BYOVKD is the technique of exploiting a target system via a vulnerable, signed kernel driver which an implant brings along with itself and loads to bootstrap into the Kernel.High-IL code execution in Ring 3 or in simpler words, it needs administrative privileges since it involves loading a driver and such. Also, note that Microsoft does not consider Ring 3(High-IL) -> Ring 0 a serviceable security boundary but even then there are some quirks when we look at productizing our exploits.drop'n'load onto a target system to help us step into the Ring-0 realm.Kernel-Mode keyloggers or what have you?Driver Signature Enforcement(DSE), we need to properly sign Kernel drivers for them to load. This implies that we can either steal such valid code-signing certificates or somehow acquire them anonymously, both of which are non-trivial tasks. Abusing proxy drivers is the Tertia Optio(third option) which is a very viable alternative where we abuse a legitimately signed driver to execute our code in Kernel-Mode.BYOVKD. Some of them are:BYOVKD represents Third Generation Kernel Threats where we introduce a vulnerable third-party driver into the environment to exploit it as compared to Second Generation Kernel Threats where the vulnerable driver is shipped with the OS itself. Now, it goes without saying that the latter is much stealthier and advanced than the former while subsequently being rarer, expensive and more difficult to exploit.BYOVKD:EoP scenarios using BYOVKDfor that is more relevant for LOCAL 2nd Gen kernel threats. The reason being that we are already in High-IL and there are better ways of elevating privileges to local SYSTEM account from User-Mode. BYOVKD is not commonly seen in intrusions, over the years there have been some highly publicised cases of this technique being leveraged by nation-states for CNE operations. Some of them are:TrickBot using this technique to bypass defences etc. Also, note the considerable overlap in the choice of proxy drivers.