AuKill is a defense-evasion tool that abuses an outdated, Microsoft-signed Process Explorer driver to disable EDR protections ahead of ransomware deployment; Sophos has observed six variants and its use in ransomware incidents since the start of 2023. The technique is BYOVD (bring-your-own-vulnerable-driver): AuKill builds on the earlier tool Backstab and has been linked to ransomware operations including Medusa Locker and LockBit. #AuKill #Backstab #MedusaLocker #LockBit
Keypoints
- AuKill uses an out-of-date Process Explorer driver (PROCEXP.SYS) to disable EDR processes before delivering ransomware.
- There are six observed AuKill variants (V1–V6), with V6 labeled as a debug/experimental version.
- The tool exemplifies a BYOVD attack: the driver is legitimate and carries a valid Microsoft signature, so it loads without complaint; the abuse lies in the privileged IOCTL interface the outdated driver exposes to any local administrator.
- AuKill’s lineage traces back to Backstab, sharing similar debug strings and code flow for driver interaction.
- Phase 1 installs a service and requires administrator privileges plus a password argument (startkey) to run.
- Phase 2 drops the driver to System32\drivers, then loops over several techniques to keep security tools down: terminating their processes through the driver, disabling their services, and unloading their kernel drivers.
- Sophos notes ongoing driver-based defense evasion trends and provides detection guidance and mitigation steps.
MITRE Techniques
- [T1543.003] Windows Service – AuKill installs itself as a service and starts it, enabling persistence and execution. “The AuKill installer also drops an executable copy of itself to either the System32 or the TEMP directory, which it runs as a service.”
- [T1134.001] Access Token Manipulation – Elevation to SYSTEM by impersonating the security context of TrustedInstaller.exe and using token duplication. “It duplicates the token of TrustedInstaller.exe using the DuplicateTokenW … to elevate itself to SYSTEM.”
- [T1562.001] Impair Defenses – TerminateViaProcexp – uses IOCTL_CLOSE_HANDLE to make procexp.sys close handles belonging to the target process from kernel mode, killing security processes that an administrator could not terminate from user mode. “AuKill sends IO control code IOCTL_CLOSE_HANDLE to procexp.sys to close the process handle.”
- [T1562.001] Impair Defenses – DisableServices – disables security-related services by calling ChangeServiceConfigW with SERVICE_DISABLED.
- [T1562.001] Impair Defenses – UnloadDriver – unloads drivers (e.g., NtUnloadDriver) and deletes related registry keys to remove driver components.
Indicators of Compromise
- [File Hash] f7b0369169dff3f10e974b9a10ec15f7a81dec54, 23b531ae8ca72420c5b21b1a68ff85524f36203a and 4 more hashes – compiled AuKill variants observed with timestamps and targeted vendors.
- [File Hash] 7f93f934b570c8168940715b1d9836721021fd41, ff11360f6ad22ba2629489ac286b6fdf4190846e – additional AuKill samples linked to versions V3–V4.
- [File name] PROCEXP.SYS – the dropped driver used to interact with kernel processes, placed in System32\drivers.
- [File name] WindowsKernelExplorer.sys – fallback driver referenced as a potential alternative in the debug version.
- [File path] C:\Windows\System32\drivers\PROCEXP.SYS – location where the malicious driver is dropped.
- [Command-line argument] startkey – required first argument to run the tool, used as a password/keyword check.
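The two phases above (service install with the startkey argument, then the PROCEXP.SYS driver load) and the indicators listed here translate directly into host-telemetry rules. The following is an added example, not code from Sophos or the page: a small triage pass over Sysmon-style process-create (EventID 1) and driver-load (EventID 6) records plus System-log service-install records (EventID 7045). The event records, the "aukill.exe" paths and the service name are constructed for illustration; the four SHA-1 values are the sample hashes listed in the IOC section. The driver-name rule is a heuristic: genuine Process Explorer use also loads a procexp driver, so treat that hit as a lead to correlate with the other rules rather than a verdict.

```python
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# SHA-1 hashes of AuKill samples taken from the page's IOC list (not the full Sophos set).
AUKILL_SHA1 = {
    "f7b0369169dff3f10e974b9a10ec15f7a81dec54",
    "23b531ae8ca72420c5b21b1a68ff85524f36203a",
    "7f93f934b570c8168940715b1d9836721021fd41",
    "ff11360f6ad22ba2629489ac286b6fdf4190846e",
}
# Driver file names named in the page: the dropped driver and the debug-build fallback.
DRIVER_NAMES = {"procexp.sys", "windowskernelexplorer.sys"}


def sha1_from_hashes(field: str) -> Optional[str]:
    """Pull the SHA1 value out of a Sysmon 'Hashes' field such as 'MD5=..,SHA1=..'."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA1":
            return value.strip().lower()
    return None


def first_argument(cmdline: str) -> Optional[str]:
    """Return the first argument after the executable, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return None
        rest = s[end + 1:]
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    args = rest.split()
    return args[0] if args else None


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) pairs for records matching AuKill behaviour."""
    findings: List[Tuple[int, str]] = []
    flagged_images = set()  # images already tied to AuKill, for correlating 7045 records
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            if sha1_from_hashes(ev.get("Hashes", "")) in AUKILL_SHA1:
                findings.append((idx, "known_aukill_hash"))
                flagged_images.add(ev.get("Image", "").lower())
            arg = first_argument(ev.get("CommandLine", ""))
            if arg is not None and arg.lower() == "startkey":  # phase-1 password argument
                findings.append((idx, "startkey_argument"))
                flagged_images.add(ev.get("Image", "").lower())
        elif eid == 6:  # driver load: PROCEXP.SYS from System32\drivers (heuristic, see lead-in)
            path = PureWindowsPath(ev.get("ImageLoaded", ""))
            in_drivers_dir = str(path.parent).lower().endswith("\\system32\\drivers")
            if path.name.lower() in DRIVER_NAMES and in_drivers_dir:
                findings.append((idx, "procexp_driver_load"))
        elif eid == 7045:  # service installed; AuKill copies itself to System32 or TEMP
            image = ev.get("ImagePath", "").strip('"').lower()
            if image in flagged_images or "\\temp\\" in image:
                findings.append((idx, "suspicious_service_install"))
    return findings


# Constructed sample telemetry: one benign record followed by the two AuKill phases.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "Hashes": "SHA1=0000000000000000000000000000000000000001"},
    {"EventID": 1, "Image": r"C:\Users\admin\Downloads\aukill.exe",
     "CommandLine": r'"C:\Users\admin\Downloads\aukill.exe" startkey',
     "Hashes": "SHA1=f7b0369169dff3f10e974b9a10ec15f7a81dec54"},
    {"EventID": 7045, "ServiceName": "aukill",
     "ImagePath": r"C:\Windows\Temp\aukill.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP.SYS",
     "Hashes": "SHA1=0000000000000000000000000000000000000002"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The hash rule is the only one that is an exact indicator; the other three are behavioural and each is noisy on its own (administrators run Process Explorer, and installers do start services from TEMP). Their value is in sequence: a process launched with `startkey` as its first argument, a service registered from TEMP or System32 shortly afterwards, and then a driver named PROCEXP.SYS loading from System32\drivers is the Phase 1 to Phase 2 chain the page describes, and that combination on one host within a short window is worth an immediate response.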
Read more: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/