BYOVKD is the technique of exploiting a target system via a vulnerable, signed kernel driver which an implant brings along with itself and loads to bootstrap into the Kernel.
drop'n'load onto a target system to help us step into the
Kernel-Mode keyloggers or what have you?
Driver Signature Enforcement (DSE), we need to properly sign Kernel drivers for them to load. This implies that we can either steal such valid code-signing certificates or somehow acquire them anonymously, both of which are non-trivial tasks. Abusing proxy drivers is the
Tertia Optio (third option), which is a very viable alternative where we abuse a legitimately signed driver to execute our code in
BYOVKD. Some of them are:
Third Generation Kernel Threats, where we introduce a vulnerable third-party driver into the environment to exploit it, as compared to
Second Generation Kernel Threats, where the vulnerable driver is shipped with the OS itself. Now, it goes without saying that the latter is much stealthier and more advanced than the former, while also being rarer, more expensive and more difficult to exploit.
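From the defender's side, the distinguishing marks of a third-generation (BYOVKD) driver load described above are visible in driver-load telemetry: a signed driver whose hash is on a known-vulnerable list, or one loaded from somewhere other than the system drivers directory. The following is an added example, not code from the original article, that triages Sysmon "Driver loaded" (Event ID 6) records for those indicators. The log lines, the file paths and the blocklist hashes are all constructed placeholders; the field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the ones Sysmon emits, but the one-line "Key: value | Key: value" rendering is an assumed, simplified format rather than Sysmon's XML.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for BYOVKD indicators.

Added example; not part of the original article. All sample events and
blocklist hashes below are constructed placeholders.
"""
import re

# Sysmon's default location for in-box drivers; anything loaded from
# elsewhere is worth a second look. Lower-cased for case-insensitive matching.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Placeholder blocklist. In practice this would be populated from a curated
# vulnerable-driver list (for example Microsoft's vulnerable driver blocklist).
PLACEHOLDER_VULN_SHA256 = "11" * 32  # constructed, not a real driver hash
KNOWN_VULNERABLE_SHA256 = {
    PLACEHOLDER_VULN_SHA256: "placeholder-vulnerable-driver",
}

# Constructed events in an assumed "Key: value | Key: value" rendering.
BENIGN_DRIVER = r"C:\Windows\System32\drivers\ndis.sys"
PROXY_DRIVER = r"C:\Users\Public\tmp\proxy.sys"      # constructed path
UNSIGNED_DRIVER = r"C:\Windows\Temp\loader.sys"       # constructed path
SAMPLE_EVENTS = [
    "UtcTime: 2024-01-01 10:00:00.000 | ImageLoaded: " + BENIGN_DRIVER
    + " | Hashes: SHA256=" + "22" * 32
    + " | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    "UtcTime: 2024-01-01 10:05:00.000 | ImageLoaded: " + PROXY_DRIVER
    + " | Hashes: SHA256=" + PLACEHOLDER_VULN_SHA256
    + " | Signed: true | Signature: Example Vendor Ltd | SignatureStatus: Valid",
    "UtcTime: 2024-01-01 10:06:00.000 | ImageLoaded: " + UNSIGNED_DRIVER
    + " | Hashes: SHA256=" + "33" * 32
    + " | Signed: false | Signature: - | SignatureStatus: Unavailable",
]

# "Key: value" pairs separated by " | "; the value runs until the next pair.
_FIELD_RE = re.compile(r"(\w+): (.*?)(?= \| \w+: |$)")


def parse_event(line):
    """Split one rendered event into a dict of Sysmon field -> value."""
    return dict(_FIELD_RE.findall(line))


def parse_hashes(hashes_field):
    """Sysmon writes 'SHA256=...,MD5=...'; return {algo: lowercase hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage(line):
    """Return (image path, list of indicator tags) for one driver-load event."""
    ev = parse_event(line)
    image = ev.get("ImageLoaded", "")
    findings = []

    # DSE normally blocks these outright; seeing one loaded means test-signing,
    # a DSE bypass, or a tampered record, and is worth an alert on its own.
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        findings.append("unsigned-or-invalid-signature")

    # The BYOVKD case proper: a validly signed driver that is known-vulnerable.
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append("known-vulnerable-driver:" + KNOWN_VULNERABLE_SHA256[sha256])

    # Drop'n'load drivers are typically staged outside the drivers directory.
    if not image.lower().startswith(DRIVER_DIR):
        findings.append("loaded-outside-drivers-dir")

    return image, findings


def triage_all(lines):
    """Map image path -> indicator tags for every event that raised any."""
    return {image: tags for image, tags in map(triage, lines) if tags}


if __name__ == "__main__":
    for image, tags in triage_all(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(tags))
```

Hash matching against a blocklist is the only indicator here that is specific to BYOVKD; the path and signature checks are broader hygiene signals that also catch the unsigned and test-signed cases the article contrasts it with, so in a real pipeline they would feed different alert severities.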
BYOVKD is not commonly seen in intrusions, over the years there have been some highly publicised cases of this technique being leveraged by nation-states for
CNE operations. Some of them are: