CrowdStrike EDR Zero-Day Allows Disabling of Security Features
Key Takeaways
- A zero-day “Bring Your Own Vulnerable Driver” (BYOVD) attack can disable leading endpoint detection and response (EDR) solutions, including CrowdStrike Falcon.
- The attack leverages legitimately signed kernel drivers to bypass security features and terminate critical security processes from kernel mode.
- Over 15 variants of the malicious driver exist, all with valid Microsoft digital signatures, allowing them to load undetected by current antivirus engines.
- A proof-of-concept exploit, “PoisonKiller,” successfully demonstrated the ability to terminate the CrowdStrike EDR process.
A significant vulnerability has emerged in the realm of endpoint security, exposing prominent solutions like CrowdStrike Falcon to a novel “Bring Your Own Vulnerable Driver” (BYOVD) attack. This sophisticated method, recently uncovered by a cybersecurity researcher, demonstrates the capacity to completely neutralize even top-tier endpoint defenses.
The core of this exploit lies in the reverse-engineering of an undisclosed zero-day kernel driver. The researcher’s findings reveal how malicious actors can utilize legally signed drivers to circumvent endpoint detection and response (EDR) systems with alarming efficacy.
BYOVD attacks operate by introducing a trusted, yet flawed, driver onto a compromised system. This driver, despite its underlying vulnerabilities, gains elevated kernel privileges, providing attackers with deep system access.
The investigation identified more than 15 distinct versions of this nefarious driver. Critically, every variant possesses valid Microsoft digital signatures, meaning they have not been flagged or revoked by the vendor. This legitimate signing grants them an unparalleled level of trust within the operating system.
Compounding the concern, scans conducted on platforms like VirusTotal show a complete absence of detections from contemporary antivirus engines. This indicates a significant blind spot in current security paradigms.
Since the driver is digitally signed and considered highly trustworthy, Windows permits its seamless loading into kernel mode without triggering any security alerts. This provides attackers with a stealthy and potent foothold within the system.
Reverse Engineering the IOCTL
During a detailed technical analysis utilizing IDA Pro, the researcher successfully navigated past an obfuscated entry point to meticulously examine the driver’s central device-control handler.
After a rigorous cleanup process to clarify the heavily mangled decompiled code, a critical input/output control (IOCTL) interface was identified. Specifically, the IOCTL code 0x22E010 was found to activate a dedicated routine designed for process termination.
The driver accepts a process ID as a string, converts it to an integer using standard C functions, and then executes the termination command. The profound danger stems from the driver’s ability to terminate security processes directly from the kernel level.
It employs the kernel functions ZwOpenProcess and ZwTerminateProcess to forcibly shut down active applications, bypassing conventional security barriers.
Under normal user-mode conditions, any attempt to close a Protected Process Light (PPL) service, such as the CrowdStrike sensor, would result in an immediate access denied error.
However, kernel-level commands completely bypass these user-mode protections, enabling the driver to silently eliminate critical security agents before threat actors deploy ransomware or other secondary payloads.
To validate the vulnerability, the core-jmp researcher dynamically tracked the driver within a controlled test environment to pinpoint its symbolic link, which was identified as .{F8284233-48F4-4680-ADDD-F8284233}.
Leveraging this symbolic link in conjunction with the discovered IOCTL code, they developed a custom proof-of-concept exploit named PoisonKiller.
When loaded using standard command-line service tools, the PoisonKiller exploit successfully targeted and terminated the active CrowdStrike EDR process, demonstrating the practical impact of this vulnerability.
The complete technical analysis and exploit code have been made publicly available on GitHub, underscoring a critical oversight in how modern operating systems manage signed third-party drivers.
What You Should Do
- Review and enhance driver integrity monitoring on all endpoints, focusing on newly loaded drivers and their origins.
- Implement robust application control policies to restrict the execution of unsigned or unauthorized drivers.
- Regularly audit system logs for unusual driver loading activities, especially those bypassing traditional security alerts.
- Consider advanced behavioral analysis tools that can detect anomalous process termination attempts, even from privileged kernel levels.
- Stay informed about updates and advisories from your EDR vendor regarding BYOVD protections and ensure all security solutions are fully patched.
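As an added example (not code from this article, the researcher, or the PoisonKiller project), the Python below applies the log-audit advice above to constructed Sysmon-style DriverLoad and ProcessTerminate records: it flags kernel driver loads whose hash is missing from a golden-image baseline or that come from outside the system driver directory, and correlates each with a termination of an assumed EDR agent path shortly afterward, the load-then-kill sequence the IOCTL analysis describes. The sample records, baseline hashes and EDR path are placeholders; signature validity is deliberately not used to suppress alerts.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on Sysmon Event ID 6 (DriverLoad) and
# Event ID 5 (ProcessTerminate) fields. Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 6, "time": "2025-01-10T09:00:00", "image": r"C:\Windows\System32\drivers\ndis.sys",
     "sha256": "baseline-hash-1", "sigstatus": "Valid"},
    {"id": 6, "time": "2025-01-10T09:05:00", "image": r"C:\Users\Public\updater.sys",
     "sha256": "unknown-hash-2", "sigstatus": "Valid"},   # validly signed, yet unknown
    {"id": 5, "time": "2025-01-10T09:05:07", "image": r"C:\Program Files\EDR\edr-agent.exe"},
]

BASELINE_SHA256 = {"baseline-hash-1"}                 # driver hashes from a known-good image
SYSTEM_DRIVER_DIRS = (r"c:\windows\system32\drivers",)
EDR_IMAGES = {r"c:\program files\edr\edr-agent.exe"}  # assumed EDR agent path (placeholder)
WINDOW = timedelta(minutes=2)                         # load-then-kill correlation window


def driver_load_alerts(events, baseline=BASELINE_SHA256):
    """Return (driver_image, signature_status, reasons) for each suspicious driver load."""
    loads = [e for e in events if e["id"] == 6]
    terms = [e for e in events if e["id"] == 5]
    alerts = []
    for load in loads:
        reasons = []
        if load["sha256"] not in baseline:
            reasons.append("driver hash not in baseline")
        if not load["image"].lower().startswith(SYSTEM_DRIVER_DIRS):
            reasons.append("loaded from outside the system driver directory")
        t0 = datetime.fromisoformat(load["time"])
        for term in terms:
            delta = datetime.fromisoformat(term["time"]) - t0
            if term["image"].lower() in EDR_IMAGES and timedelta(0) <= delta <= WINDOW:
                reasons.append(f"EDR process terminated {int(delta.total_seconds())}s after load")
        # Deliberately no check on sigstatus: a valid Microsoft signature is exactly
        # what a BYOVD driver carries, so it must never suppress the alert.
        if reasons:
            alerts.append((load["image"], load["sigstatus"], reasons))
    return alerts


if __name__ == "__main__":
    for image, sig, reasons in driver_load_alerts(SAMPLE_EVENTS):
        print(f"ALERT {image} (signature: {sig}): " + "; ".join(reasons))
```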
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.