- #PROCESS EXPLORER DRIVERS#
- #PROCESS EXPLORER DRIVER#
- #PROCESS EXPLORER SOFTWARE#
- #PROCESS EXPLORER CODE#
#PROCESS EXPLORER DRIVERS#
Both drivers can be present on a machine that has a copy of Process Explorer running.
#PROCESS EXPLORER DRIVER#
The legitimate Process Explorer driver is named PROCEXP152.sys, and normally is found in the same location. The Process Explorer driver, part of their suite of administration tools produced by the Sysinternals team, implements a variety of features to interact with running processes.ĪuKill drops a driver named PROCEXP.SYS (from the release version 16.32 of process Explorer) into the C:\Windows\System32\drivers path. In this case, the attackers took advantage of a driver both created by and signed by Microsoft.
#PROCESS EXPLORER SOFTWARE#
To get around this security measure, adversaries need to either contrive a way to get a malicious driver signed by a trusted certificate (like we discussed in our December research), or (as is more common) abuse a legitimate commercial software driver to reach their goal, in a BYOVD attack. This signature serves as a sign of trust to verify the identity of the software and to protect a user’s system.
#PROCESS EXPLORER CODE#
As a security mechanism, Windows by default employs a feature called Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before Windows will permit them to run. Drivers are low-level system components that can access critical security structures in kernel memory. Threat actors increasingly have been relying on abusable drivers to disable security tools. Sophos believes the author of AuKill used multiple code snippets from, and built their malware around, the core technique introduced by Backstab. AuKill entries (highlighted) in the list of Windows Services Some of these similarities include similar, characteristic debug strings, and nearly identical code flow logic to interact with the driver. We have found multiple similarities between the open-source tool Backstab and AuKill. Through analysis and threat hunting, Sophos has collected six different variants of the AuKill malware. Three months later, Sentinel One published a report about a tool they called MalVirt, which uses the same Process Explorer driver to disable security products before deploying the final payload on the target machine.
Last November, for example, Sophos X-Ops reported that a threat actor working for the LockBit ransomware group used Backstab to disable EDR processes on an infected machine. In fact, Sophos and other security vendors have previously reported on multiple incidents where either Backstab, or a version of this driver, was used for malicious purposes. The method of abusing the Process Explorer driver to bypass EDR systems isn’t new it was implemented in the open-source tool Backstab, first published in June 2021. This technique is commonly referred to as a “bring your own vulnerable driver” (BYOVD) attack. In contrast, the AuKill tool abused a legitimate, but out-of-date and exploitable, driver. In December 2022, Sophos, Microsoft, Mandiant, and SentinelOne reported that a number of attackers had used custom-built drivers to disable EDR products. This is not the first time we and other vendors reported on multiple threat groups simultaneously deploying software designed to kill EDR agents that protect computers.
The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target’s protection and deploy the ransomware: In January and February, attackers deployed Medusa Locker ransomware after using the tool in February, an attacker used AuKill just prior to deploying Lockbit ransomware. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system. Over the past several months, Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill.
0 kommentar(er)
