
CrowdStrike Falcon Prevents Multiple Vulnerable Driver Attacks in Real-World Intrusion

ID: 2a8e3b19-578a-540c-ae07-117b92ea64dd

STIX ID: report--2a8e3b19-578a-540c-ae07-117b92ea64dd

Feed Name: Crowdstrike Blog

Threat Score
70/100

Date Published: 2024-12-02

Date Updated: 2026-04-27

Author: Matt Weiner, Ioan-Cristian Iacob

...
...

CrowdStrike describes a marked increase in BYOVD (bring your own vulnerable driver) attacks, in which adversaries load legitimate but vulnerable signed kernel drivers to bypass endpoint detection. The report details a September 2024 intrusion in which the attackers brought six vulnerable drivers (all detected or blocked by Falcon), explains BYOVD mechanics and attacker objectives (kernel memory access, disabling Driver Signature Enforcement, mapping unsigned drivers, hiding artifacts), and classifies the abused drivers to support detection and mitigation.
