and process termination events. Below are SIGMA rules, KQL queries, and VQL artifacts to help your SOC hunt for these threats.
SIGMA Rules
---
title: Potential BYOVD Vulnerable Driver Load
id: 8a4b2c1d-6e3f-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the loading of known vulnerable drivers often abused in BYOVD attacks to kill security processes.
references:
    - https://www.darkreading.com/threat-intelligence/warlock-ransomware-post-exploitation-activities
author: Security Arsenal
date: 2024/05/22
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: driver_load
    product: windows
detection:
    # Match on the loaded image path (the driver_load field Sysmon Event ID 6 provides).
    # A signer constraint is deliberately not ANDed in here: dbutil_2_3.sys (Dell) and
    # mhyprot2.sys (miHoYo) are not signed by Micro-Star or ASUSTeK, so requiring those
    # signers alongside the filename list would silently drop half of the watchlist.
    selection:
        ImageLoaded|endswith:
            - '\RTCore64.sys'
            - '\AsIO.sys'
            - '\dbutil_2_3.sys'
            - '\mhyprot2.sys'
    condition: selection
falsepositives:
    - Legitimate installation of gaming software or hardware utilities
level: high
---
title: Suspicious Termination of Security Processes
id: 9c5d3e2f-7a4b-5c6d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects attempts to terminate common security software processes, often seen in post-exploitation by ransomware groups.
references:
    - https://attack.mitre.org/techniques/T1562/001/
author: Security Arsenal
date: 2024/05/22
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    # taskkill with both /F and /IM (contains|all, since a plain list is OR-ed).
    # taskmgr.exe is not matched: it takes no such command line.
    selection:
        Image|endswith: '\taskkill.exe'
        CommandLine|contains|all:
            - '/F'
            - '/IM'
    # The command line must name a security vendor or product.
    selection_av:
        CommandLine|contains:
            - 'sophos'
            - 'defender'
            - 'crowdstrike'
            - 'sentinelone'
            - 'elastic'
            - 'carbon black'
    # Exclude kills aimed at core system or unrelated application processes.
    filter_system:
        CommandLine|contains:
            - 'csrss.exe'
            - 'lsass.exe'
            - 'svchost.exe'
            - 'sqlservr.exe'
            - 'notepad.exe'
    condition: selection and selection_av and not filter_system
falsepositives:
    - Administrators legitimately restarting security services
level: high
KQL Queries
// Hunt for known vulnerable drivers loaded in kernel
// (Microsoft Defender XDR advanced hunting schema: driver loads are DeviceEvents rows
// with ActionType "DriverLoad"; the column is FileName, not Filename)
DeviceEvents
| where ActionType == "DriverLoad"
| where FileName in~ ("RTCore64.sys", "AsIO.sys", "dbutil_2_3.sys", "mhyprot2.sys")
| project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA1,
          InitiatingProcessFileName, InitiatingProcessAccountName, AdditionalFields
| order by Timestamp desc
// Detect forced termination of security processes
// (advanced hunting has no process-termination row, so hunt for the kill command itself:
// taskkill /F /IM <agent> launched against a known security agent binary)
DeviceProcessEvents
| where FileName =~ "taskkill.exe"
| where ProcessCommandLine contains "/F" and ProcessCommandLine contains "/IM"
| where ProcessCommandLine has_any ("MsMpEng.exe", "CbOsSvc.exe", "SentinelAgent.exe", "SophosUI.exe", "agentservice.exe")
| project Timestamp, DeviceId, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for known vulnerable drivers currently loaded.
-- Win32_SystemDriver lists kernel drivers with their binary path and state.
-- =~ is a regular-expression match in VQL, so the name is anchored and the
-- dot is bracketed rather than used as a wildcard.
SELECT Name, DisplayName, PathName, State, StartMode
FROM wmi(query="SELECT Name, DisplayName, PathName, State, StartMode FROM Win32_SystemDriver",
         namespace="root/cimv2")
WHERE PathName =~ '(?i)(RTCore64|AsIO|dbutil_2_3|mhyprot2)[.]sys$'
-- Hunt for suspicious process terminations (taskkill usage against security agents).
-- pslist() is a point-in-time snapshot, so this only catches a taskkill that is
-- still running when the query executes.
SELECT Pid, Ppid, Name, CommandLine, Username
FROM pslist()
WHERE Name =~ '(?i)^taskkill[.]exe$'
  AND CommandLine =~ '(?i)/F'
  AND CommandLine =~ '(?i)(defender|crowdstrike|sophos|sentinel)'
PowerShell Verification Script
# Check for the presence of known vulnerable drivers in the driver store
$vulnerableDrivers = @(
    "RTCore64.sys",
    "AsIO.sys",
    "dbutil_2_3.sys",
    "mhyprot2.sys",
    "capcom.sys"
)
$driverStorePath = "C:\Windows\System32\DriverStore\FileRepository"

if (Test-Path $driverStorePath) {
    Write-Host "Scanning Driver Store for known vulnerable drivers..." -ForegroundColor Yellow
    foreach ($driver in $vulnerableDrivers) {
        $found = Get-ChildItem -Path $driverStorePath -Recurse -File -Filter $driver -ErrorAction SilentlyContinue
        if ($found) {
            Write-Host "[ALERT] Found vulnerable driver: $($driver) at $($found.FullName)" -ForegroundColor Red
        } else {
            Write-Host "[OK] No trace of: $driver" -ForegroundColor Green
        }
    }
} else {
    Write-Host "Driver store path not found."
}
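The driver-store scan above only finds files on disk; a BYOVD driver is usually dropped elsewhere and loaded directly. This added example (not from the original post) hunts Sysmon Event ID 6 (DriverLoad) records for the same watchlist and reports signer and hashes for each hit; it assumes Sysmon is installed with driver-load logging enabled and is run from an elevated prompt.

```powershell
# Added example: hunt Sysmon driver-load events (Event ID 6) for watchlisted drivers.
# Assumes Sysmon is installed and logging DriverLoad; run elevated.
$watchlist = @('RTCore64.sys', 'AsIO.sys', 'dbutil_2_3.sys', 'mhyprot2.sys')

# Build one regex that matches any watchlisted filename at the end of ImageLoaded.
$pattern = ($watchlist | ForEach-Object { [regex]::Escape($_) }) -join '|'

$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Event 6 carries ImageLoaded, Hashes, Signed, Signature, SignatureStatus in EventData.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ImageLoaded'] -match "\\($pattern)$") {
        [pscustomobject]@{
            Time            = $e.TimeCreated
            ImageLoaded     = $data['ImageLoaded']
            Signed          = $data['Signed']
            Signature       = $data['Signature']   # signer name: a valid vendor signature is expected in BYOVD
            SignatureStatus = $data['SignatureStatus']
            Hashes          = $data['Hashes']      # compare against the Microsoft blocklist / known-bad hashes
        }
    }
}

if ($hits) {
    Write-Host "[ALERT] Watchlisted driver load(s) recorded by Sysmon:" -ForegroundColor Red
    $hits | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    Write-Host "[OK] No watchlisted driver loads found in the Sysmon log." -ForegroundColor Green
}
```

A hit with a valid signature is the expected BYOVD pattern, so treat the signer name as context rather than as a reason to dismiss the event.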
Remediation
To protect your organization against the Warlock group and similar BYOVD threats, implement the following remediation steps immediately:
- Enable Microsoft Vulnerable Driver Blocklist: Ensure the policy "MSIS 2024: Blocklist Drivers vulnerable to Bring Your Own Vulnerable Driver (BYOVD) Attacks" is enforced via Intune or Group Policy.
- Enable HVCI (Hypervisor-Protected Code Integrity): Turn on Memory Integrity in Windows Security (Core Isolation). This prevents the loading of vulnerable drivers by enforcing code integrity checks at the kernel level.
- Restrict Driver Loading: Use Group Policy to prevent non-administrative users from installing printer drivers or other kernel-mode components.
- Audit Admin Privileges: Reduce the number of local administrators on endpoints. BYOVD attacks require the ability to load a driver, which usually requires administrative rights.
- Update EDR Signatures: Ensure your Endpoint Detection and Response solutions are updated to specifically detect the loading of vulnerable signed drivers, not just malicious unsigned files.
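To confirm that the first two remediation steps actually took effect on an endpoint, this added example (not from the original post) reads the HVCI state from the Win32_DeviceGuard WMI class and the vulnerable driver blocklist setting from the Code Integrity registry key; it assumes it is run elevated on Windows 10/11 and that no third-party WDAC policy overrides these settings.

```powershell
# Added example: verify HVCI (Memory Integrity) and the Microsoft Vulnerable Driver Blocklist.
# Run elevated. Assumes Windows 10/11 with no overriding third-party WDAC policy.

# 1. HVCI: Win32_DeviceGuard exposes security services as integer arrays;
#    value 2 = Hypervisor-Protected Code Integrity, value 1 = Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
$hvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)

# 2. Vulnerable Driver Blocklist: enforced when this DWORD is 1.
#    On current Windows 11 builds the blocklist is on by default, so a missing value
#    is reported separately from an explicit 0.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$ciCfg = Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
$blocklistState = switch ($ciCfg.VulnerableDriverBlocklistEnable) {
    1       { 'Enabled (explicit)' }
    0       { 'DISABLED (explicit)' }
    default { 'Not set (OS default applies)' }
}

$report = [pscustomobject]@{
    HVCIConfigured            = $hvciConfigured
    HVCIRunning               = $hvciRunning
    VulnerableDriverBlocklist = $blocklistState
}
$report | Format-List

# Flag the two conditions that leave BYOVD drivers loadable.
if (-not $hvciRunning) {
    Write-Host "[ALERT] HVCI is not running: vulnerable signed drivers can still be loaded." -ForegroundColor Red
}
if ($ciCfg.VulnerableDriverBlocklistEnable -eq 0) {
    Write-Host "[ALERT] Vulnerable Driver Blocklist has been explicitly disabled." -ForegroundColor Red
}
```

HVCIConfigured true with HVCIRunning false usually means a reboot is pending or the hardware (VBS, IOMMU) cannot support it, which is worth tracking as a separate finding.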