{"id":22002,"date":"2026-07-11T07:59:27","date_gmt":"2026-07-11T07:59:27","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=22002"},"modified":"2026-07-11T10:20:49","modified_gmt":"2026-07-11T10:20:49","slug":"a-signed-driver-makes-endpoint-protection-blind","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/11\/a-signed-driver-makes-endpoint-protection-blind\/","title":{"rendered":"A Signed Driver Makes Endpoint Protection Blind"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">5 min read<\/p>\n<p><strong>A driver with a valid Microsoft signature disables protection processes on the endpoint. The security tool continues running but stops reporting anything. This exact pattern was observed by Symantec\u2019s threat-hunter team in the group behind the GodDamn ransomware. The case highlights less a new malware strain than the limits of Windows driver trust.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">A signature is no shield.<\/strong> A validly signed kernel driver named PoisonX terminates endpoint defense processes and removes their hooks. The console stays silent.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Admin rights are enough.<\/strong> Windows automatically loads the signed driver into the kernel. No additional exploit or CVE required.<\/li>\n<li><strong style=\"color:#69d8ed;\">Detection beats trust.<\/strong> Driver-load telemetry, the vulnerable-driver blocklist, and strict least-privilege policies step in where signature checks fail.<\/li>\n<\/ul>\n<\/div>\n<p style=\"border-top:1px solid rgba(230,227,218,0.14);border-bottom:1px solid rgba(230,227,218,0.14);padding:14px 0;margin:28px 0;font-size:0.92em;color:#b8c5ce;\"><strong style=\"color:#69d8ed;\">Related:<\/strong> <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/10\/edr-vs-xdr-definition-key-differences\/\">What really sets EDR and XDR apart<\/a> &nbsp;\u00b7&nbsp; <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/08\/what-is-ransomware-definition-process-protection\/\">How a ransomware attack unfolds<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What lies behind the signed driver<\/h2>\n<p><strong>What is a BYOVD attack?<\/strong> Bring Your Own Vulnerable Driver (BYOVD) describes a technique where an attacker with administrator rights installs a validly signed but flawed or malicious driver on the system. Windows verifies the signature, finds it valid, and loads the driver into the kernel-no additional exploit needed.<\/p>\n<p>In the GodDamn case, the driver is named PoisonX and carries a genuine signature from the Microsoft Windows Hardware Compatibility Publisher. Symantec highlights a key difference: classic BYOVD abuses a legitimate but vulnerable driver, whereas PoisonX is a malicious driver from the start, engineered to pass signature checks. Once loaded, it terminates the processes of installed endpoint defenses and removes the user-mode hooks that antivirus and EDR tools use to monitor the system. The agent remains technically active, but its visibility is gone.<\/p>\n<p>GodDamn itself isn\u2019t new. Broadcom attributes the family to an actor called Hyadina and sees it as the successor to Beast, which evolved from the older Monster lineage. PoisonX, however, isn\u2019t exclusive to this group-it\u2019s already documented in other toolkits, making it a widely used component, not an isolated case.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">The long prelude before encryption<\/h2>\n<p>Encryption is the final act, not the opening move. In the campaign described by Symantec, attackers gained access via the remote administration tool AnyDesk, placing it in an inconspicuous location within the user profile. Next came a bundle of freely available NirSoft tools to harvest credentials.<\/p>\n<p>Only then did the attackers move laterally through the network, disabling Defender using its own administrative commands and setting up persistence services. By the time ransomware was deployed, around ten systems had been compromised. This prelude can last hours or even days-it\u2019s the real detection window.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why Signature Trust Reaches Its Limits<\/h2>\n<p>The common assumption is: what\u2019s signed is trustworthy. The PoisonX case disproves this. A valid signature confirms a code\u2019s origin-but says nothing about its intent. Once an attacker gains administrator privileges, the signature becomes a free pass into the kernel.<\/p>\n<p>Microsoft counters this with a blocklist of known problematic drivers and hypervisor-protected code integrity. Both measures help, but they act reactively. There\u2019s a window between discovering a misused driver and adding it to the blocklist. Not every system has core isolation enabled. Compatibility with legacy software further delays adoption.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What Detection Engineering Actually Delivers<\/h2>\n<p>The leverage lies in behavior, not signatures. Loading a kernel driver is a rare, highly observable event. Sysmon logs it with hash, signature status, and path. A driver loaded from a user directory instead of the system folder is a strong red flag.<\/p>\n<p>Equally telling: the creation of a kernel service from an unusual source, or the sudden termination of security processes. Correlate these three events, and you\u2019ll spot the attack before encryption even begins.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Check Immediately<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Enable core isolation and memory integrity (HVCI) on endpoints where hardware and drivers permit.<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Enforce Microsoft\u2019s Vulnerable Driver Blocklist and supplement it with custom WDAC rules against known malicious drivers from LOLDrivers.<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Set up alerts for driver-load events (Sysmon Event 6) targeting unusual paths, and monitor kernel service installations (System Log 7045).<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Activate EDR tamper protection to prevent attackers from disabling the agent.<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Remove local admin rights for daily use; enforce LAPS and a tiered access model.<\/li>\n<\/ul>\n<\/div>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Least Privilege as the Foundation<\/h2>\n<p>All the controls mentioned share one prerequisite: without administrator rights, no attacker loads a driver into the kernel. That\u2019s why least privilege sits at the start of any effective defense-not the end.<\/p>\n<p>In practice, this means: no permanent local admin rights, just-in-time access for privileged tasks, LAPS for local accounts, and a tiered model that keeps domain admins off endpoints. Blocklists, HVCI, and telemetry only work if widespread admin rights don\u2019t already do half the attackers\u2019 work for them.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is locked. Tap to unlock the answer.<\/p>\n<details>\n<summary><strong>What is a BYOVD attack?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Bring Your Own Vulnerable Driver refers to an attacker injecting a validly signed but flawed or malicious driver using administrator privileges. Windows trusts the signature and loads the driver into the kernel, where it operates with the highest system rights.<\/p>\n<\/details>\n<details>\n<summary><strong>Is an up-to-date EDR solution enough to counter this technique?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Not on its own. The signed driver targets defenses directly, effectively blinding them. Detection only becomes effective when combined with tamper protection, driver telemetry, and restricted administrator rights.<\/p>\n<\/details>\n<details>\n<summary><strong>Does Microsoft\u2019s Vulnerable Driver Blocklist provide reliable protection?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">It helps, but it\u2019s reactive. There\u2019s a window between the discovery of a driver and its inclusion on the list. Custom WDAC rules targeting known abusive drivers can help close this gap.<\/p>\n<\/details>\n<details>\n<summary><strong>How can you spot this attack in logs?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Three key events stand out: loading a kernel driver from a user directory, creating a kernel service from an unusual source, and the sudden termination of security processes. When correlated, these paint a clear picture.<\/p>\n<\/details>\n<details>\n<summary><strong>What\u2019s the most critical first step?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Reducing widespread administrator rights. Without these privileges, no driver can be loaded into the kernel. All other security measures build on this foundation.<\/p>\n<\/details>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/10\/edr-vs-xdr-definition-key-differences\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-edr-xdr-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What Really Sets EDR and XDR Apart<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/08\/what-is-ransomware-definition-process-protection\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ransomware-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">How a Ransomware Attack Unfolds<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/02\/when-attackers-are-faster-than-the-patch\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/sov-report-2026-schwachstellen-tempo-cover-hero-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">When Attackers Outpace the Patch<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/2026\/07\/08\/ki-modell-denken-anthropic-j-space\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-ki-modell-denken-anthropic-j-space-86585047.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">For the first time, you can watch an AI think<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/ki-mittelstand-pilot-skalierung-roi-roadmap\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/mybusinessfuture.com\/wp-content\/uploads\/2026\/07\/ki-mittelstand-pilot-skalierung-roi-roadmap-cover-hero-760x434.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">From pilot to scale: AI in SMEs<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/konglomerat-holding-aumovio-tkms-siemens-it-carve-out-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-konglomerat-holding-aumovio-tkms-siemens-42852037-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">IT determines whether the spin-off pays off<\/span><\/span><\/a><\/p>\n<p style=\"text-align:right;color:#868e96;font-size:0.85em;margin-top:48px;\"><em>Image source: AI-generated (July 2026)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Cybersecurity: A Microsoft-signed kernel driver disables EDR protection. Why signature trust fails and which detection is now effective.","protected":false},"author":10,"featured_media":21989,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Supply chain attack","_yoast_wpseo_title":"A Signed Driver Makes Endpoint Protection Blind","_yoast_wpseo_metadesc":"The original German text is: \"Cybersecurity: Ein Microsoft-signierter Kernel-Treiber schaltet den EDR-Schutz ab.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[254],"tags":[74],"class_list":["post-22002","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-praxis-umsetzung","tag-ransomware"],"evm_reading_time_minutes":6,"wpml_language":"en","wpml_translation_of":21988,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22002","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=22002"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22002\/revisions"}],"predecessor-version":[{"id":22003,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22002\/revisions\/22003"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/21989"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=22002"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=22002"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=22002"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}