AuKill
AuKill is a Windows defense-evasion / EDR-killer malware tool that uses a BYOVD technique to disable endpoint security products prior to follow-on payload deployment. Sophos X-Ops reported that it abuses an outdated Microsoft-signed Process Explorer driver from Process Explorer version 16.32 to terminate or otherwise disable EDR processes. The tool drops the vulnerable driver as PROCEXP.SYS into C:\Windows\System32\drivers, drops a copy of itself into System32 or TEMP, and runs as a service. It requires administrative privileges and does not itself provide privilege escalation; if not already running as SYSTEM, it attempts to relaunch itself as SYSTEM by impersonating TrustedInstaller.exe after starting the Trusted Installer service and duplicating its token.

AuKill expects a command-line keyword with the first argument set to "startkey" and validates it via a simple arithmetic check against the hardcoded value 57502 (0xE09E). Once active, it continuously monitors for targeted security processes and services and repeatedly disables or terminates them to prevent restart; at least one variant can also unload targeted drivers via NtUnloadDriver and delete their registry service keys. Sophos reported that AuKill can terminate targeted processes by sending the IOCTL_CLOSE_HANDLE control code to the vulnerable Process Explorer driver.

Sophos identified six variants compiled between 2022-11-13 and 2023-02-11, with different target sets including Sophos components, ElasticSearch, Microsoft components, Splashtop remote access tools, and Aladdin HASP Software. The malware shows strong code and behavioral similarities to the open-source Backstab tool, which previously published the same Process Explorer driver abuse technique.
AuKill has been observed in multiple ransomware incidents, including use before Medusa Locker deployment in January and February 2023 and before LockBit deployment in February 2023; later reporting also states Medusa Locker and LockBit used it in attacks and that ransomware affiliates used it to shut down security products before deploying ransomware or backdoors. Sophos detects AuKill as ATK/BackStab-D. The abused driver procexp.sys / PROCEXP.SYS is widely documented as vulnerable and has been recommended for blocking by defenders.
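As an added defensive example (not code from the page's sources or from the Mallory product), the following Python detection logic runs over a few constructed Sysmon and System event log lines and flags the three behaviours described above: the PROCEXP.SYS driver load, a watched security service being set to disabled, and a driver's service registry key being deleted. Event field names follow Sysmon (ImageLoaded, EventType, TargetObject); the pipe-delimited line format, the service and driver names, and the sample lines themselves are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample telemetry (not real logs): "<source>|<event id>|<k=v;...>".
SAMPLE_EVENTS = [
    "Sysmon|6|ImageLoaded=C:\\Windows\\System32\\drivers\\PROCEXP.SYS;Signature=Microsoft Windows",
    "Sysmon|6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys;Signature=Microsoft Windows",
    "System|7040|Service=EdrAgentSvc;From=auto start;To=disabled",
    "System|7040|Service=Spooler;From=auto start;To=demand start",
    "Sysmon|12|EventType=DeleteKey;TargetObject=HKLM\\System\\CurrentControlSet\\Services\\EdrDrv",
]
WATCHED_SERVICES = {"EdrAgentSvc", "EdrDrv"}  # constructed placeholders for your own security services

Finding = namedtuple("Finding", "rule detail")

def parse_event(line):
    source, event_id, fields = line.split("|", 2)
    kv = dict(f.split("=", 1) for f in fields.split(";") if "=" in f)
    return source, int(event_id), kv

def check_driver_load(event_id, kv, watched):
    # Sysmon EID 6: AuKill drops the outdated Process Explorer driver as PROCEXP.SYS
    # under System32\drivers. It is Microsoft-signed, so match on file name, not signature.
    path = kv.get("ImageLoaded", "")
    if event_id == 6 and re.search(r"\\procexp\.sys$", path, re.IGNORECASE):
        return Finding("procexp-driver-load", path)

def check_service_disabled(event_id, kv, watched):
    # System EID 7040: AuKill calls ChangeServiceConfigW with SERVICE_DISABLED
    # on each targeted security service it finds.
    if (event_id == 7040 and kv.get("To", "").lower() == "disabled"
            and kv.get("Service") in watched):
        return Finding("security-service-disabled", kv["Service"])

def check_service_key_deleted(event_id, kv, watched):
    # Sysmon EID 12: after NtUnloadDriver, AuKill deletes the driver's key
    # under System\CurrentControlSet\Services\[DRIVER_NAME].
    m = re.search(r"\\CurrentControlSet\\Services\\([^\\]+)$",
                  kv.get("TargetObject", ""), re.IGNORECASE)
    if event_id == 12 and kv.get("EventType") == "DeleteKey" and m and m.group(1) in watched:
        return Finding("driver-service-key-deleted", m.group(1))

CHECKS = (check_driver_load, check_service_disabled, check_service_key_deleted)
def hunt(lines, watched=WATCHED_SERVICES):
    # Run every check over every event; findings come back in log order.
    findings = []
    for line in lines:
        _source, event_id, kv = parse_event(line)
        findings += [f for f in (c(event_id, kv, watched) for c in CHECKS) if f]
    return findings
```

The driver-load rule fires regardless of the watch list, since the file name alone is the signal; the other two rules are scoped to the services you list so that ordinary administrative changes to unrelated services do not alert.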
Groups observed using it
1 distinct threat actor attributed by public researchers.
Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
3 techniques
Description: Generated datasets for Windows AuKill Indicators - Registry in attack range. The following datasets were collected during this attack simulation: Snapattack, path /datasets/attack_techniques/T1112/snapattack/snaattack.log
For each service name in the list, AuKill checks if it exists, and if it does, disables it by calling ChangeServiceConfigW and passing SERVICE_DISABLED for dwStartType.
Privilege Escalation
4 techniques
BYOVD (Bring Your Own Vulnerable Driver) is a class of attack in which threat actors drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain kernel-level privileges.
Then it duplicates the token of TrustedInstaller.exe using the DuplicateTokenW WINAPI function, and passes the token to CreateProcessWithTokenW to elevate itself to SYSTEM once the process restarts.
For each service name in the list, AuKill checks if it exists, and if it does, disables it by calling ChangeServiceConfigW and passing SERVICE_DISABLED for dwStartType.
Stealth
4 techniques
“This tool has been found in the wild as a packed payload… analysis of the associated private packer… ‘PackXOR’… The aim of packing is to hinder the work of malware analysts and antivirus/EDR software, by concealing payloads and delaying their detection.”
First, they tried to load the Zemana Anti-Logger driver, masquerading as updatedrv.sys, from different locations.
For each driver name, AuKill tries to unload it by calling NtUnloadDriver and deleting the corresponding registry key in the hive System\CurrentControlSet\Services\[DRIVER_NAME].
Defense Impairment
2 techniques
Weaponizes a vulnerable signed driver ... abuses the Process Explorer (ProcExp) driver (Microsoft-signed)
Impact
1 technique
If a process name is included in the list, AuKill sends IO control code IOCTL_CLOSE_HANDLE to procexp.sys to close the process handle. This results in terminating the targeted process.
Other
2 techniques
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Malware referenced as abusing the Process Explorer driver to kill or bypass EDR protections.
EDR killer malware that abuses the legitimate Process Explorer driver to stop EDR and security products. It is used to disable defenses before ransomware deployment.
BYOVD-associated defense-evasion tool referenced as commonly used by ransomware groups to disable security products prior to encryption.
Standalone defense-evasion tool used to terminate/disable endpoint security (EDR/AV) processes to facilitate follow-on payload deployment (including ransomware).