T1068 - Vulnerable Driver Write Response Playbook
Incident response playbook for handling BYOVD alerts involving vulnerable kernel drivers like gdrv.sys, covering identification, containment, remediation, and recovery.
Steps
- Trigger:
  - Alert: “Vulnerable Driver Write”
  - Detection from EDR platform
- Identify:
  - Check if driver is gdrv.sys or another known vulnerable kernel module.
  - Validate SHA256 hash and signature status (revoked/unsigned).
- Containment:
  - Verify if driver was quarantined automatically.
  - If present, isolate host and block file in EDR console.
  - Stop and remove Gigabyte utilities if found.
- Remediation:
  - Delete driver file from system (C:\Windows\System32\drivers\gdrv.sys).
  - Apply Microsoft’s kernel blocklist and restart endpoint.
  - Confirm EDR and AV definitions are updated.
- Recovery:
  - Validate that driver service is not re-registered.
  - Reboot system to reload clean kernel state.
- Client Guidance:
  - No further action needed if EDR quarantined successfully.
  - Do not reinstall legacy Gigabyte software using outdated drivers.
  - Keep OS and EDR driver blocklists current.
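The Identify, Remediation and Recovery steps above can be carried out and verified from a single elevated PowerShell session on the affected host. The script below is an added example written for this playbook; it is not part of the original page and not an EDR vendor's tooling. It assumes it runs as Administrator, that the known-bad SHA256 placeholder is replaced with the value from your threat-intel source (the page does not list one), and that the Microsoft vulnerable driver blocklist is toggled through the documented `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`. Services are located by searching every service's ImagePath for the driver file name rather than by an assumed service name, which also catches re-registration under a different name during Recovery. Without `-Remediate` it only reports, so it can be run first as the Identify step and again after remediation and reboot as the Recovery check.

```powershell
# Added example for the T1068 / BYOVD playbook (not the page's own tooling).
# Run elevated. Reports findings by default; -Remediate performs the cleanup steps.
param(
    [string]$DriverPath     = 'C:\Windows\System32\drivers\gdrv.sys',
    # Placeholder: replace with the SHA256 published for the vulnerable build.
    [string]$KnownBadSha256 = '<KNOWN_BAD_SHA256_FROM_THREAT_INTEL>',
    [switch]$Remediate
)

$findings = [ordered]@{}
$leaf     = [IO.Path]::GetFileName($DriverPath)          # e.g. gdrv.sys

# --- Identify: is the file there, what is its hash, is the signature still good? ---
if (Test-Path -LiteralPath $DriverPath) {
    $hash = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $findings.DriverPresent    = $true
    $findings.Sha256           = $hash
    $findings.HashMatchesIoc   = ($hash -ieq $KnownBadSha256)
    # Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) is a red flag;
    # a revoked signing certificate surfaces as a non-Valid status, see StatusMessage.
    $findings.SignatureStatus  = $sig.Status
    $findings.SignatureMessage = $sig.StatusMessage
    $findings.Signer           = $sig.SignerCertificate.Subject
} else {
    $findings.DriverPresent = $false        # EDR may already have quarantined it
}

# Every kernel/service registration whose ImagePath points at this driver file.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -like "*$leaf*") { $_.PSChildName }
    }
$findings.RegisteredServices = @($services)

# Is the driver loaded in the kernel right now? (State=Running in Win32_SystemDriver)
$loaded = Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -like "*$leaf*" -and $_.State -eq 'Running' }
$findings.CurrentlyLoaded = [bool]$loaded

# Vendor utilities that bundle the driver. Heuristic on display name (assumption:
# the page names no package), reported for manual removal rather than auto-uninstalled.
$findings.GigabyteServices = @(Get-Service |
    Where-Object { $_.DisplayName -like '*Gigabyte*' } |
    Select-Object -ExpandProperty Name)

# Microsoft vulnerable driver blocklist (Core Isolation) state.
$ciKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$ciConfig = Get-ItemProperty -LiteralPath $ciKey -ErrorAction SilentlyContinue
$findings.BlocklistEnabled = ($ciConfig.VulnerableDriverBlocklistEnable -eq 1)

# --- Remediation: only when explicitly requested ---
if ($Remediate) {
    # sc.exe handles kernel driver services, which Stop-Service/Remove-Service do not.
    foreach ($svc in $findings.RegisteredServices) {
        sc.exe stop   $svc | Out-Null
        sc.exe delete $svc | Out-Null
    }
    if ($findings.DriverPresent) {
        # Fails while the driver is still loaded; the reboot below clears that.
        Remove-Item -LiteralPath $DriverPath -Force -ErrorAction Continue
    }
    if (-not $findings.BlocklistEnabled) {
        Set-ItemProperty -LiteralPath $ciKey -Name VulnerableDriverBlocklistEnable `
            -Value 1 -Type DWord
    }
    $findings.RebootRequired = $true   # unload from kernel and apply the blocklist
}

[pscustomobject]$findings
```

On the Recovery pass after reboot, the expected result is `DriverPresent`, `CurrentlyLoaded` and `HashMatchesIoc` all `False`, `RegisteredServices` empty and `BlocklistEnabled` `True`; any registered service reappearing points to a persistence mechanism that the Containment step (host isolation, EDR block) has not yet removed.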