AuKill
AuKill is a Windows defense-evasion malware/tool used to disable endpoint detection and response (EDR) and other security products prior to follow-on payload deployment, including ransomware and backdoors. Sophos X-Ops reported that it abuses an outdated Microsoft-signed Process Explorer driver, taken from Process Explorer version 16.32, in a bring-your-own-vulnerable-driver (BYOVD) technique. The malware drops a driver named PROCEXP.SYS into C:\Windows\System32\drivers, drops a copy of its executable into System32 or the TEMP directory, and runs itself as a service.

It requires administrative privileges and does not itself grant initial admin access. If not already running as SYSTEM, it attempts to relaunch with SYSTEM privileges by impersonating TrustedInstaller.exe: it starts the Trusted Installer service, duplicates its token, and calls CreateProcessWithTokenW. AuKill requires the first command-line argument to be the keyword "startkey", which it validates via a hardcoded arithmetic check against 57502 (0xE09E).

Once active, it continuously monitors for targeted security components using multiple threads, terminates protected processes by sending IOCTL_CLOSE_HANDLE to the vulnerable Process Explorer driver, disables services via ChangeServiceConfigW with SERVICE_DISABLED, and in at least one variant unloads targeted drivers via NtUnloadDriver and deletes the related registry service keys under System\CurrentControlSet\Services.

Sophos collected six variants, labeled V1 through V6, with compilation timestamps spanning November 2022 to February 2023, and observed variant-specific targeting that included Sophos components as well as Microsoft, Splashtop, ElasticSearch, and Aladdin HASP Software components. Sophos linked AuKill to at least three ransomware incidents in early 2023, including attacks involving Medusa Locker in January and February 2023 and LockBit in February 2023, and other reporting notes its use before ransomware or backdoor deployment.
Sophos found strong similarities between AuKill and the open-source Backstab tool, including nearly identical driver-interaction logic and debug strings, and detects AuKill as ATK/BackStab-D. Other reporting also associates AuKill with FIN7, stating that FIN7 developed AuKill, also known as AvNeutralizer, and that it was later offered for sale on criminal marketplaces.
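As an added defender-side example (not Sophos', Mallory's or any vendor's code), the following Python triages constructed Sysmon/System-log-style events for the behaviours described above: a load of PROCEXP.SYS from the drivers directory, a watched security service set to disabled, and deletion of a Services registry key. The event field names, the watched service names and the sample telemetry are assumptions constructed for the example.

```python
import re

# Defender-maintained watchlist of security service/driver names; the names
# here are constructed placeholders, not identifiers from the AuKill report.
WATCHED_NAMES = {"ExampleEdrAgent", "ExampleEdrDriver"}

# The report names PROCEXP.SYS as the dropped driver and PROCEXP152.sys as the
# legitimate Process Explorer driver in the same directory; only the former matches.
DROPPED_DRIVER = re.compile(r"\\system32\\drivers\\procexp\.sys$", re.I)
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)

def triage(events):
    """Return (rule, detail) findings; events mimic Sysmon 6 (driver load),
    System 7040 (start type changed) and Sysmon 12 (registry key deleted)."""
    findings = []
    for ev in events:
        if ev["type"] == "driver_load" and DROPPED_DRIVER.search(ev["image"]):
            findings.append(("byovd_procexp_driver", ev["image"]))
        elif (ev["type"] == "service_config" and ev["start_type"] == "disabled"
              and ev["service"] in WATCHED_NAMES):
            findings.append(("security_service_disabled", ev["service"]))
        elif ev["type"] == "registry_delete":
            m = SERVICES_KEY.match(ev["key"])
            if m and m.group(1) in WATCHED_NAMES:
                findings.append(("driver_service_key_deleted", m.group(1)))
    return findings

def is_edr_killer_pattern(findings):
    """High-confidence verdict: the vulnerable driver was loaded AND at least
    one watched service was disabled or had its Services key removed."""
    rules = {r for r, _ in findings}
    return "byovd_procexp_driver" in rules and bool(
        rules & {"security_service_disabled", "driver_service_key_deleted"})

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\PROCEXP152.sys"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\PROCEXP.SYS"},
    {"type": "service_config", "service": "ExampleEdrAgent", "start_type": "disabled"},
    {"type": "service_config", "service": "Spooler", "start_type": "disabled"},
    {"type": "registry_delete",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleEdrDriver"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), is_edr_killer_pattern(triage(SAMPLE_EVENTS)))
```

The legitimate PROCEXP152.sys load and the unrelated Spooler change produce no findings, so the verdict keys on the dropped driver name plus impact on a watched service.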
Groups observed using it
2 distinct threat actors attributed by public researchers.
FIN7 also developed AuKill (also known as AvNeutralizer), a custom EDR evasion utility designed to disable endpoint security solutions, which was later reported to have been offered for sale by the group on criminal marketplaces.
Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Persistence (3 techniques)
For each driver name, AuKill tries to unload it via calling NtUnloadDriver and deleting the corresponding registry key in the hive System\CurrentControlSet\Services\[DRIVER_NAME].
Privilege Escalation (6 techniques)
This technique is commonly referred to as a “bring your own vulnerable driver” (BYOVD) attack.
Then it duplicates the token of TrustedInstaller.exe using the DuplicateTokenW WINAPI function, and passes the token to CreateProcessWithTokenW to elevate itself to SYSTEM once the process restarts.
For each service name in the list, AuKill checks if it exists, and if it does, disables it by calling ChangeServiceConfigW and passing SERVICE_DISABLED for dwStartType.
Stealth (7 techniques)
“This tool has been found in the wild as a packed payload… analysis of the associated private packer… ‘PackXOR’… The aim of packing is to hinder the work of malware analysts and antivirus/EDR software, by concealing payloads and delaying their detection.”
AuKill drops a driver named PROCEXP.SYS (from the release version 16.32 of Process Explorer) into the C:\Windows\System32\drivers path. The legitimate Process Explorer driver is named PROCEXP152.sys, and normally is found in the same location.
Defense Impairment (2 techniques)
Discovery (2 techniques)
Impact (1 technique)
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Malware referenced as abusing the Process Explorer driver to kill or bypass EDR protections.
EDR Killer malware that abuses the legitimate Process Explorer driver to stop EDR/security products. Used to disable defenses before ransomware deployment.
BYOVD-associated defense-evasion tool referenced as commonly used by ransomware groups to disable security products prior to encryption.
Standalone defense-evasion tool used to terminate/disable endpoint security (EDR/AV) processes to facilitate follow-on payload deployment (including ransomware).