
If you haven't patched Microsoft Process Explorer, prepare to be pwned
2023-04-24 11:30

The hacking tool, which Sophos X-Ops researchers are calling AuKill, is the latest example of a growing trend in which threat gangs either abuse a legitimate, signed commercial driver to get past endpoint detection and response (EDR) software on a target system - the so-called bring-your-own-vulnerable-driver (BYOVD) attack - or get a malicious driver of their own digitally signed by a trusted certificate.

In a related move, Microsoft has suspended a number of third-party developer accounts that submitted malicious Windows drivers and revoked the certificates that were used to sign them.

The AuKill tool, which abuses the outdated 16.32 version of Microsoft's Process Explorer driver to disable EDR processes, has been used in at least three ransomware attacks since the start of the year.

Sophos notified Microsoft about the abuse of the outdated Process Explorer driver.

Separately, in February 2023, SentinelOne researchers wrote about MalVirt, a tool that used the same Process Explorer driver.

AuKill drops the outdated driver onto the Windows system, where it can coexist with a newer Process Explorer driver that is already installed; because the old build carries a valid Microsoft signature, it loads without complaint.
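The check a defender wants after reading this is whether the abused driver build is sitting on a host. The PowerShell below is an added triage example, not code from the article, Sophos or Microsoft: it looks for Process Explorer kernel drivers on disk and among registered kernel services and flags any whose file version is at or below 16.32, the build the article names. The assumption that the dropped file is named procexp*.sys and the search locations are mine; the Authenticode signature is shown for context but deliberately not used to clear a file, since the abused driver is legitimately signed.

```powershell
# Added example (not the article's or Sophos's code): hunt for outdated
# Process Explorer drivers (<= 16.32) that BYOVD tools such as AuKill drop.
# ASSUMPTIONS: the driver file is named procexp*.sys and lives either in the
# drivers folder or wherever a registered kernel service points.

$AbusedVersion = [Version]'16.32'   # build named in the article

function Get-DriverVersion {
    param([Parameter(Mandatory)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Prefer FileVersion, fall back to ProductVersion; keep only the numeric part.
    foreach ($text in @($vi.FileVersion, $vi.ProductVersion)) {
        if ([string]::IsNullOrWhiteSpace($text)) { continue }
        $numeric = ($text.Trim() -split '[^\d.]')[0]
        if ($numeric -notmatch '\.') { $numeric = "$numeric.0" }  # [Version] needs >= 2 parts
        $parsed = $null
        if ([Version]::TryParse($numeric, [ref]$parsed)) { return $parsed }
    }
    return $null
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a file path.
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Test-ProcexpDriver {
    param([Parameter(Mandatory)][string]$Path)
    $ver = Get-DriverVersion -Path $Path
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Version    = $ver
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SigStatus  = $sig.Status
        # The finding: a known-abused build is present. Signature validity is
        # irrelevant here; the point of BYOVD is that the driver IS validly signed.
        Vulnerable = ($null -ne $ver -and $ver -le $AbusedVersion)
    }
}

# 1. Driver binaries written to the drivers folder (where AuKill drops its copy).
$candidates = @(
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'procexp*.sys' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
)

# 2. Kernel drivers registered as services, regardless of whether they are running now.
$candidates += Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'procexp[^\\]*\.sys$' } |
    ForEach-Object { Resolve-DriverPath -PathName $_.PathName }

$results = $candidates |
    Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-ProcexpDriver -Path $_ }

$results | Format-Table -AutoSize

if ($results | Where-Object Vulnerable) {
    Write-Warning "Outdated Process Explorer driver (<= $AbusedVersion) present: check which service owns it and how it arrived."
}
```

Run it as an administrator so every service path is readable. Two hits with different versions in the same folder (a current Process Explorer driver next to an old one) is exactly the coexistence the article describes and is worth a closer look at the owning service's creation time.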


News URL

https://go.theregister.com/feed/www.theregister.com/2023/04/24/microsoft_driver_aukill_ransomware/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 693 796 4598 4360 3661 13415