
BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)

Detects Bring Your Own Vulnerable Driver (BYOVD) attacks by correlating vulnerable kernel driver loads with security software termination on the same host. This technique has been actively used by the Medusa ransomware group to disable EDR/AV tooling before encryption. The query covers both known-bad driver names and anomalous driver loads from user-writable paths.

Tags: EDR, hunting, T1562.001, T1068, T1014
FDR | intermediate | by cap10 (cql-hub.com) | 1 min read

Query

/* Phase 1: Detect BYOVD, known-vulnerable or out-of-place signed drivers */
#event_simpleName = DriverLoad OR #event_simpleName = ClassifiedModuleLoad
// First branch: known-bad driver names (ignoreCase so GDRV.sys and gdrv.sys both match).
// Second branch: any .sys loaded from a user-writable location (the two filters are ANDed).
| case {
    in(field=FileName, values=[
      "gdrv.sys", "msio64.sys", "ntiolib.sys", "kprocesshacker.sys",
      "physmem.sys", "dbk64.sys", "procexp152.sys", "NSSM.sys",
      "wantd.sys", "AsrDrv104.sys", "mhyprot2.sys"
    ], ignoreCase=true) | BYOVDIndicator := "Known vulnerable driver loaded";
    FilePath = /AppData|Temp|ProgramData|Users\\.*\\Desktop/i
      FileName = /\.sys$/i
      | BYOVDIndicator := "Driver loaded from suspicious user-writable path";
    * | BYOVDIndicator := "none";
  }
| BYOVDIndicator != "none"
/* Phase 2: Correlate with EDR/AV process termination on the same host (aid).
   The alternation uses "avp" rather than "avp\.exe": the trailing \.exe$ already
   supplies the extension, so "avp\.exe" would only have matched "avp.exe.exe". */
| join(
    {
      #event_simpleName = TerminateProcess
      | ImageFileName = /(MsMpEng|CsAgent|CsFalconService|csshell|SentinelAgent|cbdefense|MBAMService|avp|fmon|avgnt|bdservicehost|mcshield|ekrn)\.exe$/i
      | rename(field=ImageFileName, as=TerminatedSecurity)
    },
    field=aid, key=aid, include=[TerminatedSecurity]
  )
| TerminatedSecurity = *
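To show what the case{} classification and the aid join actually produce, here is the same correlation logic as a small Python script run over constructed events. This is an added example, not part of the cql-hub.com query or CrowdStrike telemetry; the host ids, paths and process names are made up and only the field names (aid, FileName, FilePath, ImageFileName) follow the query.

```python
import re

# Constructed sample events using the query's field names (aid, FileName,
# FilePath, ImageFileName); not real telemetry.
DRIVER_LOADS = [
    {"aid": "host-a", "FileName": "GDRV.sys", "FilePath": r"C:\Windows\System32\drivers\GDRV.sys"},
    {"aid": "host-b", "FileName": "update.sys", "FilePath": r"C:\Users\bob\AppData\Local\Temp\update.sys"},
    {"aid": "host-c", "FileName": "ntfs.sys", "FilePath": r"C:\Windows\System32\drivers\ntfs.sys"},
]
TERMINATIONS = [
    {"aid": "host-a", "ImageFileName": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"aid": "host-b", "ImageFileName": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"aid": "host-c", "ImageFileName": r"C:\Windows\System32\notepad.exe"},
]

KNOWN_VULNERABLE_DRIVERS = {  # the query's in() list, lower-cased for case-insensitive matching
    "gdrv.sys", "msio64.sys", "ntiolib.sys", "kprocesshacker.sys", "physmem.sys", "dbk64.sys",
    "procexp152.sys", "nssm.sys", "wantd.sys", "asrdrv104.sys", "mhyprot2.sys",
}
SUSPICIOUS_PATH = re.compile(r"AppData|Temp|ProgramData|Users\\.*\\Desktop", re.I)
SECURITY_PROCESS = re.compile(
    r"(MsMpEng|CsAgent|CsFalconService|csshell|SentinelAgent|cbdefense|MBAMService"
    r"|avp|fmon|avgnt|bdservicehost|mcshield|ekrn)\.exe$", re.I)


def classify_driver_load(event):
    """Mirror of the query's case{} block: the first matching branch wins."""
    name = event.get("FileName", "").lower()
    if name in KNOWN_VULNERABLE_DRIVERS:
        return "Known vulnerable driver loaded"
    if name.endswith(".sys") and SUSPICIOUS_PATH.search(event.get("FilePath", "")):
        return "Driver loaded from suspicious user-writable path"
    return "none"


def correlate(driver_loads, terminations):
    """Inner join on aid (join(..., field=aid, key=aid)): a flagged driver load
    only becomes an alert if a security process was terminated on the same host."""
    killed = {}  # aid -> terminated EDR/AV image paths
    for ev in terminations:
        if SECURITY_PROCESS.search(ev.get("ImageFileName", "")):
            killed.setdefault(ev["aid"], []).append(ev["ImageFileName"])
    alerts = []
    for ev in driver_loads:
        indicator = classify_driver_load(ev)
        if indicator == "none":
            continue  # equivalent of "| BYOVDIndicator != 'none'"
        for proc in killed.get(ev["aid"], []):
            alerts.append({"aid": ev["aid"], "FileName": ev["FileName"],
                           "BYOVDIndicator": indicator, "TerminatedSecurity": proc})
    return alerts
```

Running `correlate(DRIVER_LOADS, TERMINATIONS)` yields two alerts (host-a via the known-driver branch, host-b via the user-writable-path branch) and none for host-c, whose ntfs.sys load and notepad termination satisfy neither side of the join.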

Explanation

Imported from cql-hub.com. Pipe by pipe: the first line selects driver load events (DriverLoad or ClassifiedModuleLoad). The case block assigns a BYOVDIndicator: the first branch flags a FileName in the list of known vulnerable drivers, the second flags any .sys file loaded from a user-writable path (AppData, Temp, ProgramData, a user's Desktop), and the catch-all branch sets "none". The BYOVDIndicator != "none" filter keeps only flagged loads. The join subquery selects TerminateProcess events whose ImageFileName matches common EDR/AV processes, renames that field to TerminatedSecurity, and is joined on aid, so only hosts with both a suspicious driver load and a security-process termination remain. The final TerminatedSecurity = * filter keeps rows where the join produced a match.

Variables to tune

Review and adjust the values for your environment: the driver name list in in(), the user-writable path regex, the EDR/AV process regex in the join subquery, and the join key (aid) if your data identifies hosts by a different field.