BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)
Detects Bring Your Own Vulnerable Driver (BYOVD) attacks by correlating vulnerable kernel driver loads with security software termination on the same host. This technique has been actively used by the Medusa ransomware group to disable EDR/AV tooling before encryption. Covers both known-bad driver names and anomalous driver loads from user-writable paths.

This technique has been actively observed in Medusa ransomware campaigns, where the group drops a signed but vulnerable kernel driver (commonly repurposed anti-cheat or AV drivers) to gain kernel-level access and forcibly terminate endpoint protection before deploying the ransomware payload. CISA issued advisory AA25-071A covering Medusa's BYOVD usage. The query is not Medusa-specific: it will detect any BYOVD campaign following the same pattern, including BlackByte, Scattered Spider, Cuba, and AvosLocker, all of which have used similar techniques.
Detection Query
/* Phase 1 — Detect BYOVD: known-vulnerable or out-of-place signed drivers */
#event_simpleName = DriverLoad OR #event_simpleName = ClassifiedModuleLoad
| case {
    in(field=FileName, values=[
        "gdrv.sys", "msio64.sys", "ntiolib.sys", "kprocesshacker.sys",
        "physmem.sys", "dbk64.sys", "procexp152.sys", "NSSM.sys",
        "wantd.sys", "AsrDrv104.sys", "mhyprot2.sys"
    ]) | BYOVDIndicator := "Known vulnerable driver loaded";
    /* adjacent filters are ANDed: a .sys file loaded from a user-writable location */
    FilePath = /AppData|Temp|ProgramData|Users\\.*\\Desktop/i
    FileName = /\.sys$/i
    | BYOVDIndicator := "Driver loaded from suspicious user-writable path";
    * | BYOVDIndicator := "none";
  }
| BYOVDIndicator != "none"
/* Phase 2: correlate with termination of a security process on the same host (aid) */
| join(
    {
      #event_simpleName = TerminateProcess
      /* each product name is matched as <name>.exe, so the Kaspersky entry is "avp", not "avp.exe" */
      | ImageFileName = /(MsMpEng|CsAgent|CsFalconService|csshell|SentinelAgent|cbdefense|MBAMService|avp|fmon|avgnt|bdservicehost|mcshield|ekrn)\.exe$/i
      | rename(field=ImageFileName, as=TerminatedSecurity)
    },
    field=aid, key=aid
  )
| TerminatedSecurity = *
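As an added example (not part of the original query or the repository it comes from), the following Python models the same two-phase logic over constructed sample events: Phase 1 assigns the BYOVDIndicator exactly as the case{} block does, and Phase 2 inner-joins the suspicious loads on aid to terminations of security processes. The host ids, file paths and event records are constructed, and the process list uses "avp" so that the trailing \.exe$ actually matches Kaspersky's avp.exe.

```python
import re
from collections import defaultdict

# Phase 1 indicators, mirroring the CQL case{} block (first matching branch wins).
KNOWN_VULNERABLE = {"gdrv.sys", "msio64.sys", "ntiolib.sys", "kprocesshacker.sys", "physmem.sys",
                    "dbk64.sys", "procexp152.sys", "nssm.sys", "wantd.sys", "asrdrv104.sys", "mhyprot2.sys"}
SUSPICIOUS_PATH = re.compile(r"AppData|Temp|ProgramData|Users\\.*\\Desktop", re.I)
SYS_FILE = re.compile(r"\.sys$", re.I)
# Phase 2: security processes are matched as <name>.exe, so the Kaspersky entry is "avp", not "avp.exe".
SECURITY_PROC = re.compile(r"(MsMpEng|CsAgent|CsFalconService|csshell|SentinelAgent|cbdefense|MBAMService"
                           r"|avp|fmon|avgnt|bdservicehost|mcshield|ekrn)\.exe$", re.I)

def classify_driver(event):
    """BYOVDIndicator for one driver-load event. Name matching is case-insensitive here;
    the CQL in() compares exactly unless ignoreCase=true is passed."""
    if event["FileName"].lower() in KNOWN_VULNERABLE:
        return "Known vulnerable driver loaded"
    if SUSPICIOUS_PATH.search(event["FilePath"]) and SYS_FILE.search(event["FileName"]):
        return "Driver loaded from suspicious user-writable path"
    return "none"

def correlate(events):
    """Inner-join suspicious driver loads to security-process terminations on the same aid."""
    terminated = defaultdict(set)
    for e in events:
        if e["event"] == "TerminateProcess" and SECURITY_PROC.search(e.get("ImageFileName", "")):
            terminated[e["aid"]].add(e["ImageFileName"])
    alerts = []
    for e in events:
        if e["event"] in ("DriverLoad", "ClassifiedModuleLoad"):
            indicator = classify_driver(e)
            if indicator != "none" and e["aid"] in terminated:
                alerts.append({"aid": e["aid"], "driver": e["FileName"], "indicator": indicator,
                               "TerminatedSecurity": sorted(terminated[e["aid"]])})
    return alerts

# Constructed sample telemetry for hypothetical hosts aid-A..aid-D (not real data).
SAMPLE_EVENTS = [
    {"event": "DriverLoad", "aid": "aid-A", "FileName": "gdrv.sys",
     "FilePath": r"C:\Windows\System32\drivers\gdrv.sys"},
    {"event": "TerminateProcess", "aid": "aid-A",
     "ImageFileName": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"event": "ClassifiedModuleLoad", "aid": "aid-B", "FileName": "update.sys",
     "FilePath": r"C:\Users\bob\AppData\Local\Temp\update.sys"},
    {"event": "TerminateProcess", "aid": "aid-B", "ImageFileName": r"C:\Program Files (x86)\Kaspersky Lab\avp.exe"},
    {"event": "DriverLoad", "aid": "aid-C", "FileName": "gdrv.sys",  # no termination on aid-C: no alert
     "FilePath": r"C:\Windows\System32\drivers\gdrv.sys"},
    {"event": "DriverLoad", "aid": "aid-D", "FileName": "legit.sys",  # benign driver and process: no alert
     "FilePath": r"C:\Windows\System32\drivers\legit.sys"},
    {"event": "TerminateProcess", "aid": "aid-D", "ImageFileName": r"C:\Windows\notepad.exe"},
]
```

Hosts aid-C and aid-D are the two negative cases: a known-vulnerable driver with no matching termination, and a termination of a process that is not a security product.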
Author
cap10
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)
# MITRE ATT&CK technique IDs
mitre_ids:
- T1562.001
- T1068
- T1014
# Description of what the query does and its purpose.
description: |
  Detects Bring Your Own Vulnerable Driver (BYOVD) attacks by correlating vulnerable kernel driver loads with security software termination on the same host. This technique has been actively used by the Medusa ransomware group to disable EDR/AV tooling before encryption. Covers both known-bad driver names and anomalous driver loads from user-writable paths.
# The author or team that created the query.
author: cap10
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
tags:
- Hunting
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  /* Phase 1 — Detect BYOVD: known-vulnerable or out-of-place signed drivers */
  #event_simpleName = DriverLoad OR #event_simpleName = ClassifiedModuleLoad
  | case {
      in(field=FileName, values=[
          "gdrv.sys", "msio64.sys", "ntiolib.sys", "kprocesshacker.sys",
          "physmem.sys", "dbk64.sys", "procexp152.sys", "NSSM.sys",
          "wantd.sys", "AsrDrv104.sys", "mhyprot2.sys"
      ]) | BYOVDIndicator := "Known vulnerable driver loaded";
      /* adjacent filters are ANDed: a .sys file loaded from a user-writable location */
      FilePath = /AppData|Temp|ProgramData|Users\\.*\\Desktop/i
      FileName = /\.sys$/i
      | BYOVDIndicator := "Driver loaded from suspicious user-writable path";
      * | BYOVDIndicator := "none";
    }
  | BYOVDIndicator != "none"
  /* Phase 2: correlate with termination of a security process on the same host (aid) */
  | join(
      {
        #event_simpleName = TerminateProcess
        /* each product name is matched as <name>.exe, so the Kaspersky entry is "avp", not "avp.exe" */
        | ImageFileName = /(MsMpEng|CsAgent|CsFalconService|csshell|SentinelAgent|cbdefense|MBAMService|avp|fmon|avgnt|bdservicehost|mcshield|ekrn)\.exe$/i
        | rename(field=ImageFileName, as=TerminatedSecurity)
      },
      field=aid, key=aid
    )
  | TerminatedSecurity = *
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  This technique has been actively observed in Medusa ransomware campaigns,
  where the group drops a signed but vulnerable kernel driver (commonly
  repurposed anti-cheat or AV drivers) to gain kernel-level access and
  forcibly terminate endpoint protection before deploying the ransomware
  payload. CISA issued advisory AA25-071A covering Medusa's BYOVD usage.
  The query is not Medusa-specific: it will detect any BYOVD campaign
  following the same pattern, including BlackByte, Scattered Spider, Cuba,
  and AvosLocker, all of which have used similar techniques.