Security researchers have discovered a new tool that threat actors are using to disable endpoint detection and response (EDR) software. The tool, dubbed AuKill, is a Bring Your Own Vulnerable Driver (BYOVD) attack that abuses an outdated version of the driver used by the Microsoft utility Process Explorer. AuKill is designed to bypass a key Windows safeguard known as Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run. The AuKill tool requires administrative privileges to work, but the researchers noted that the threat actors using AuKill took advantage of existing privileges during the attacks, when they gained them through other means. The researchers said that the AuKill tool has been used since the start of 2023 to deploy various ransomware strains, such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date.
top of page
bottom of page