Even recently, there are folks talking about how the Microsoft recommended driver block rules list protects against BYOVD attacks.
This is a lie. Or at best misinformation, which unfortunately seems to get repeated by those who don't really understand how things work.
Yes, you can prevent an attacker from bringing their own driver ("vulnerable" or not) by using a signed (e.g. enforced by SecureBoot) WDAC policy. I hope you don't mind extra work, as this isn't easy/free.
If you want to dig deeper into the thought experiment about what constitutes a "vulnerable" driver vs. one that isn't vulnerable, feel free to read up on BYOVD Protection is a Lie (Part 2).
TL;DR: Anybody suggesting that the Microsoft recommended driver block rules protect against BYOVD is wrong. An attacker bringing their own driver is already an admin, and on default Windows configurations, an admin can do what they want on a system. They don't need vulnerabilities. Heck, an admin attacker can install arbitrary homemade drivers that have never even had a valid signature if they wanted to.
The Microsoft recommended driver block rules list is fine for preventing vulnerable drivers that might already be present on your system from being exploited. But don't fool yourself into thinking that it will help protect against attackers bringing their own driver.
Once Microsoft fixes the blocking capabilities of the Microsoft recommended driver block rules on non-HVCI systems, then the ability for attackers to target already-present drivers will be further hampered. But the flaws that I've outlined in this thread won't affect attackers bringing their own drivers. They already own your system.
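As an added check (this script is not part of the original post), here is a read-only PowerShell snippet that reports which of the mechanisms discussed above are actually in force on a host: Secure Boot, HVCI, an enforced kernel-mode code-integrity (WDAC) policy, and the vulnerable driver blocklist toggle. The interpretation it prints follows the post's point: the blocklist only matters for drivers already present, and without an enforced kernel-mode policy an admin can still load whatever driver they bring. The WMI property values and the registry value name are as Microsoft documents them; the policy file paths are the standard CodeIntegrity locations and are assumed, not taken from the post.

```powershell
# Added example: report driver-loading posture on a Windows host. Run from an elevated prompt.
# Nothing here changes configuration; it only reads state.

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms.
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

# Device Guard state exposed by Windows via the Win32_DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced (kernel-mode policy).
$kmciStatus = [int]$dg.CodeIntegrityPolicyEnforcementStatus
$kmciEnforced = ($kmciStatus -eq 2)

# "Microsoft Vulnerable Driver Blocklist" toggle (Windows 11 22H2 and later). Missing value = default.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

# Deployed CI policy files (assumed standard locations: single-policy .p7b and multi-policy .cip).
$policyFiles = @()
$policyFiles += Get-ChildItem "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b" -ErrorAction SilentlyContinue
$policyFiles += Get-ChildItem "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip" -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBoot                   = $secureBoot
    HvciRunning                  = $hvciRunning
    KernelCiPolicyStatus         = @('Off', 'Audit', 'Enforced')[$kmciStatus]
    VulnerableDriverBlocklistReg = if ($null -eq $blocklist) { 'not set (default)' } else { $blocklist }
    PolicyFiles                  = ($policyFiles | ForEach-Object FullName) -join '; '
} | Format-List

# Interpretation, following the post's argument rather than any vendor marketing.
if (-not $kmciEnforced) {
    Write-Host 'No enforced kernel-mode CI policy: an admin attacker can still load a driver they bring.'
    Write-Host 'The driver blocklist, if on, only affects drivers already present on this system.'
} elseif (-not $secureBoot) {
    Write-Host 'Kernel-mode CI policy enforced, but Secure Boot is off: an admin may be able to remove or replace the policy.'
} else {
    Write-Host 'Enforced kernel-mode CI policy with Secure Boot on. Verify the policy is signed and only allows the drivers you intend.'
}
if (-not $hvciRunning) {
    Write-Host 'HVCI is not running; per the post, block-rule enforcement on non-HVCI systems is weaker.'
}
```

The script cannot tell from WMI alone whether the deployed policy is signed, which is the part that stops an admin from simply deleting it; that is why the final branch still asks you to verify it rather than declaring the host protected.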