Backstab
Backstab is an open-source Windows defense-evasion tool designed to disable endpoint detection and response (EDR) and other security products. It was first published in June 2021 and implements a bring-your-own-vulnerable-driver (BYOVD) style technique: it abuses an outdated, Microsoft-signed Sysinternals Process Explorer driver to terminate protected security processes. Reporting cited on this page states that the tool has been used maliciously to bypass or disable EDR systems, including incidents previously reported by Sophos and use by a LockBit-affiliated threat actor in November 2022. A joint FBI/CISA/HHS/MS-ISAC advisory also lists Backstab among the tools abused by Black Basta affiliates to disable EDR tooling. Sophos further identified strong similarities between Backstab and the later AuKill tool, including nearly identical driver-interaction logic and debug strings, and detects related activity as ATK/BackStab-D. The high-confidence behavior directly supported by the cited sources is that Backstab abuses the Process Explorer driver to disable security processes and EDR protections on Windows systems.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The method of abusing the Process Explorer driver to bypass EDR systems isn’t new; it was implemented in the open-source tool Backstab, first published in June 2021.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation
1 technique
The binary loads a vulnerable PROCEXP driver (version 16.32), which enables the user to perform arbitrary process termination by sending a specific I/O control code. One of the most important points is that the vulnerable driver is a Microsoft-signed driver, which most anti-malware products will simply ignore unless they have revoked the signing certificate in their database.
Defense Impairment
1 technique
Impact
1 technique
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Named tool listed as part of the Black Basta affiliates' toolkit; the source does not describe its functionality beyond its being used or abused in operations.
An open-source tool that abuses the Process Explorer driver to disable or terminate EDR/security processes. Sophos states AuKill appears to reuse core techniques and code snippets introduced by Backstab.
An open-source tool that abuses the Process Explorer driver to disable or terminate EDR/security processes. The article states AuKill appears built around the core technique introduced by Backstab.
Custom or third-party tool used to impair defenses by disabling EDR tooling prior to the encryption and exfiltration stages.