AuKill EDR killer malware abuses Process Explorer driver

April 20, 2023

Drivers are low-level system components that run in kernel mode and mediate between hardware, the kernel, and user-mode software. Because a loaded driver has the same access to critical system structures as the kernel itself, it can undermine every user-mode security control, which is why the operating system cares about which drivers it loads.

Windows Driver Signature Enforcement

Windows enforces Driver Signature Enforcement (DSE) as a key security mechanism: on 64-bit systems a kernel-mode driver must carry a valid digital signature from a trusted code-signing authority before it is loaded. The signature provides:

  • Attribution: it ties the driver to an identified publisher and detects tampering with the file.
  • A gate on what reaches the kernel: unsigned or invalidly signed drivers are refused.

What a signature does not provide is any assurance that the signed driver's functionality is safe to expose to an attacker who already holds administrator rights.

How Attackers Circumvent Driver Signature Enforcement

Despite its effectiveness, attackers rarely break Driver Signature Enforcement; they satisfy it instead, by:

  1. Bringing their own legitimately signed driver whose features can be abused (often called BYOVD, bring your own vulnerable driver), so the signature check passes and the attacker only has to drive the driver's existing functionality.
  2. Signing malicious drivers with stolen or leaked code-signing certificates that Windows still trusts.

A notable example of the first approach is the Process Explorer driver, created and signed by Microsoft's Sysinternals team.

AuKill: Exploiting the Process Explorer Driver

The AuKill malware loads the Process Explorer driver and uses its handle-closing capability to kill EDR processes that an administrator could not otherwise terminate. Key details include:

Malware Behavior and File Locations

  • Dropped driver: a copy of PROCEXP.SYS taken from Process Explorer version 16.32, carried in AuKill's own resources.
  • Legitimate driver: the driver a running copy of Process Explorer installs is named PROCEXP152.sys, so the PROCEXP.SYS file name is itself a useful indicator.
  • File paths:
    • Dropped driver: C:\Windows\System32\drivers.
    • Installer (a copy of AuKill itself): the System32 or TEMP directory.

Disabling Protected Processes

Protected processes, such as endpoint security clients running as Protected Process Light (PPL), cannot be opened with terminate or write rights even by an administrator, which is why attackers who want to blind an EDR target that protection rather than the agent's user-mode code.

Steps to Disable Protected Processes

  1. Privilege escalation: loading a driver requires administrator rights (SeLoadDriverPrivilege), so the attacker first obtains them and then loads the signed Process Explorer driver into kernel mode.
  2. IOCTL_CLOSE_HANDLE: the driver exposes an IOCTL that closes a handle belonging to another process. AuKill issues it against the handles held by the protected EDR process, which cannot survive the loss of its handles and dies.
  3. Why the protections do not help:
    • Protected antimalware services (introduced in Windows 8.1) stop user-mode callers, even administrators, from terminating the EDR process, but that check is applied to the user-mode handle request, not to actions a kernel driver takes on the attacker's behalf.
    • The driver is legitimately signed, so the safeguards that would block an unsigned or known-malicious driver are never triggered.

Administrative Privileges and Execution Requirements

AuKill’s functionality depends on attackers meeting specific conditions:

  1. Administrator privileges:
    • AuKill contains no exploit for gaining administrator rights; the attacker must already hold them by other means.
    • The malware checks for administrator rights before doing anything else.
  2. Keyword requirement:
    • Requires a keyword (startkey) on the command line to execute, which keeps the sample inert when it is run without the argument, for example in an automated sandbox.
    • Validates the keyword with a simple arithmetic check rather than comparing it to a stored string.

Keyword Validation Process

  • Converts each character of the keyword to its ASCII value.
  • Accumulates them into a running value that is doubled at each step and summed with the next character's value.
  • Compares the final sum to a hardcoded constant, 57502 (0xE09E).

Because the comparison is against a checksum rather than the keyword itself, any string that produces the same sum is accepted.
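The check above, modelled in Python as an added example (this is not AuKill's code and not code from the original analysis). The exact accumulation order is an interpretation of the description: starting from zero, each character's ASCII value is added to the running total and the total is then doubled, and the result is compared with 0xE09E. Under that reading the literal word `startkey` checksums to exactly 0xE09E, which is why this reading was chosen. The function names `startkey_checksum`, `startkey_valid` and `forge_startkey` are this example's own; the constant is the one given on the page.

```python
"""Model of AuKill's startkey check (added illustration, not AuKill's code).

Reading of the page's description (assumption): starting from 0, for each
character add its ASCII value to the running total and double the total, then
compare the result with the hard-coded 0xE09E. Function names are this
example's own.
"""
import string

TARGET = 0xE09E  # 57502, the constant the malware compares against


def startkey_checksum(key: str) -> int:
    """Shift-and-add checksum: total = (total + ord(ch)) * 2 for every character."""
    total = 0
    for ch in key:
        total = (total + ord(ch)) * 2
    return total


def startkey_valid(key: str) -> bool:
    """True when the keyword would unlock the sample under this reading."""
    return startkey_checksum(key) == TARGET


def forge_startkey(target: int = TARGET, length: int = 8,
                   alphabet: str = string.ascii_lowercase + string.digits):
    """Find a keyword of `length` characters from `alphabet` whose checksum is `target`.

    The checksum is a weighted sum: the character at 0-based position i contributes
    ord(ch) * 2 ** (length - i). Search position by position, pruning any prefix
    that the remaining positions (whose weights sum to weight - 2) could not
    complete exactly. Returns None when no such keyword exists.
    """
    codes = sorted(ord(c) for c in alphabet)
    lo, hi = codes[0], codes[-1]

    def search(pos: int, remaining: int):
        if pos == length:
            return "" if remaining == 0 else None
        weight = 1 << (length - pos)
        rest = weight - 2  # total weight of positions pos+1 .. length-1
        for code in codes:
            left = remaining - code * weight
            if left < lo * rest or left > hi * rest:
                continue  # no completion of this prefix can reach `target`
            tail = search(pos + 1, left)
            if tail is not None:
                return chr(code) + tail
        return None

    return search(0, target)


if __name__ == "__main__":
    print(hex(startkey_checksum("startkey")))
    alias = forge_startkey()
    print(alias, startkey_valid(alias))
```

`forge_startkey()` returns an eight-character lowercase string that is not `startkey` but passes `startkey_valid`, which is the practical point for an analyst: the gate is a checksum, so a detonation harness does not need the original keyword, only any string with the same sum.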

Elevating Privileges Using TrustedInstaller

If it is not already running as SYSTEM, AuKill elevates itself by borrowing the token of TrustedInstaller.exe, the Windows Modules Installer service process, which runs as SYSTEM:

  1. Starts the TrustedInstaller service so that TrustedInstaller.exe is running.
  2. Opens the TrustedInstaller.exe process token and duplicates it as a primary token (DuplicateTokenEx; there is no DuplicateTokenW in the Win32 API).
  3. Launches a new copy of itself under that token with CreateProcessWithTokenW.

Establishing Persistence and Disabling EDR Clients

To survive reboots and keep the EDR down, AuKill:

  1. Creates a service entry:
    • Copies itself to C:\Windows\System32.
    • Installs that copy as a service and starts it.
  2. Disables endpoint detection and response (EDR) agents:
    • Drops procexp.sys to disk and loads it.
    • Prevents EDR processes and services from coming back by starting several threads, each responsible for a different component, that continuously probe for that component and disable it again whenever it reappears.

Fallback Mechanism: WindowsKernelExplorer.sys

In some versions, AuKill attempts to load a fallback driver, WindowsKernelExplorer.sys, if it fails to drop and load procexp.sys. However:

  • The fallback driver is not embedded in AuKill's resources.
  • AuKill expects it to already be present in the System32\drivers folder, so the fallback only works on hosts where the attacker staged that driver in advance.
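The on-disk and service indicators from the sections above (the PROCEXP.SYS drop into System32\drivers, the self-copy into System32 followed by a service installation, and the WindowsKernelExplorer.sys fallback) can be matched against host telemetry. The matcher below is an added example, not AuKill code and not part of the original analysis. Its event schema (dictionaries with an `event` kind and `path`, `process`, `image_path` and `service` fields), the sample events, and the names `svchost32.exe` and `WinHealthSvc` are constructed for the illustration; map the fields onto your own Sysmon or EDR schema.

```python
"""Host-telemetry matcher for the AuKill indicators described on this page.

Added example, not AuKill code and not from the original analysis. The event
schema and SAMPLE_EVENTS are constructed for the illustration.
"""
import ntpath

# File names the page ties to AuKill. PROCEXP152.sys, the name a running copy of
# Process Explorer uses for its own driver, is deliberately left out.
SUSPECT_DRIVERS = {"procexp.sys", "windowskernelexplorer.sys"}
DRIVERS_DIR = r"C:\Windows\System32\drivers"
SYSTEM32 = r"C:\Windows\System32"


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are exact."""
    return ntpath.normpath(path).lower()


def _in_dir(path: str, directory: str) -> bool:
    return ntpath.dirname(_norm(path)) == _norm(directory)


def match_aukill_indicators(events):
    """Return one alert string per matched indicator, in event order.

    Three behaviours from the page are covered:
      * a driver named PROCEXP.SYS or WindowsKernelExplorer.sys being loaded;
      * one of those files being written into System32\\drivers;
      * a service being installed for an .exe that an earlier event showed
        being copied into System32 from a TEMP directory (the self-copy step).
    """
    alerts = []
    staged = {}  # normalised .exe path in System32 -> process that wrote it
    for ev in events:
        kind = ev["event"]
        if kind == "driver_load":
            path = _norm(ev["path"])
            if ntpath.basename(path) in SUSPECT_DRIVERS:
                alerts.append(f"driver_load: {ev['path']} (driver name abused by AuKill)")
        elif kind == "file_create":
            path = _norm(ev["path"])
            writer = _norm(ev["process"])
            if ntpath.basename(path) in SUSPECT_DRIVERS and _in_dir(path, DRIVERS_DIR):
                alerts.append(f"file_create: {ev['path']} dropped by {ev['process']}")
            elif _in_dir(path, SYSTEM32) and path.endswith(".exe") and "\\temp\\" in writer:
                staged[path] = ev["process"]  # remember for the service correlation
        elif kind == "service_install":
            image = _norm(ev["image_path"])
            if image in staged:
                alerts.append(f"service_install: {ev['service']} runs {ev['image_path']}, "
                              f"which was copied into System32 by {staged[image]}")
    return alerts


# Constructed telemetry, not from a real incident. Executable and service names
# are invented for the illustration.
SAMPLE_EVENTS = [
    {"event": "file_create", "process": r"C:\Users\bob\AppData\Local\Temp\svchost32.exe",
     "path": r"C:\Windows\System32\svchost32.exe"},
    {"event": "service_install", "service": "WinHealthSvc",
     "image_path": r"C:\Windows\System32\svchost32.exe"},
    {"event": "file_create", "process": r"C:\Windows\System32\svchost32.exe",
     "path": r"C:\Windows\System32\drivers\PROCEXP.SYS"},
    {"event": "driver_load", "path": r"C:\Windows\System32\drivers\PROCEXP.SYS"},
    # benign: an administrator running Process Explorer loads its own driver
    {"event": "driver_load", "path": r"C:\Windows\System32\drivers\PROCEXP152.sys"},
    # benign: servicing writes an ordinary driver file
    {"event": "file_create", "process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\System32\drivers\tcpip.sys"},
]


def demo():
    """Run the matcher over the constructed sample; returns the alert list."""
    return match_aukill_indicators(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

File names are the cheapest indicator and the easiest for an attacker to change; treat them as a starting point and pair them with a block on the abusable Process Explorer driver build itself (by hash or version, for example through a Windows Defender Application Control driver block rule; the hashes are not given on this page).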

Conclusion: Understanding and Mitigating AuKill’s Threat

AuKill shows that a legitimately signed driver with abusable functionality is as dangerous as a malicious one once an attacker holds administrator rights: the signature satisfies Driver Signature Enforcement, and the driver's kernel-mode handle closing defeats the process protections that keep EDR agents alive. Defenders should therefore guard administrator and SYSTEM privileges, treat every driver load as a security-relevant event, watch for the driver and service artifacts described above, and block known-abusable driver versions by hash with Windows Defender Application Control, for which Microsoft publishes a recommended driver block list.
