Bring your own vulnerable driver (BYOVD) technique allows bypassing AV or EDR

by time news

2023-04-20 04:36:01

Threat actors increasingly rely on exploitable drivers to bypass security measures. Drivers are low-level system components that have access to important security structures stored in kernel memory. Before allowing a kernel-mode driver to load, Windows applies a security mechanism called Driver Signature Enforcement, which requires that the driver be digitally signed by a legitimate code signing authority. The signature acts as a trust mark that validates the authenticity of the program and protects the user's system from potentially dangerous code.

To circumvent this precaution, attackers must either obtain a malicious driver signed with a trusted certificate or turn to a BYOVD attack, in which they abuse a legitimate commercial software driver to achieve their goal. Obtaining a signed malicious driver is very difficult, so in practice the malware instead abuses a genuine driver that is out of date and has a known exploitable flaw. This type of attack is commonly called a bring your own vulnerable driver (BYOVD) attack.

In this particular case, the attackers made use of a driver that was not only developed by Microsoft but also signed by the company. The Sysinternals team develops a set of administrative tools, one of which is Process Explorer, which ships with its own driver. This driver exposes a number of functions that allow users to interact with running processes.

Sophos X-Ops has carried out an investigation into many incidents over the past few months, all of which involved attackers attempting to disable EDR clients using a new defense evasion tool we've dubbed AuKill. To disable EDR processes on the target machine before installing a backdoor or ransomware, AuKill uses an outdated driver taken from version 16.32 of the Microsoft utility Process Explorer.

Since early 2023, the tool has been used in at least three ransomware incidents to disable the target's protection before ransomware was deployed. These events are as follows: in January and February, attackers used the program after delivering the ransomware known as Medusa Locker; in February, an attacker used AuKill just before releasing the malware known as Lockbit.

When AuKill runs, it places a driver named PROCEXP.SYS in the C:\Windows\System32\drivers directory. This driver comes from the 16.32 release of Process Explorer. The current official Process Explorer driver has the filename PROCEXP152.sys and is often located in the same directory as the driver AuKill drops, so both drivers can be present on a computer at the same time if that computer also runs a legitimate copy of Process Explorer. In addition, the AuKill installer places an executable copy of itself in the System32 or TEMP directory and registers it as a service so that it runs in the background.

The driver's functionality is reachable from user mode. For example, a user-mode program can send the I/O control code IOCTL_CLOSE_HANDLE to the driver, which instructs the driver to close a handle held by a protected process, ultimately resulting in the termination of that process.
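The two host artefacts described above (a PROCEXP.SYS driver load and a freshly installed service whose binary sits in TEMP) are concrete enough to hunt for in telemetry. The following script is an added example written for this page, not code from Sophos or from the article. It runs over constructed sample records shaped after Sysmon Event ID 6 ("Driver loaded") and Windows System log Event ID 7045 ("A service was installed"); the field names, host names and service name are assumptions made for the demo. Note that the rule deliberately ignores signature status: the driver AuKill abuses is validly signed by Microsoft, which is the whole point of BYOVD.

```python
import ntpath
from typing import Iterable

# Constructed sample telemetry for this demo, loosely shaped after Sysmon
# Event ID 6 ("Driver loaded") and System log Event ID 7045 ("A service was
# installed in the system"). These are not real captures from an incident.
SAMPLE_EVENTS = [
    {"id": 6, "host": "WS-01", "image": r"C:\Windows\System32\drivers\PROCEXP152.sys", "signed": True},
    {"id": 6, "host": "WS-01", "image": r"C:\Windows\System32\drivers\PROCEXP.SYS", "signed": True},
    {"id": 7045, "host": "WS-01", "service": "AuKillSvc", "image_path": r"C:\Windows\Temp\aukill.exe"},
    {"id": 7045, "host": "WS-02", "service": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 6, "host": "WS-02", "image": r"C:\Windows\System32\drivers\ndis.sys", "signed": True},
]

# The file name the article ties to the outdated Process Explorer 16.32 driver.
# The current driver ships as PROCEXP152.sys, so a bare procexp.sys is suspect.
SUSPECT_DRIVER_NAMES = {"procexp.sys"}

# Directory fragments from which a newly installed service binary is unusual.
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")


def basename_lower(path: str) -> str:
    """Windows-style basename, case-folded (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def is_temp_path(path: str) -> bool:
    """True if the image path lives under a TEMP/TMP directory."""
    return any(marker in path.lower() for marker in TEMP_DIR_MARKERS)


def find_byovd_indicators(events: Iterable[dict]) -> list:
    """Return one finding per event that matches an AuKill artefact.

    Rule 1: a driver load of procexp.sys. Signature status is ignored on
            purpose: in a BYOVD attack the driver *is* validly signed.
    Rule 2: a new service whose image lives in a TEMP directory.
    """
    findings = []
    for ev in events:
        if ev.get("id") == 6 and basename_lower(ev["image"]) in SUSPECT_DRIVER_NAMES:
            findings.append({
                "host": ev["host"],
                "rule": "outdated-procexp-driver-loaded",
                "detail": ev["image"],
            })
        elif ev.get("id") == 7045 and is_temp_path(ev["image_path"]):
            findings.append({
                "host": ev["host"],
                "rule": "service-installed-from-temp",
                "detail": f'{ev["service"]} -> {ev["image_path"]}',
            })
    return findings


if __name__ == "__main__":
    for f in find_byovd_indicators(SAMPLE_EVENTS):
        print(f'{f["host"]}: {f["rule"]} ({f["detail"]})')
```

On the sample input the script raises two findings, both on WS-01: the procexp.sys load and the service pointing into C:\Windows\Temp. The legitimate PROCEXP152.sys load on the same host is not flagged, which matters in environments where administrators genuinely run Process Explorer. Services installed from System32 are not flagged because that is where most legitimate service binaries live; the article names System32 as a possible drop location, so that case needs a different signal (for instance, an unexpected new service name) rather than a path rule.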

To exploit this successfully, an attacker needs administrator rights on the target machine. Gaining administrator rights usually means the attacker already has full control over the computer.

To get past the remaining security measures, attackers need to go one step further and run code in kernel mode through a driver. AuKill achieves this by abusing the valid driver that Process Explorer uses.

In most cases, an EDR client is made up of several components that cooperate with each other, for example a running process or an installed service, each with its own set of capabilities. If one of them is frozen or shut down, it is usually restarted as quickly as possible.

To keep EDR processes and services from coming back, AuKill starts multiple threads. Each thread focuses on a particular component and continually checks whether the processes or services it targets are active; if any of them are, AuKill disables or terminates them again.

The practice of disabling EDR clients through drivers, whether the drivers are valid but misused for malicious purposes (BYOVD) or signed with a stolen or leaked certificate, remains common among adversaries who want to disable protection systems.
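The kill-loop behaviour described above leaves a recognisable trace: the same protected component is terminated again and again on one host within a short window, whereas a normal exit (an upgrade, a crash) happens once. The following script is an added example written for this page, not code from Sophos or from the article. It applies a sliding-window count to constructed sample records shaped after Sysmon Event ID 5 ("Process terminated"); the EDR process names, hosts and timestamps are hypothetical stand-ins and not any vendor's real file names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped after Sysmon Event ID 5 ("Process terminated"):
# (UTC timestamp, host, image path). The EDR file names are hypothetical.
SAMPLE_TERMINATIONS = [
    ("2023-02-14T10:00:01", "WS-01", r"C:\Program Files\ExampleEDR\edr_agent.exe"),
    ("2023-02-14T10:00:09", "WS-01", r"C:\Program Files\ExampleEDR\edr_agent.exe"),
    ("2023-02-14T10:00:17", "WS-01", r"C:\Program Files\ExampleEDR\edr_agent.exe"),
    ("2023-02-14T10:00:20", "WS-01", r"C:\Program Files\ExampleEDR\edr_service.exe"),
    ("2023-02-14T10:00:25", "WS-01", r"C:\Program Files\ExampleEDR\edr_agent.exe"),
    ("2023-02-14T11:30:00", "WS-02", r"C:\Program Files\ExampleEDR\edr_agent.exe"),  # one exit, e.g. an upgrade
    ("2023-02-14T11:30:02", "WS-02", r"C:\Windows\System32\notepad.exe"),            # not a protected image
]

# Hypothetical names of the security components a watchdog is expected to restart.
PROTECTED_IMAGES = {"edr_agent.exe", "edr_service.exe"}


def detect_kill_loops(records, threshold=3, window=timedelta(seconds=60)):
    """Flag (host, image) pairs terminated >= threshold times inside a sliding window.

    A watchdog-protected EDR component restarts after an exit, so a burst of
    terminations of the same image on one host is the pattern a kill thread
    produces. A single exit (upgrade, crash) never reaches the threshold.
    Returns one alert per (host, image) pair, raised when the threshold is first hit.
    """
    recent = defaultdict(deque)   # (host, image) -> timestamps still inside the window
    alerts = []
    alerted = set()
    for ts, host, path in sorted(records):
        image = path.rsplit("\\", 1)[-1].lower()
        if image not in PROTECTED_IMAGES:
            continue
        key = (host, image)
        t = datetime.fromisoformat(ts)
        q = recent[key]
        q.append(t)
        # Drop terminations that have fallen out of the window.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "image": image, "count": len(q), "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_kill_loops(SAMPLE_TERMINATIONS):
        print(f'{a["host"]}: {a["image"]} terminated {a["count"]}x within 60s (last at {a["last_seen"]})')
```

On the sample data only WS-01 / edr_agent.exe trips the rule, at the third termination within 60 seconds; the single exit of edr_service.exe and the lone exit on WS-02 stay below the threshold. Because the alert fires on the first burst rather than on the total count, it is suited to streaming telemetry, and the threshold and window can be tuned to how aggressively the vendor's watchdog restarts its components.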

Over the past year, members of the security community have documented many situations where drivers have been used as weapons for malicious purposes. The discovery of a tool like AuKill lends credence to the view that adversaries are continually working to weaponize drivers.
