ctipilot.ch

Atos TRC

trend · trend:atos-byovd-hardware-gate-bypass-2026

Atos TRC: hardware-gated Windows drivers made BYOVD-exploitable in software (PnP AddDevice / filter restacking / registry)

Coverage timeline: 1 (first 2026-05-24 → last 2026-05-24)
Entries: 1 (1 distinct day)
Sources cited: 2 (2 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-24 · research · Atos TRC: "hardware-gated" Windows drivers can be made BYOVD-exploitable in software

Where this entity is cited

  • research (1)

Source distribution

  • atos.net: 1 (50%)
  • thehackernews.com: 1 (50%)

Entries about Atos TRC (1)

2026-05-24

Atos TRC: "hardware-gated" Windows drivers can be made BYOVD-exploitable in software

notable research discovered 2026-05-24 05:00 UTC

Research from the Atos Trusted Research Center (referenced by NDSS Symposium 2026 paper 2026-s1491), resurfaced in in-window reporting on 2026-05-22, argues that a large class of Windows kernel-mode drivers previously treated as BYOVD-resistant — because triggering their vulnerable IOCTL paths supposedly required physical hardware — can be made fully exploitable without that hardware (The Hacker News, 2026-05-22). Three techniques remove the gate: binding a PnP driver's AddDevice callback to a software-emulated device with an attacker-chosen hardware ID (via SetupAPI / the Software Device API); filter-driver restacking on disk/storage device stacks to bind otherwise-unloadable drivers; and direct registry manipulation under HKLM\SYSTEM\CurrentControlSet\Control\Class to associate a vulnerable driver with an existing device object. The write-up frames these against real-world example drivers to show IOCTL code paths reachable without the assumed hardware (Atos TRC, 2026-04-17).

Why it matters to us: BYOVD is a staple kernel-level EDR-bypass technique for ransomware affiliates and APTs operating against EU/CH targets, and this work expands the effective LOLDrivers attack surface — vulnerable-driver blocklists that implicitly assume a hardware prerequisite need re-evaluation. Hunt HKLM\SYSTEM\CurrentControlSet\Control\Class writes to UpperFilters/LowerFilters/ClassFilters from non-SYSTEM processes (Sysmon EID 13), driver-load events (Sysmon EID 6) for drivers loaded from user-writable paths, and streaming/thunk-class kernel drivers loaded by a non-system process. Hardening: enforce the Microsoft Vulnerable Driver Blocklist (WDAC) and HVCI/Memory Integrity, and re-test blocklist coverage against these hardware-gate-bypass techniques. ATT&CK T1068, T1014, T1562.001.
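The hunt described above, as an added example that is not part of the original entry or of Atos TRC's research: a small Python triage pass over constructed Sysmon-style events (EID 13 registry value sets and EID 6 driver loads) that flags UpperFilters/LowerFilters/ClassFilters writes under Control\Class from non-SYSTEM accounts and driver loads from user-writable paths. The sample events, the user-writable path list and the SYSTEM-only account check are assumptions made for illustration; a real deployment would tune them to the environment and feed events from a SIEM rather than an inline list.

```python
"""Triage of Sysmon-style events for the two hunts named in the entry:
 - EID 13 (RegistryEvent, value set) on UpperFilters/LowerFilters/ClassFilters
   beneath HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class from a non-SYSTEM account;
 - EID 6 (Driver loaded) where the image lives under a user-writable path.
Field names follow Sysmon's schema; all values below are constructed, not real telemetry."""

from typing import Dict, Iterable, List, Tuple

# Key prefix from the entry; compared case-insensitively because Sysmon logs
# "HKLM\System\..." while the entry writes "HKLM\SYSTEM\...".
CLASS_KEY_PREFIX = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\CLASS\\"
FILTER_VALUES = {"UPPERFILTERS", "LOWERFILTERS", "CLASSFILTERS"}

# Assumed starter list of user-writable locations; extend per environment.
USER_WRITABLE_PREFIXES = ("C:\\USERS\\", "C:\\PROGRAMDATA\\", "C:\\WINDOWS\\TEMP\\")

# Accounts treated as the legitimate writer of class-filter values (assumption).
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}

# Constructed sample: one benign filter write by SYSTEM, one filter write by an
# interactive user from a download directory, one in-box driver load, and one
# driver load from a user's Temp directory. The GUID is the standard DiskDrive class.
DISK_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 13, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": f"HKLM\\System\\CurrentControlSet\\Control\\Class\\{DISK_CLASS}\\UpperFilters",
     "Details": "partmgr"},
    {"EventID": 13, "User": "WORKSTATION\\alice",
     "Image": "C:\\Users\\alice\\Downloads\\installer.exe",
     "TargetObject": f"HKLM\\System\\CurrentControlSet\\Control\\Class\\{DISK_CLASS}\\LowerFilters",
     "Details": "example_flt"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\legacy_oem.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def is_class_filter_write(ev: Dict[str, object]) -> bool:
    """True for an EID 13 that sets a *Filters value under the Control\\Class key."""
    if ev.get("EventID") != 13:
        return False
    target = str(ev.get("TargetObject", "")).upper()
    if not target.startswith(CLASS_KEY_PREFIX):
        return False
    value_name = target.rsplit("\\", 1)[-1]
    return value_name in FILTER_VALUES


def is_non_system_user(ev: Dict[str, object]) -> bool:
    """True when the writing account is not one of the expected SYSTEM identities."""
    return str(ev.get("User", "")).upper() not in SYSTEM_ACCOUNTS


def is_driver_load_from_user_writable(ev: Dict[str, object]) -> bool:
    """True for an EID 6 whose image path begins with a user-writable prefix.
    Signature status is deliberately ignored: BYOVD drivers are validly signed."""
    if ev.get("EventID") != 6:
        return False
    image = str(ev.get("ImageLoaded", "")).upper()
    return image.startswith(USER_WRITABLE_PREFIXES)


def triage(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for every event matching one of the hunts."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if is_class_filter_write(ev) and is_non_system_user(ev):
            findings.append(("class_filter_write_non_system",
                             f"{ev.get('User')} via {ev.get('Image')} set "
                             f"{ev.get('TargetObject')} = {ev.get('Details')}"))
        elif is_driver_load_from_user_writable(ev):
            findings.append(("driver_load_user_writable",
                             f"driver loaded from {ev.get('ImageLoaded')} "
                             f"(SignatureStatus={ev.get('SignatureStatus')})"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The SYSTEM-owned write to UpperFilters and the in-box disk.sys load are left alone; the two remaining events are the ones worth a look. Because filter restacking and the registry technique both land on these exact value names, alerting on the value-set event itself (rather than on a later driver load) gives the earliest signal the entry's telemetry offers.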

priv-esc global