Red Team Road Rage: Weaponizing Vulnerable Drivers to Blind EDR

Jake Mayhew

NorthSec 2025 · Day 1 · Ville-Marie

Jake Mayhew, Director of Offensive Operations at White Knight Labs, walked through the architecture of Windows kernel-mode EDR components and demonstrated how a red teamer can exploit vulnerable third-party drivers to remove kernel notification callbacks, strip EDR telemetry, and defeat Protected Process Light (PPL), culminating in a live CrowdStrike Falcon bypass demo. The talk is a practitioner-level reference both for red teams evaluating EDR defenses and for blue teams building detection logic against Bring Your Own Vulnerable Driver (BYOVD) attacks.

---

AI review

Jake Mayhew (White Knight Labs) delivers a thorough, structured walk-through of Windows kernel EDR architecture and of the BYOVD technique used to defeat it: ring 0 vs. ring 3 separation, kernel callback arrays (process creation, thread creation, image load), PPL and the EPROCESS structure, and the full BYOVD chain from loading a vulnerable driver to zeroing CrowdStrike Falcon's callback registrations. The talk concludes with a live Falcon bypass demo. The defensive section covers HVCI, LOLDrivers monitoring, ETW-Ti, and WDAC driver policy.
