T1068 - gdrv.sys - Removal and Blocklist Validation
Remediation checklist for removing the vulnerable gdrv.sys driver, validating EDR quarantine, and enforcing the Microsoft kernel-mode driver blocklist.
Tasks
- Confirm EDR quarantine success:
  EDR Quarantine Action: SUCCESS
- Manually check file paths:
  dir C:\Windows\System32\drivers\gdrv.sys /a
- Delete residual files (if any):
  del "C:\Windows\System32\drivers\gdrv.sys" /f
- Ensure kernel-mode blocklist is enforced:
  reg query HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy /v KernelDriverBlockListEnabled
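The checks above rolled into one post-remediation validation script, added here as an example rather than part of the original checklist. It uses the driver path and the CI\Policy value named in the tasks, additionally matches kernel services by image path (so it does not assume the service name), and also reads the Microsoft-documented VulnerableDriverBlocklistEnable value under CI\Config.

```powershell
# Added validation script (not part of the original checklist).
# Assumes the driver path and registry value from the checklist;
# the service name is unknown, so services are matched by image path.
$DriverPath = 'C:\Windows\System32\drivers\gdrv.sys'
$Findings   = @()

# 1. Residual file on disk (Test-Path sees hidden/system files too)
if (Test-Path -LiteralPath $DriverPath) {
    $Sig = Get-AuthenticodeSignature -FilePath $DriverPath
    $Findings += "File still present: $DriverPath (signer: $($Sig.SignerCertificate.Subject))"
}

# 2. A kernel service still registered or running that points at gdrv.sys.
#    Deleting the file alone leaves such a service entry behind.
$Drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like '*gdrv.sys*' }
foreach ($d in $Drivers) {
    $Findings += "Kernel service '$($d.Name)' references gdrv.sys (state: $($d.State), start: $($d.StartMode))"
}

# 3a. Blocklist flag named in the checklist
$PolicyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$Policy = (Get-ItemProperty -Path $PolicyPath -Name KernelDriverBlockListEnabled -ErrorAction SilentlyContinue).KernelDriverBlockListEnabled
if ($Policy -ne 1) {
    $Findings += "KernelDriverBlockListEnabled is '$Policy' under $PolicyPath (expected 1)"
}

# 3b. Microsoft-documented vulnerable driver blocklist setting (DWORD 1 = enabled)
$ConfigPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$Config = (Get-ItemProperty -Path $ConfigPath -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($Config -ne 1) {
    $Findings += "VulnerableDriverBlocklistEnable is '$Config' under $ConfigPath (expected 1)"
}

# Report: a host passes only when every check is clean
if ($Findings.Count -eq 0) {
    Write-Output 'PASS: gdrv.sys absent, no kernel service references it, blocklist enforced.'
} else {
    Write-Output 'FAIL:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

If a kernel service still references the file, disable that service and reboot before re-running the del step, since the file cannot be removed while the driver is loaded.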