Ransomware operators increasingly switch off endpoint defenses before they encrypt anything. The most common method, Bring Your Own Vulnerable Driver (BYOVD), loads a legitimately signed but flawed driver to reach the Windows kernel and shut down monitoring agents. It is a post-compromise technique with one hard requirement: the attacker must already hold local admin rights on the endpoint. Standing local admin is the privilege that makes it work.
Why ‘Bring Your Own Vulnerable Driver’ Works
The pattern is now standard in attack playbooks. After initial access — through phishing, a compromised account, or an initial access broker — the attacker uses local admin rights to load a signed but flawed driver and reach the Windows kernel. From there, they remove security callbacks and terminate monitoring processes, then deploy ransomware against an endpoint that can no longer defend itself. Security researchers have catalogued dozens of EDR-killer tools that abuse signed but vulnerable drivers in exactly this way. One documented example, AuKill, abused a legitimately signed Microsoft driver to shut down protection before attackers deployed ransomware such as Medusa Locker and LockBit.
Why Windows Trusts a Vulnerable Driver
Windows loads a kernel driver only if it carries a valid digital signature. A vulnerable driver can still be legitimately signed, so the system accepts it without objection — and once it runs in the kernel, it sits beneath the security tools that watch user space. That is what makes a signed but flawed driver such an effective way to disable an EDR from the inside.
Standing Local Admin Is the Common Thread
Many endpoints still run with permanent local admin rights, often for convenience. That standing privilege is exactly what the technique reuses: it gives an attacker a ready, persistent path to load a vulnerable driver. Remove the standing privilege, and the precondition becomes much harder to meet.
How CapaOne Removes Standing Local Admin
CapaOne Privilege Manager removes standing local admin and replaces it with just-in-time, time-bound, scoped elevation. Users receive admin rights for a specific task or application, for a defined window, granted through existing Entra ID groups — and the elevation auto-revokes when the window ends, with full audit logging. Without a permanent local admin right to reuse, an attacker can’t simply load a vulnerable driver on demand, which reduces the attack surface that BYOVD depends on.
See Which Endpoints Still Carry Standing Local Admin
Before you can remove a privilege, you must find it. Security Monitor shows which endpoints still carry standing local admin rights, so IT teams see the exposure before an attacker does, and it surfaces configuration drift when a protection is changed or disabled. CapaOne is not an EDR: removing standing local admin is preventive hardening and access control — it reduces the attack surface and increases resilience against techniques like BYOVD, rather than detecting or responding to an attack in progress. It works as part of a defense-in-depth approach alongside controls such as Microsoft’s Vulnerable Driver Blocklist.
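As an added illustration of the inventory step described above (example code, not CapaOne's or Microsoft's own), the following PowerShell lists every principal with permanent membership in the local Administrators group on one endpoint, flags any that is not on a sanctioned list, and reports whether Microsoft's Vulnerable Driver Blocklist and HVCI are enforced. The `$ExpectedNames` entries are constructed placeholders; it assumes PowerShell 5.1 or later with the LocalAccounts module.

```powershell
# Added example: inventory standing local admin on one endpoint and report
# whether Microsoft's Vulnerable Driver Blocklist is enforced.
# Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Constructed sample of principals that are *expected* to hold membership.
# Replace with the groups your elevation process actually sanctions.
$ExpectedNames = @('CONTOSO\Workstation Admins', 'CONTOSO\Tier2-Helpdesk')

# Resolve Administrators by its well-known SID so the check also works on
# localized Windows builds where the group name differs.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

$findings = foreach ($m in Get-LocalGroupMember -Group $adminGroup) {
    $sid        = $m.SID.Value
    $isBuiltin  = $sid -match '-500$'              # built-in Administrator (RID 500)
    $isExpected = $ExpectedNames -contains $m.Name
    [pscustomobject]@{
        Endpoint      = $env:COMPUTERNAME
        Principal     = $m.Name
        Source        = $m.PrincipalSource         # Local, ActiveDirectory, AzureAD
        Class         = $m.ObjectClass             # User or Group
        StandingAdmin = -not ($isBuiltin -or $isExpected)
    }
}

# "Standing admin" here is any permanent member outside the sanctioned set:
# the precondition that lets a BYOVD tool load a signed, flawed driver at will.
$standing = @($findings | Where-Object StandingAdmin)
$findings | Format-Table -AutoSize

# Vulnerable Driver Blocklist toggle (HKLM\...\CI\Config\VulnerableDriverBlocklistEnable).
# A missing value means the OS default applies (on by default with HVCI on
# current Windows 11 builds); 0 means it was explicitly disabled.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

# HVCI (hypervisor-enforced code integrity) is service code 2 in SecurityServicesRunning.
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvci = $dg.SecurityServicesRunning -contains 2

'{0}: {1} standing local admin principal(s); VulnerableDriverBlocklistEnable={2}; HVCI running={3}' -f
    $env:COMPUTERNAME, $standing.Count, $blocklist, $hvci
```

Run it from an elevated session through your management tooling and collect the one-line summary per endpoint; any host with a non-zero standing count, or with the blocklist explicitly set to 0, is the exposure the section above describes.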
Least-Privilege as Part of One Platform
Privilege Manager and Security Monitor are part of one cloud-native platform with shared dashboards and exportable, audit-ready evidence for NIS2 and governance reviews. CapaOne works standalone, and it runs alongside Intune and your existing EDR — working with them, not replacing them.
What This Means for Security and Compliance
- Remove a standing privilege that BYOVD and many ransomware techniques rely on, shrinking the attack surface.
- Keep users productive with scoped, time-bound elevation that auto-revokes — no permanent local admin.
- Produce audit-ready elevation logs for NIS2 and governance requirements.
- See configuration drift across endpoints, so disabled or changed protections surface quickly.
An EDR is only as strong as your ability to keep it running. Removing standing local admin removes an easy, persistent path attackers use to switch it off — and CapaOne does so without slowing people down. Any ransomware-resilience review should treat standing local admin as a first-class exposure, not an afterthought. Book a demo of CapaOne Endpoint Management Platform to see policy-based elevation and configuration visibility in action — or start a free trial and explore it hands-on.
