Hackers Disable EDR Clients With A New Evasion Tool Dubbed AuKill
Researchers at Sophos report seeing attackers use an outdated but legitimately signed driver from the Microsoft Sysinternals Process Explorer utility (the driver shipped with v16.32) to disable EDR processes before dropping their ransomware on the target system, a "bring your own vulnerable driver" (BYOVD) technique.
Dubbed AuKill, the tool has to be launched with administrative privileges to begin with; it cannot obtain them on its own. It first checks whether it is already running as SYSTEM. If it is not, it makes sure the TrustedInstaller service is running (starting it if necessary), duplicates the token of TrustedInstaller.exe with the DuplicateTokenW Win32 API function, and passes that token to CreateProcessWithTokenW to relaunch itself, so that the new instance of the process runs as SYSTEM.
To kill active endpoint protection, AuKill starts several threads that work through a hard-coded list of security products. Services it finds are disabled by calling ChangeServiceConfigW with SERVICE_DISABLED as dwStartType, so they do not come back at the next boot, and the running processes are terminated through the Process Explorer driver, which executes in the kernel and can therefore end processes that a user-mode tool would be prevented from touching.
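As an added example (not code from the page, from Sophos, or from AuKill itself), here is a small Python correlation routine that looks for the three-stage sequence described above in endpoint telemetry: the TrustedInstaller-assisted relaunch as SYSTEM, the load of the outdated Process Explorer driver, and security services being set to disabled. The event schema, the sample events, the file and service names in them, the service names in PROTECTED_SERVICES and the 60-second correlation window are all assumptions made for the example; the fields are a simplified, normalised form, not the exact Sysmon or Windows Event Log field names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: service names treated as security products. Illustrative
# only; AuKill's real hard-coded target list is not reproduced here.
PROTECTED_SERVICES = {"windefend", "wdnissvc", "sense"}

# Process Explorer driver release that AuKill carries (from the Sophos report).
VULNERABLE_PROCEXP_VERSION = "16.32"

# Assumption: how long after TrustedInstaller starts a SYSTEM relaunch is tied to it.
RELAUNCH_WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    kind: str    # driver_load | service_state | service_config | process_create
    host: str
    data: dict


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_aukill(events):
    """Return one Finding per matching event, in time order."""
    findings = []
    ti_started = {}  # host -> last time TrustedInstaller entered the running state
    for ev in sorted(events, key=lambda e: e.ts):
        d = ev.data
        if ev.kind == "driver_load":
            # Stage: the outdated, signed Process Explorer driver is loaded.
            name = PureWindowsPath(d["image"]).name.lower()
            if name.startswith("procexp") and d.get("version") == VULNERABLE_PROCEXP_VERSION:
                findings.append(Finding(ev.host, "vulnerable_procexp_driver",
                                        f"{d['image']} v{d['version']} loaded"))
        elif ev.kind == "service_state":
            if d["service"].lower() == "trustedinstaller" and d["state"] == "running":
                ti_started[ev.host] = ev.ts
        elif ev.kind == "process_create":
            # Stage: shortly after TrustedInstaller starts, a non-SYSTEM process
            # spawns a copy of itself running as SYSTEM, which is the trace that
            # DuplicateTokenW + CreateProcessWithTokenW leaves behind.
            started = ti_started.get(ev.host)
            if (started is not None and ev.ts - started <= RELAUNCH_WINDOW
                    and d["creator_account"].upper() != "SYSTEM"
                    and d["new_account"].upper() == "SYSTEM"
                    and d["creator_image"].lower() == d["new_image"].lower()):
                findings.append(Finding(ev.host, "trustedinstaller_self_relaunch",
                                        f"{d['new_image']} relaunched as SYSTEM"))
        elif ev.kind == "service_config":
            # Stage: a security service's start type is set to disabled
            # (ChangeServiceConfigW with SERVICE_DISABLED; System log Event ID 7040).
            if d["start_type"] == "disabled" and d["service"].lower() in PROTECTED_SERVICES:
                findings.append(Finding(ev.host, "security_service_disabled",
                                        f"{d['service']} set to disabled"))
    return findings


def hosts_with_full_chain(findings):
    """Hosts where the driver load and at least one disabled security service both appear."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    needed = {"vulnerable_procexp_driver", "security_service_disabled"}
    return sorted(h for h, rules in rules_by_host.items() if needed <= rules)


# Constructed sample telemetry: ws01 shows the AuKill sequence; ws02 is an admin
# legitimately running a current Process Explorer and disabling the print spooler.
SAMPLE_EVENTS = [
    Event(_ts("2023-02-14 10:00:00"), "service_state", "ws01",
          {"service": "TrustedInstaller", "state": "running"}),
    Event(_ts("2023-02-14 10:00:02"), "process_create", "ws01",
          {"creator_image": r"C:\Users\admin\Downloads\update.exe", "creator_account": "admin",
           "new_image": r"C:\Users\admin\Downloads\update.exe", "new_account": "SYSTEM"}),
    Event(_ts("2023-02-14 10:00:05"), "driver_load", "ws01",
          {"image": r"C:\Windows\System32\drivers\PROCEXP.SYS", "version": "16.32",
           "signer": "Microsoft Corporation"}),
    Event(_ts("2023-02-14 10:00:06"), "service_config", "ws01",
          {"service": "WinDefend", "start_type": "disabled"}),
    Event(_ts("2023-02-14 10:00:06"), "service_config", "ws01",
          {"service": "Sense", "start_type": "disabled"}),
    Event(_ts("2023-02-14 10:03:00"), "driver_load", "ws02",
          {"image": r"C:\Windows\System32\drivers\PROCEXP152.SYS", "version": "17.02",
           "signer": "Microsoft Corporation"}),
    Event(_ts("2023-02-14 10:04:00"), "service_config", "ws02",
          {"service": "Spooler", "start_type": "disabled"}),
]

if __name__ == "__main__":
    found = detect_aukill(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("full chain on:", hosts_with_full_chain(found))
```

Running the file prints the findings for the constructed sample. On real data the driver-load rule is the highest-signal item on its own, since a Process Explorer driver of that exact release has no business loading on a production server, while the disabled-service rule fires on legitimate administration too and is best treated as corroboration for the other two stages.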
“The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target’s protection and deploy the ransomware: In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware,” the report said.
Roy Akerman, Co-Founder & CEO, Rezonate had this to say:
“An endpoint agent, which for the most part operates in the kernel space, is traditionally used for AV/NGAV solutions as well as that of more advanced EDR tools and is not tamper-proof. It is based in the root of a layered defense approach where additional controls must always be in place across the identity-network-endpoint triad.
“This is a technique we’ve seen quite often coming from sophisticated nation state adversaries, that either leverage a technique such as the one mentioned of WPE Processor exploitation, a targeted zero-day exploit, or even a supply chain risk as we’ve seen with the likes of SolarWinds earlier this year. Despite continuous investment trying to strengthen agent tampering, we keep on seeing new exploits in the wild and there will continue to be with Windows OS as the main target.”
This is a very good reminder to keep your Windows systems fully patched, with one caveat: the driver AuKill loads is a legitimately signed Microsoft driver, so patching alone does not stop this particular trick. What does are Microsoft's vulnerable driver blocklist, the tamper protection of your endpoint product, and keeping local administrator rights scarce, since AuKill needs them before it can do anything. While that won't stop every attack, it will stop a lot of them. And that's not a bad thing.
This entry was posted on April 21, 2023 at 8:44 am and is filed under Commentary with tags Sophos.