EDR Killers Need Local Admin. Remove the Opening.

BYOVD attacks turn a signed driver into a way to shut off your EDR. The technique needs one privilege most endpoints still hand out — standing local admin — and that's the part you can remove.

Ransomware operators increasingly switch off endpoint defenses before they encrypt anything. The most common method, Bring Your Own Vulnerable Driver (BYOVD), loads a legitimately signed but flawed driver to reach the Windows kernel and shut down monitoring agents. It is a post-compromise technique with one hard requirement: the attacker must already hold local admin rights on the endpoint. Standing local admin is the privilege that makes it work.

Why ‘Bring Your Own Vulnerable Driver’ Works

The pattern is now standard in attack playbooks. After initial access — through phishing, a compromised account, or an initial access broker — the attacker uses local admin rights to load a signed but flawed driver and reach the Windows kernel. From there, they remove security callbacks and terminate monitoring processes, then deploy ransomware against an endpoint that can no longer defend itself. Security researchers have catalogued dozens of EDR-killer tools that abuse signed but vulnerable drivers in exactly this way. One documented example, AuKill, abused a legitimately signed Microsoft driver to shut down protection before attackers deployed ransomware such as Medusa Locker and LockBit.

Why Windows Trusts a Vulnerable Driver

Windows loads a kernel driver only if it carries a valid digital signature. A vulnerable driver can still be legitimately signed, so the system accepts it without objection — and once it runs in the kernel, it sits beneath the security tools that watch user space. That is what makes a signed but flawed driver such an effective way to disable an EDR from the inside.

Standing Local Admin Is the Common Thread

Many endpoints still run with permanent local admin rights, often for convenience. That standing privilege is exactly what the technique reuses: it gives an attacker a ready, persistent path to load a vulnerable driver. Remove the standing privilege, and the precondition becomes much harder to meet.

How CapaOne Removes Standing Local Admin

CapaOne Privilege Manager removes standing local admin and replaces it with just-in-time, time-bound, scoped elevation. Users receive admin rights for a specific task or application, for a defined window, granted through existing Entra ID groups — and the elevation auto-revokes when the window ends, with full audit logging. Without a permanent local admin right to reuse, an attacker can’t simply load a vulnerable driver on demand, which reduces the attack surface that BYOVD depends on.

See Which Endpoints Still Carry Standing Local Admin

Before you can remove a privilege, you must find it. Security Monitor shows which endpoints still carry standing local admin rights, so IT teams see the exposure before an attacker does, and it surfaces configuration drift when a protection is changed or disabled. CapaOne is not an EDR: removing standing local admin is preventive hardening and access control — it reduces the attack surface and increases resilience against techniques like BYOVD, rather than detecting or responding to an attack in progress. It works as part of a defense-in-depth approach alongside controls such as Microsoft’s Vulnerable Driver Blocklist.

Least-Privilege as Part of One Platform

Privilege Manager and Security Monitor are part of one cloud-native platform with shared dashboards and exportable, audit-ready evidence for NIS2 and governance reviews. CapaOne works standalone, and it runs alongside Intune and your existing EDR — working with them, not replacing them.

What This Means for Security and Compliance

  • Remove a standing privilege that BYOVD and many ransomware techniques rely on, shrinking the attack surface.
  • Keep users productive with scoped, time-bound elevation that auto-revokes — no permanent local admin.
  • Produce audit-ready elevation logs for NIS2 and governance requirements.
  • See configuration drift across endpoints, so disabled or changed protections surface quickly.

An EDR is only as strong as your ability to keep it running. Removing standing local admin removes an easy, persistent path attackers use to switch it off — and CapaOne does so without slowing people down. Any ransomware-resilience review should treat standing local admin as a first-class exposure, not an afterthought. Book a demo of CapaOne Endpoint Management Platform to see policy-based elevation and configuration visibility in action — or start a free trial and explore it hands-on.

Frequently Asked Questions

What Is a BYOVD Attack?

Bring Your Own Vulnerable Driver is a post-compromise technique in which an attacker loads a legitimately signed but vulnerable driver to gain kernel-level access and disable security tools. It requires local admin rights to work.

Does Removing Local Admin Stop Ransomware?

Removing standing local admin removes a privilege that BYOVD and many ransomware techniques rely on, significantly raising the bar. It works best as part of a defense-in-depth approach.

How Does Just-in-Time Elevation Keep Users Productive?

Users receive scoped, time-bound admin rights for a specific task through existing Entra ID groups, and those rights auto-revoke on expiry, so work continues without a standing local admin.

Is CapaOne an EDR?

No. Removing standing local admin is preventive hardening and access control, not a detection or response function. CapaOne reduces the attack surface and works alongside your EDR rather than replacing it.

How Can Organizations Defend Against BYOVD Attacks?

Remove standing local admin rights, so attackers can't load a vulnerable driver on demand; keep the OS and drivers patched; enable Microsoft's Vulnerable Driver Blocklist; and monitor endpoints for configuration drift. BYOVD defense works best in layers.
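As an added example (not CapaOne's or Microsoft's own code), the following PowerShell audits one endpoint for the two items in the list above that can be checked locally: standing members of the local Administrators group and the documented registry switch for Microsoft's Vulnerable Driver Blocklist. It assumes it runs elevated and uses a hypothetical allowlist of management principals (`$AllowedAdmins`) that you adapt to your environment.

```powershell
# Added example, not CapaOne code: audit one endpoint for the two BYOVD preconditions
# the article discusses - standing membership in the local Administrators group and
# the state of Microsoft's Vulnerable Driver Blocklist. Run from an elevated shell.

# Assumed allowlist: principals whose standing admin membership is expected here.
$AllowedAdmins = @('Domain Admins')

function Get-StandingLocalAdmins {
    param([string[]]$Allowlist = $AllowedAdmins)
    # Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts) lists current members.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        $shortName = ($m.Name -split '\\')[-1]
        # Skip the built-in Administrator account (RID 500) and allowlisted groups;
        # everything left is a standing local admin worth reviewing.
        if ($m.SID.Value -like '*-500') { continue }
        if ($Allowlist -contains $shortName) { continue }
        [pscustomobject]@{
            Principal = $m.Name
            Type      = $m.ObjectClass        # User or Group
            Source    = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

function Get-VulnerableDriverBlocklistState {
    # Documented registry switch for the Microsoft Vulnerable Driver Blocklist.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $name = 'VulnerableDriverBlocklistEnable'
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { return 'NotConfigured' }  # effective default varies by build/HVCI
    if ($value -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

# One record per endpoint; collect these centrally to see exposure across the fleet.
$report = [pscustomobject]@{
    Hostname        = $env:COMPUTERNAME
    StandingAdmins  = @(Get-StandingLocalAdmins)
    DriverBlocklist = Get-VulnerableDriverBlocklistState
}
$report | Format-List
$report.StandingAdmins | Format-Table -AutoSize
```

A non-empty StandingAdmins list or a DriverBlocklist value other than Enabled is the exposure the article describes; treat a value that changes between runs as configuration drift.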

Written by

Rikke Borup

CMO, CapaSystems

Rikke is Chief Marketing Officer at CapaSystems, where she has led marketing and communications since 2009. With more than 17 years of experience in the IT sector — including cybersecurity, endpoint management software and IT services — she brings long-standing, practical insight into the challenges facing modern enterprise IT environments.

Trained as a journalist, Rikke specializes in translating complex technical concepts into clear, easy-to-understand communications for IT decision-makers.