A New Era in Cybersecurity: How the BYOVD and Windows Symbolic Links Exploit Change the Game

2025-01-28

In a recent breakthrough, cybersecurity experts have discovered a way to elevate the power of the Bring Your Own Vulnerable Driver (BYOVD) technique, combining it with Windows symbolic links to bypass critical security measures, including Endpoint Detection and Response (EDR) systems. This research, presented by the cybersecurity specialist @Two Seven One Three, sheds light on a novel exploit that has the potential to redefine how attackers bypass defenses and target vulnerable systems.

the Exploit

The BYOVD (Bring Your Own Vulnerable Driver) technique has been a powerful tool for cybercriminals, allowing them to exploit vulnerable, legitimate drivers to gain elevated privileges and bypass security measures. In the past, threat actors have taken advantage of drivers like MSI Afterburner’s RTCore64.sys to infiltrate over 1,000 security systems, including those that monitor file operations. However, with Microsoft’s updates to blocklist known vulnerable drivers, the pool of exploitable drivers has been shrinking.

This latest research has combined BYOVD with Windows symbolic links—system tools that redirect file operations—allowing attackers to bypass these blocklists and target a much broader range of vulnerable drivers. By manipulating file-writing functions within these drivers and using symbolic links to redirect activities to unintended locations, attackers can disable critical system functions and bypass EDR detection systems.

A striking demonstration of this technique showed how symbolic links could be used to disable Windows Defender on Windows 11, allowing attackers to manipulate the core executable, MsMpEng.exe. The exploit takes advantage of vulnerabilities in how EDR systems monitor file and process activities, allowing attackers to sidestep the defenses by redirecting file operations to unwitting targets.

This new method enables attackers to use legitimate file-writing drivers, expanding the potential pool of exploitable targets, and complicating detection efforts. It’s a worrying evolution in cyberattacks, as it shifts the focus from outdated drivers to regular system functions that have the ability to manipulate files.

What Undercode Say:

The combination of BYOVD with symbolic links represents a significant leap in the complexity and effectiveness of cyberattacks, one that bypasses traditional methods of detection. For years, security systems have relied on blocking known vulnerable drivers to prevent attacks. Microsoft’s blocklist updates were one way to keep this threat at bay, but the new technique undermines this defense by expanding the attack surface.

Historically, the BYOVD technique was limited to a small pool of drivers with known vulnerabilities. As Microsoft updated its blocklist, the number of viable targets shrank, forcing attackers to constantly adapt. However, this research demonstrates that attackers can now target legitimate drivers that possess file-writing capabilities, which are far more numerous and less likely to be flagged by security software. By combining this with symbolic links, attackers can essentially redirect file operations to any location they choose, opening up new avenues for exploitation.

Symbolic links are typically used to create shortcuts to files and directories, but in the hands of an attacker, they become powerful tools for evading detection. The exploitation of symbolic links, combined with driver vulnerabilities, could cause extensive damage. For example, in the case of Windows Defender, attackers can manipulate the registry and force the operating system to load their malicious drivers before security services, such as Defender, can initiate. This allows them to disable security software, rendering the system vulnerable to further exploitation.

Another troubling aspect of this exploit is its ability to bypass both kernel-level monitoring and user-mode logging. EDR systems typically use Minifilters to monitor activity at the kernel level. These filters track file operations and log suspicious activity to detect potential threats. However, by exploiting the symbolic link mechanism, attackers can redirect file operations away from their intended destinations, making it much harder for these monitoring systems to detect malicious activity.

Given the sophistication of this exploit, organizations must rethink their approach to cybersecurity. It is no longer sufficient to rely solely on blocklists or traditional signature-based detection. The threat has evolved, and so must the defense strategies. Cybersecurity teams should prioritize enhanced detection methods that can identify symbolic link-based exploits, even when they do not rely on outdated or vulnerable drivers.

One possible countermeasure is to implement integrity checks for symbolic links within drivers. This would involve verifying that symbolic links point to valid, intended targets before allowing file operations. Developers can also design more secure drivers that minimize the potential for exploitation through file-writing functions.

Furthermore, organizations should focus on comprehensive monitoring and validation at both the kernel and user-mode levels. This may include more sophisticated anomaly detection systems that can detect unusual patterns in how files are accessed and modified. By monitoring not just the files themselves, but the interactions and relationships between processes, defenders can identify when something is out of the ordinary.

The research also highlights the importance of continuous updates and patches. While Microsoft has made strides in blocking known malicious drivers, this new method shows that even legitimate functions can be weaponized. A more proactive, holistic approach to security is necessary to keep up with the constantly evolving threat landscape.

In conclusion, this novel technique represents a new wave of complexity in cybersecurity, where traditional methods of defense may no longer suffice. The combination of BYOVD and symbolic link manipulation requires cybersecurity professionals to reassess their strategies and adopt more sophisticated approaches to defending against these evolving threats. By addressing the underlying vulnerabilities in file operations and symbolic links, organizations can better prepare for the challenges posed by this new attack method.