Attackers bharosemand Windows driver ka galat istemaal karke antivirus (AV) aur andpoint detection aur respons (EDR) tools ko band kar rahe han. iske liye ve Bring Your Own Vulnerable Driver (BYOVD) naam ki ek technic ka istemaal kar rahe han.
kabhi khas mana jaane wala BYOVD, tezi se modern ransomware campaigns ka ek standard hissa ban gaya hai, jisse threat actors Windows environment mein sabse oonche privilege level par kaam kar sakte han.
security researcher batate hain ki cyber ghuspaith mein defence se bachna ab ek zaruri fez hai. detection se bachne ke bajay, attacker sidhe security control ko target kar rahe hain aur unhen band kar rahe han.
Windows Drivers Kill AV and EDR
Windows do privilege level ka istemaal karke kaam karta hai: user mode aur kernel mode. jahan user mode applications ko rokta hai, wahin kernel mode system par lagbhag pura control deta hai. ek kamzor driver ka fayda uthakar, attacker kernel mode mein galat kaam kar sakte han.
udaharan ke liye, administraitive access paane ke bad, ek attackar ek sign kiya hua lekin kharab driver install kar sakta hai aur uski kamzoriyon ka fayda uthane ke liye use banae gaye command bhej sakta hai. sabse aam natija AV ya EDR process ka khatm hona hai.
TrueSightKiller, GhostDriver, aur AuKill jaise Open-source aur underground tool, security process ko khatm karne ke liye in drivers ka galat istemaal karne ke process ko automate karte han.

