Atos TRC: "hardware-gated" Windows drivers can be made BYOVD-exploitable in software

Research from the Atos Trusted Research Center (referenced by NDSS Symposium 2026 paper 2026-s1491), resurfaced in in-window reporting on 2026-05-22, argues that a large class of Windows kernel-mode drivers previously treated as BYOVD-resistant — because triggering their vulnerable IOCTL paths supposedly required physical hardware — can be made fully exploitable without that hardware (The Hacker News, 2026-05-22). Three techniques remove the gate: binding a PnP driver's AddDevice callback to a software-emulated device with an attacker-chosen hardware ID (via SetupAPI / the Software Device API); filter-driver restacking on disk/storage device stacks to bind otherwise-unloadable drivers; and direct registry manipulation under HKLM\SYSTEM\CurrentControlSet\Control\Class to associate a vulnerable driver with an existing device object. The write-up frames these against real-world example drivers to show IOCTL code paths reachable without the assumed hardware (Atos TRC, 2026-04-17).

Why it matters to us: BYOVD is a staple kernel-level EDR-bypass technique for ransomware affiliates and APTs operating against EU/CH targets, and this work expands the effective LOLDrivers attack surface — vulnerable-driver blocklists that implicitly assume a hardware prerequisite need re-evaluation. Hunt HKLM\SYSTEM\CurrentControlSet\Control\Class writes to UpperFilters/LowerFilters/ClassFilters from non-SYSTEM processes (Sysmon EID 13), driver-load events (Sysmon EID 6) for drivers loaded from user-writable paths, and streaming/thunk-class kernel drivers loaded by a non-system process. Hardening: enforce the Microsoft Vulnerable Driver Blocklist (WDAC) and HVCI/Memory Integrity, and re-test blocklist coverage against these hardware-gate-bypass techniques. ATT&CK T1068, T1014, T1562.001.