The Windows CLFS driver has been involved in at least six actively exploited privilege escalation zero-days since 2022, including three in 2025 alone: CVE-2025-24983 (Win32k, patched March 2025), CVE-2025-29824 (CLFS, patched April 2025), and CVE-2025-32701 (CLFS, patched May 2025). In addition, CVE-2025-62215 (Windows Kernel race condition, patched November 2025) was confirmed exploited in the wild. The Storm-2460 threat group used PipeMagic malware to deliver the CVE-2025-29824 exploit against targets in the US, Venezuela, Spain, and Saudi Arabia, followed by Play ransomware deployment. CISA added over 30 Windows OS vulnerabilities to its Known Exploited Vulnerabilities catalog in 2025, with a significant portion targeting kernel components. Meanwhile, BYOVD-based EDR killers have been adopted by at least a dozen ransomware groups. T1068 has no sub-techniques — it covers all exploitation for privilege escalation.
T1068 falls under the Privilege Escalation tactic (TA0004). The technique covers any exploitation of a software vulnerability — in the operating system kernel, device drivers, privileged services, or applications running at elevated permissions — to gain higher levels of access. This ranges from user-to-SYSTEM escalation on Windows, to user-to-root on Linux, to container-to-host escapes, to virtual machine guest-to-hypervisor escapes. The key distinction from other privilege escalation techniques is that T1068 relies on exploiting a vulnerability in code, not on abusing legitimate features, misconfigurations, or access control weaknesses.
The technique spans Windows, Linux, macOS, Containers, and Network Devices. It has no sub-techniques — the MITRE ATT&CK framework treats all exploitation for privilege escalation as a single technique because the vulnerability classes, exploitation methods, and target components vary so widely that sub-categorization would be impractical. Instead, the technique encompasses kernel exploits, driver exploits (including BYOVD), application exploits, container escapes, and hypervisor escapes.
Primary Attack Vectors
Windows Kernel Vulnerabilities (CLFS, Win32k, and Beyond)
The Windows kernel has been the most consistently targeted surface for privilege escalation exploits. Two subsystems have dominated the vulnerability landscape. The Common Log File System (CLFS) driver, which provides high-performance logging capabilities for both user-mode and kernel-mode applications, has been a repeated target due to its complexity and direct kernel interaction. CLFS vulnerabilities typically involve use-after-free (UAF) conditions, race conditions, or improper memory management that allow an attacker to corrupt kernel memory and gain SYSTEM privileges. Because the driver has shipped in every supported Windows version since Windows Vista, a single CLFS exploit affects the entire Windows ecosystem.
The Win32k subsystem, which handles window management and the graphics driver interface, has historically been one of the most exploited Windows kernel components. Groups like BITTER APT have exploited Win32k zero-days (CVE-2021-1732) in targeted espionage campaigns. The Win32k attack surface remains relevant in 2025 despite Microsoft's ongoing efforts to reduce its exposure through architectural changes in newer Windows versions.
Other repeatedly targeted kernel components include the Windows Kernel itself (race conditions like CVE-2025-62215), the Print Spooler service (PrintNightmare family), and the Windows Update Stack (CVE-2025-21204). The 2025 BeyondTrust Microsoft Vulnerabilities Report documented a record 1,360 security vulnerabilities across Microsoft products in 2024, an 11% increase from the previous year.
Bring Your Own Vulnerable Driver (BYOVD)
BYOVD has become the most operationally significant privilege escalation technique in the ransomware ecosystem. The attack works by loading a legitimate, digitally signed kernel driver that contains a known vulnerability onto the target system. Because the driver is properly signed, Windows' driver signature enforcement allows it to load. The adversary then exploits the vulnerability in the loaded driver to gain kernel-level (Ring 0) access, which they use to disable or blind endpoint detection tools that operate at lower privilege levels.
The BYOVD technique requires administrative privileges on the target system (to load the driver via sc create or similar), which the adversary typically already possesses at this stage of the attack. The value of BYOVD is not in escalating from user to admin — it is in escalating from admin to kernel, bypassing the security tools that would otherwise detect ransomware deployment. With kernel access, the adversary can enumerate and remove every EDR callback registered in the kernel, terminate EDR user-mode processes, and tamper with kernel data structures that security products rely on.
The Picus Red Report 2024 documented a 333% increase in EDR killer malware prevalence. Researchers estimate that approximately 25% of ransomware attacks in 2024 incorporated BYOVD methods. The loldrivers.io project currently catalogs over 364 known vulnerable drivers that can be abused for BYOVD attacks. Common targets include the Zemana Anti-Keylogger driver (zamguard64.sys, exploited by Terminator and Killer Ultra), the Avast Anti-Rootkit driver (aswArPot.sys), the Intel Ethernet diagnostics driver (iqvw64.sys, CVE-2015-2291, used by Scattered Spider), the Genshin Impact anti-cheat driver (mhyprot2.sys), and various forensic and hardware monitoring drivers.
Linux Kernel and Container Escapes
On Linux, privilege escalation exploits target the kernel directly or exploit container runtime vulnerabilities to escape from containerized environments to the host. Notable examples include the Dirty Pipe vulnerability (CVE-2022-0847), which allowed overwriting read-only files through the splice system call, and various container escape vulnerabilities in runc, containerd, and the Docker daemon. The TeamTNT group deployed the Hildegard malware specifically targeting Kubernetes environments, combining container escape exploits with cryptojacking payloads.
Hypervisor and VM Escapes
MITRE ATT&CK explicitly notes that T1068 covers adversaries moving "from a virtualized environment, such as within a virtual machine or container, onto the underlying host." In June 2023, Mandiant documented a Chinese espionage actor (UNC3886) using a VMware ESXi zero-day to perform privileged guest operations on compromised hypervisors. Hypervisor escapes represent the highest-value privilege escalation possible in virtualized environments, as they grant access to all virtual machines running on the host.
How Exploitation for Privilege Escalation Works
The exploitation chain. A typical T1068 attack follows a consistent pattern. The adversary first gains initial access (through phishing, vulnerability exploitation, or credential theft) and establishes a foothold as a standard user or limited-privilege process. They then identify a vulnerability in a kernel component, driver, or privileged service that can be triggered from their current privilege level. They deploy the exploit, which typically corrupts kernel memory (use-after-free, heap overflow, race condition) to gain arbitrary read/write access to kernel memory. With kernel memory control, they escalate their process token to SYSTEM or inject code into a SYSTEM-level process. Post-exploitation, they deploy their primary payload (ransomware, credential dumping, persistence mechanisms) from the elevated context.
CLFS exploitation mechanics. The CLFS exploits observed in 2025 share common mechanics. CVE-2025-29824 (the Storm-2460 exploit) triggers a use-after-free through race conditions between CloseHandle() (which deallocates internal structures) and DeviceIoControl() (which uses pointers to the deallocated memory). The exploit uses dual-threaded API calls — one thread closes a file handle while another invokes a control operation on the same handle — to corrupt kernel memory. The exploit creates artifacts in C:\ProgramData\SkyPDF\, including a base log file (PDUDrv.blf) and a malicious DLL (ClsSrv.inf) that gets injected into winlogon.exe. Windows 11 version 24H2 is inherently protected because access to certain System Information Classes within NtQuerySystemInformation is restricted to users with SeDebugPrivilege.
BYOVD exploitation mechanics. The BYOVD workflow begins with the adversary dropping a vulnerable driver file and a user-mode loader onto the target system. The loader creates a Windows service for the driver (sc create), loading it into the kernel. Once loaded, the loader communicates with the driver through IOCTL (Input/Output Control) requests. Poorly designed drivers may expose IOCTLs that allow arbitrary process termination, arbitrary memory read/write, or arbitrary code execution in kernel mode. The loader iterates over a list of process names corresponding to security tools and issues IOCTL commands to the vulnerable driver to terminate each one. With security tools disabled, the adversary deploys their primary payload.
Why This Technique Matters
It enables ransomware at scale. Modern enterprise environments typically deploy EDR solutions that can detect and block ransomware activity. BYOVD-based EDR killers have become the critical enabling technique that allows ransomware groups to operate despite these defenses. The EDRKillShifter tool (RansomHub), Killer Ultra (Qilin), BurntCigar (Cuba), and Terminator (sold on Russian forums for $300-$3,000) all exist specifically to disable the security tools that would otherwise prevent ransomware deployment. Without T1068, many ransomware campaigns would fail at the payload deployment stage.
Zero-days are increasingly commoditized. The PipeMagic malware has been connected to at least two privilege escalation zero-day exploits in 2025 (CVE-2025-24983 and CVE-2025-29824), suggesting an organized supply chain for Windows kernel exploits. Storm-2460 used PipeMagic to deliver CLFS exploits against targets across multiple continents. The availability of zero-day exploits through specialized malware loaders indicates that advanced exploitation capabilities are becoming accessible to a broader range of threat actors through malware-as-a-service models.
CLFS is a systemic risk. The CLFS driver has been involved in at least six actively exploited zero-days since 2022, including CVE-2023-23376, CVE-2023-28252, CVE-2024-49138, CVE-2025-24983, CVE-2025-29824, and CVE-2025-32701. The driver's complexity and its direct interaction with the kernel create a persistent attack surface that patch-and-pray approaches have failed to eliminate. Each new CLFS vulnerability follows similar exploitation patterns (use-after-free, race conditions), suggesting that the underlying codebase contains systemic issues that incremental patches do not fully address.
EDR is not invincible. BYOVD attacks demonstrate a fundamental architectural limitation: EDR tamper protection mechanisms run at the same privilege level (Ring 0) as the attacker's loaded vulnerable driver. If mitigations like Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) are not enabled, a kernel-level adversary can disable any security tool on the system. Tamper protection that is not hardware-enforced provides only a speed bump, not a barrier.
Real-World Case Studies
Storm-2460 / PipeMagic / CVE-2025-29824 — CLFS Zero-Day to Play Ransomware
In April 2025, Microsoft documented Storm-2460 exploiting CVE-2025-29824, a use-after-free vulnerability in the CLFS driver, against targets in US IT and real estate organizations, Venezuelan financial institutions, a Spanish software company, and Saudi Arabian retailers. The attack chain began with the certutil utility downloading a malicious MSBuild file from a compromised third-party website. The MSBuild file decrypted and executed the PipeMagic backdoor through the EnumCalendarInfoA API callback. PipeMagic then deployed the CLFS exploit, which created a base log file (PDUDrv.blf) in C:\ProgramData\SkyPDF\ as an exploitation artifact. After gaining SYSTEM privileges, the exploit injected a malicious DLL into winlogon.exe, which dumped LSASS credentials and deployed Play ransomware. This was the second Windows zero-day delivered via PipeMagic, following CVE-2025-24983 (Win32k privilege escalation) patched in March 2025.
RansomHub / EDRKillShifter — BYOVD as Standard Operating Procedure
The RansomHub ransomware-as-a-service operation introduced EDRKillShifter, a dedicated BYOVD tool that has become one of the most commonly observed EDR killers in 2024-2025. EDRKillShifter decrypts and executes an embedded payload in memory, which unpacks a vulnerable driver and loads it as a Windows service. The driver is then exploited to disable EDR processes. The malware continuously scans for and terminates security tool processes using a hardcoded target list, maintaining persistence even on reboot. Sophos analysts noted that EDRKillShifter variants are customized for each operation, suggesting they are not leaked binaries but purpose-built tools distributed to affiliates. The adoption of EDRKillShifter by both RansomHub and Qilin affiliates may be linked to Scattered Spider members joining these ransomware operations. ESET reported that EDRKillShifter variants abused drivers including the TfSysMon driver (sysmon.sys from ThreatFire), which was subsequently added to the LOLDrivers project after the research was published.
DeadLock Ransomware / CVE-2024-51324 — BYOVD with Pre-Encryption Preparation
Cisco Talos documented a DeadLock ransomware campaign (active since July 2025) that combined BYOVD with comprehensive pre-encryption system preparation. The threat actor dropped a loader (EDRGay.exe) and a vulnerable driver (DriverGay.sys, exploiting CVE-2024-51324 in a Bitdefender utility driver) into the victim's Videos folder. The loader initialized the driver via CreateFile() against the device name \\.\BdApiUtil, then enumerated running processes to identify EDR targets. The vulnerability allowed unprivileged users to terminate any process at the kernel level through IOCTL code 0x92D, because the driver failed to validate caller permissions. After disabling security tools, the actor executed a PowerShell script that bypassed UAC, disabled Windows Defender, terminated backup and database services, and deleted volume shadow copies. DeadLock ransomware then encrypted files using a custom stream cipher with time-based cryptographic keys.
UNC3886 / VMware ESXi Zero-Day — Hypervisor Escape for Espionage (2023)
Mandiant documented UNC3886, a Chinese espionage actor, exploiting a VMware ESXi zero-day to perform privileged guest operations on compromised hypervisors. The attack allowed the adversary to escalate from a VM guest to the hypervisor host, gaining access to all virtual machines running on the infrastructure. This represents the most dangerous form of T1068 exploitation in virtualized environments — a single hypervisor escape can compromise an entire data center's workload. The incident highlighted that privilege escalation in cloud and virtualized environments extends beyond operating system boundaries.
Embargo Ransomware — Rust-Based Toolkit with BYOVD
ESET documented the Embargo ransomware group (active since 2024) using a Rust-based toolkit that included a dedicated BYOVD component for disabling security products before ransomware deployment. The group's tools demonstrated increasing sophistication in their driver exploitation capabilities, with the BYOVD component designed to be modular and adaptable to different vulnerable drivers. The Rust programming language choice reflects a broader trend among ransomware developers toward memory-safe languages for their tooling.
Silk Typhoon — Supply Chain Exploitation for Privilege Escalation (2025)
In March 2025, Microsoft Threat Intelligence documented Silk Typhoon targeting IT supply chain providers, exploiting vulnerabilities in their products to gain elevated access within downstream customer environments. This represents a supply-chain variant of T1068 where the exploitation occurs not on the target's own systems but through trusted software that runs with elevated privileges within the target environment.
Detection Strategies
Detecting exploitation for privilege escalation is challenging because kernel exploits operate below the visibility of many security tools. Detection strategies focus on identifying exploitation artifacts, anomalous kernel activity, and the pre-/post-exploitation behaviors that surround the exploit itself.
Kernel exploit detection at the point of exploitation is extremely difficult — the exploit operates at Ring 0 and may not generate events visible to user-mode monitoring tools. The most practical detection opportunities are before exploitation (driver loading, service creation, tool staging) and after exploitation (EDR process termination, credential dumping, lateral movement). Design your detection rules around these observable behaviors rather than attempting to detect the exploit itself.
Key Monitoring Points
| Data Source | What to Monitor | Detection Logic |
|---|---|---|
| Sysmon EID 6 / Driver Load | Vulnerable driver loading | Alert on loading of drivers whose hashes match the Microsoft Recommended Driver Block List or the LOLDrivers database. Flag drivers loaded from non-standard locations (user Temp, Downloads, ProgramData, Videos folders) |
| Sysmon EID 1 / Process Create | Service creation for driver loading | Monitor for sc create or sc start commands creating services with type= kernel. Alert on service creation by non-administrative processes or from unusual parent processes |
| Windows Event 7045 | New service installations | Alert on new kernel driver service installations, especially those with drivers located in temporary directories or user-writable paths |
| EDR Telemetry | EDR process termination | If your EDR stops reporting telemetry from a host unexpectedly, treat it as a critical incident. Correlate EDR agent health monitoring with driver load events. "EDR going silent" may indicate a successful BYOVD attack |
| File System Events | CLFS exploit artifacts | Monitor for creation of BLF files in unexpected locations, particularly C:\ProgramData\SkyPDF\PDUDrv.blf (CVE-2025-29824 artifact) and other CLFS log files outside of normal logging directories |
| Process Events | Post-exploitation credential access | After privilege escalation, adversaries typically dump LSASS. Monitor for dllhost.exe with unusual command-line arguments (Storm-2460 used --do), processes spawned as SYSTEM from unexpected parents, and LSASS access from non-security processes |
| Kernel Integrity | Kernel callback tampering | Advanced EDR solutions can monitor for removal of kernel notification callbacks (PsSetCreateProcessNotifyRoutine, CmRegisterCallback). Unexpected callback removal indicates kernel-level security tool tampering |
Splunk Detection Queries
Query 1: Vulnerable Driver Loading from Non-Standard Paths
Detects kernel driver loading from user-writable directories, a key indicator of BYOVD staging.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=6
| where match(ImageLoaded, "(?i)(\\\\Users\\\\|\\\\Temp\\\\|\\\\ProgramData\\\\|\\\\Downloads\\\\|\\\\Videos\\\\|\\\\AppData\\\\)")
    AND SignatureStatus IN ("Valid", "Expired")
| table _time host ImageLoaded Hashes SignatureStatus Signed
| sort -_time
```
Query 2: Kernel Service Creation via sc.exe
Detects service creation commands that load kernel-mode drivers, a required step in BYOVD attacks.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    process_name=sc.exe
    ((CommandLine="*create*" AND CommandLine="*type= kernel*")
     OR (CommandLine="*create*" AND CommandLine="*binPath=*" AND CommandLine="*.sys*"))
| table _time host user CommandLine parent_process_name parent_process_path
| sort -_time
```
Query 3: CLFS Exploit Artifact Detection (CVE-2025-29824)
Detects the specific file artifacts created by the Storm-2460 CLFS exploitation chain.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (TargetFilename="*\\ProgramData\\SkyPDF\\*"
     OR (TargetFilename="*.blf" AND NOT TargetFilename="*\\Windows\\*"))
| table _time host TargetFilename process_name process_path
| sort -_time
```
Query 4: EDR Process Termination Detection
Detects termination of known security tool processes, which typically follows successful BYOVD exploitation.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=5
    (Image="*MsMpEng*" OR Image="*CrowdStrike*" OR Image="*SentinelOne*"
     OR Image="*CylanceSvc*" OR Image="*cb.exe*" OR Image="*CSFalcon*"
     OR Image="*Tanium*" OR Image="*Qualys*" OR Image="*Sophos*")
| stats count min(_time) as first_kill max(_time) as last_kill
    values(Image) as killed_processes by host
| where count >= 2
| sort -count
```
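The correlation that the monitoring table and Queries 1 and 4 describe, as an added PowerShell example that is not part of the original page: it takes Sysmon EID 6 driver loads and EID 5 process terminations (in practice built from Get-WinEvent on the Sysmon log), flags drivers loaded from user-writable paths or carrying a blocklisted SHA256, and raises the finding to critical when security-tool processes end on the same host within ten minutes. The function names, the blocklist hashes and every event below are constructed for the example.

```powershell
# Added example, not code from the original page. Input objects mirror the Sysmon
# EID 6 (ImageLoaded, Hashes, SignatureStatus) and EID 5 (Image) fields.

# User-writable locations from Query 1.
$UserWritablePattern = '(?i)\\(Users|Temp|ProgramData|Downloads|Videos|AppData)\\'

# Security-tool process names from Query 4.
$EdrProcessPattern = '(?i)(MsMpEng|CrowdStrike|SentinelOne|CylanceSvc|\\cb\.exe|CSFalcon|Tanium|Qualys|Sophos)'

# Constructed blocklist keyed by SHA256. The keys are placeholders, not real hashes;
# populate this from the Microsoft recommended driver block list or loldrivers.io.
$KnownVulnerableSha256 = @{
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER' = 'placeholder vulnerable driver'
}

# Sysmon stores hashes as "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."; pull out SHA256.
function Get-Sha256FromSysmonHashes {
    param([string] $Hashes)
    if ($Hashes -match 'SHA256=([^,]+)') { return $Matches[1] }
    return $null
}

function Find-BYOVDStaging {
    param(
        [Parameter(Mandatory)] [object[]] $DriverLoads,  # Time, Computer, ImageLoaded, Hashes, SignatureStatus
        [Parameter(Mandatory)] [object[]] $ProcessEnds,  # Time, Computer, Image
        [int] $WindowMinutes = 10
    )
    $findings = @()
    foreach ($load in $DriverLoads) {
        $reasons = @()
        $sha256 = Get-Sha256FromSysmonHashes -Hashes $load.Hashes
        if ($load.ImageLoaded -match $UserWritablePattern) {
            $reasons += 'loaded from a user-writable path'
        }
        if ($sha256 -and $KnownVulnerableSha256.ContainsKey($sha256)) {
            $reasons += "SHA256 on blocklist ($($KnownVulnerableSha256[$sha256]))"
        }
        if ($reasons.Count -eq 0) { continue }

        # A valid signature is expected in BYOVD: the signature is what lets the driver load.
        if ($load.SignatureStatus -in @('Valid', 'Expired')) {
            $reasons += "signature status $($load.SignatureStatus)"
        }

        # Security-tool processes ending on the same host shortly after the load.
        $deadline = $load.Time.AddMinutes($WindowMinutes)
        $kills = @($ProcessEnds | Where-Object {
            $_.Computer -eq $load.Computer -and
            $_.Image -match $EdrProcessPattern -and
            $_.Time -ge $load.Time -and $_.Time -le $deadline
        })
        $severity = if ($kills.Count -gt 0) { 'critical' } else { 'high' }

        $findings += [pscustomobject]@{
            Computer      = $load.Computer
            Driver        = $load.ImageLoaded
            Severity      = $severity
            Reasons       = $reasons -join '; '
            EdrTerminated = @($kills | ForEach-Object { $_.Image } | Sort-Object -Unique) -join ', '
        }
    }
    return $findings
}

# Constructed sample telemetry (not real events).
$t0 = [datetime]'2025-04-01T10:00:00'
$driverLoads = @(
    [pscustomobject]@{ Time = $t0; Computer = 'WS01'; ImageLoaded = 'C:\Users\alice\Videos\DriverGay.sys'
                       Hashes = 'SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ Time = $t0; Computer = 'WS02'; ImageLoaded = 'C:\Windows\System32\drivers\tcpip.sys'
                       Hashes = 'SHA256=PLACEHOLDER_SHA256_OF_BENIGN_DRIVER'; SignatureStatus = 'Valid' }
)
$processEnds = @(
    [pscustomobject]@{ Time = $t0.AddMinutes(2); Computer = 'WS01'; Image = 'C:\Program Files\Windows Defender\MsMpEng.exe' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3); Computer = 'WS01'; Image = 'C:\Program Files\SentinelOne\SentinelAgent.exe' }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); Computer = 'WS02'; Image = 'C:\Windows\System32\notepad.exe' }
)

# WS01 yields one critical finding (user-writable path, blocklisted hash, two
# security-tool terminations inside the window); WS02 yields nothing.
Find-BYOVDStaging -DriverLoads $driverLoads -ProcessEnds $processEnds | Format-List
```

EID 5 records only that a process ended, not who ended it, so the time window and the preceding suspicious driver load are what give the finding its weight.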
Known Threat Actors and Tools
Ransomware Groups Using T1068
| Group | BYOVD / Exploit Tool | Target Driver / CVE |
|---|---|---|
| RansomHub | EDRKillShifter | Multiple drivers including TfSysMon; customized per operation |
| Qilin | Killer Ultra | Zemana Anti-Keylogger (zamguard64.sys, CVE-2024-1853) |
| Play | PipeMagic / Storm-2460 exploit | CVE-2025-29824 (CLFS), CVE-2025-24983 (Win32k) |
| Cuba | BurntCigar | Multiple vulnerable drivers for kernel-level EDR evasion |
| Kasseika | Custom loader (Martini.exe) | VirIT antivirus driver (viragt64.sys); kills 991 processes |
| Embargo | Rust-based BYOVD toolkit | Modular driver exploitation framework |
| DeadLock | EDRGay loader | Bitdefender utility driver (CVE-2024-51324) |
| Scattered Spider | Custom BYOVD | Intel Ethernet diagnostics driver (iqvw64.sys, CVE-2015-2291) |
| BlackByte | BYOVD with Zemana | Zemana driver exploitation via PowerTool |
Nation-State Actors
| Actor | Attribution | T1068 Usage |
|---|---|---|
| UNC3886 | China | VMware ESXi zero-day for hypervisor escape and privileged guest operations (2023) |
| BITTER APT | South Asia | Win32k zero-day (CVE-2021-1732) for targeted espionage |
| APT34 (Earth Simnavaz) | Iran | Windows kernel exploitation for privilege escalation in Middle East campaigns (2024) |
| Silk Typhoon | China | Supply chain exploitation for privilege escalation through trusted IT providers (March 2025) |
| Volt Typhoon | China | Exploitation of vulnerabilities in perimeter devices for elevated access in critical infrastructure |
| APT40 | China (MSS) | Exploitation for privilege escalation as documented in CISA multi-agency advisory (July 2024) |
| Lazarus Group | North Korea | BYOVD for blinding security tools (documented since 2021); kernel exploits for espionage |
Key Exploitation Tools and Frameworks
| Tool | Purpose |
|---|---|
| PipeMagic | Modular backdoor used to deliver CLFS and Win32k zero-day exploits; connected to CVE-2025-24983 and CVE-2025-29824 |
| EDRKillShifter | RansomHub's BYOVD EDR killer; decrypts embedded payload, loads vulnerable driver, continuously terminates security processes |
| Terminator | BYOVD tool sold on Russian forums ($300-$3,000); exploits Zemana drivers; marketed as bypassing nearly all AV/EDR/XDR solutions |
| Killer Ultra | Qilin ransomware BYOVD tool; exploits Zemana Anti-Keylogger driver (CVE-2024-1853) |
| BurntCigar | Cuba ransomware's custom EDR killer using BYOVD techniques |
| LOLDrivers (loldrivers.io) | Community project cataloging 364+ known vulnerable drivers that can be abused for BYOVD; used by both defenders and attackers |
Defensive Recommendations
1. Enable HVCI (Hypervisor-Protected Code Integrity)
HVCI uses hardware virtualization to enforce kernel code integrity from a secure, isolated environment that the main OS kernel cannot access or modify. Even if an attacker gains kernel-level access through BYOVD, they cannot tamper with the code integrity enforcement process. HVCI prevents execution of unsigned or improperly signed code at the kernel level and is the single most effective hardware-enforced defense against BYOVD attacks. Enable HVCI through Windows Security > Device Security > Core Isolation > Memory Integrity. Note that HVCI may cause compatibility issues with older drivers that do not comply with code integrity requirements.
2. Deploy Microsoft's Vulnerable Driver Blocklist
Microsoft maintains a recommended driver block list that prevents known vulnerable drivers from loading. This list is automatically enforced when HVCI is enabled. Organizations should verify that the blocklist is active and up to date on all managed systems. For systems where HVCI cannot be enabled, deploy the blocklist via Windows Defender Application Control (WDAC) policies. The blocklist does not cover all vulnerable drivers (LOLDrivers catalogs significantly more than the Microsoft list), so it should be combined with custom WDAC policies that restrict driver loading to approved drivers only.
3. Prioritize CLFS and kernel patch deployment
Given the pattern of repeated CLFS zero-day exploitation (six actively exploited vulnerabilities since 2022), organizations should treat Windows kernel patches, particularly those addressing CLFS, Win32k, and Windows Kernel vulnerabilities, as emergency deployments rather than routine updates. The time from vulnerability disclosure to exploitation can be measured in days, and in the case of zero-days, exploitation precedes the patch. Upgrade to Windows 11 version 24H2 where possible, as this version includes additional restrictions on system calls that mitigate several CLFS exploitation techniques.
4. Monitor driver loading with Sysmon Event ID 6
Deploy Sysmon with configuration rules that log all driver load events (Event ID 6). Create alerts for drivers loaded from non-standard paths (user-writable directories), drivers whose hashes match known vulnerable driver databases, and drivers loaded shortly before EDR process termination events. This provides visibility into the BYOVD staging phase, which is the most reliably detectable step in the attack chain.
5. Implement EDR health monitoring
Deploy out-of-band EDR health monitoring that detects when agents stop reporting telemetry. If a BYOVD attack successfully terminates your EDR, the EDR itself cannot alert you. External monitoring (through the EDR management console, SIEM correlation of heartbeat events, or network-level health checks) provides a backstop that detects the consequence of successful exploitation even when the exploit itself is invisible to endpoint tools.
6. Restrict driver loading via WDAC
Windows Defender Application Control (WDAC) can create policies that allow only approved drivers to be loaded. This is the most comprehensive defense against BYOVD because it prevents the vulnerable driver from loading in the first place, regardless of whether it is signed or appears on a blocklist. WDAC driver policies require significant testing to ensure compatibility with legitimate drivers in your environment, but they provide the strongest defense available against BYOVD.
7. Apply least privilege and limit admin access
BYOVD attacks require administrative privileges to load kernel drivers. Reducing the number of accounts with local administrator access, implementing just-in-time admin access through privileged access management (PAM) solutions, and enforcing credential hygiene all reduce the attack surface for BYOVD. If the adversary cannot gain admin access, they cannot load a vulnerable driver.
8. Hunt for known exploitation artifacts
Proactively search for known exploitation artifacts across your environment: BLF files in C:\ProgramData\SkyPDF\ (CVE-2025-29824), unusual service creation events for kernel drivers, driver files in user-writable directories, and the process names associated with known EDR killers (EDRKillShifter, Terminator, Killer Ultra, BurntCigar). Cross-reference driver hashes against both Microsoft's blocklist and the LOLDrivers database. Integrate these checks into your continuous threat hunting program.
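A read-only audit of recommendations 1, 2, 4 and 8 on a single host, added here as an example and not taken from the page or from any vendor. The function name is the example's own; the Win32_DeviceGuard class and the VulnerableDriverBlocklistEnable registry value are Microsoft's documented interfaces, and the artifact directory is the one named on the page.

```powershell
# Added example, not code from the original page. Reads WMI, the registry and the
# file system only; run elevated for complete results.

function Get-BYOVDHardeningStatus {
    # Device Guard state. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning  = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 2)

    # Recommendation 2: the vulnerable driver blocklist toggle. HVCI enforces the
    # blocklist on its own, so "not set" on an HVCI host is not by itself a finding.
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklistValue = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                       -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistState = 'not set'
    if ($blocklistValue -eq 1) { $blocklistState = 'enabled' }
    elseif ($blocklistValue -eq 0) { $blocklistState = 'disabled' }

    # Recommendation 8: the CVE-2025-29824 artifact directory named on the page.
    $artifactDir = 'C:\ProgramData\SkyPDF'
    $artifacts = @()
    if (Test-Path -Path $artifactDir) {
        $artifacts = @(Get-ChildItem -Path $artifactDir -Filter '*.blf' -Recurse -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty FullName)
    }

    # Recommendation 4, applied to currently loaded drivers instead of Sysmon history:
    # running kernel drivers whose binary sits in a user-writable location.
    $pattern = '(?i)\\(Users|Temp|ProgramData|Downloads|Videos|AppData)\\'
    $suspectDrivers = @(Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
                        Where-Object { $_.State -eq 'Running' -and $_.PathName -match $pattern } |
                        Select-Object -ExpandProperty PathName)

    $verdict = 'OK'
    if (-not $hvciRunning -or $artifacts.Count -gt 0 -or $suspectDrivers.Count -gt 0) {
        $verdict = 'ACTION REQUIRED'
    }

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = $blocklistState
        ClfsArtifactsFound        = $artifacts
        DriversFromUserPaths      = $suspectDrivers
        Verdict                   = $verdict
    }
}

Get-BYOVDHardeningStatus | Format-List
```

A host that reports HvciRunning false, a disabled blocklist, or any entry under ClfsArtifactsFound or DriversFromUserPaths should be triaged with the detection queries above before any remediation changes its state.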
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1068 |
| Technique Name | Exploitation for Privilege Escalation |
| Tactics | Privilege Escalation (TA0004) |
| Platforms | Windows, Linux, macOS, Containers, Network Devices |
| Sub-Techniques | None |
| Data Sources | Application Log (Content), Driver (Load), Process (Creation) |
| Mitigations | Application Isolation and Sandboxing (M1048), Exploit Protection (M1050), Threat Intelligence Program (M1019), Update Software (M1051) |
| Version | 1.6 (last modified October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1068 |
Sources and References
- MITRE ATT&CK — T1068 Exploitation for Privilege Escalation: attack.mitre.org
- Microsoft — Exploitation of CLFS Zero-Day Leads to Ransomware Activity (April 2025): microsoft.com
- HP Wolf Security — Reviewing Zero-Day Vulnerabilities Exploited in Malware Campaigns in 2025 (March 2026): threatresearch.ext.hp.com
- Cisco Talos — Exploring Vulnerable Windows Drivers (January 2025): blog.talosintelligence.com
- Cisco Talos — New BYOVD Loader Behind DeadLock Ransomware Attack (January 2026): blog.talosintelligence.com
- ESET — EDR Killers Get Popular: Here Is How to Stop Them: eset.com
- Halcyon — Understanding BYOVD Attacks and Mitigation Strategies (May 2025): halcyon.ai
- LOLDrivers — Living Off The Land Drivers Project: loldrivers.io
- Mandiant — VMware ESXi Zero-Day Used by Chinese Espionage Actor (June 2023): cloud.google.com
- Picus Security — Red Report 2024: EDR Killer Prevalence 333% Increase: picussecurity.com