April 28, 2023

AuKill: Protecting against BYOVD attacks on EDR software

On April 24, 2023, an article released on Hacker News revealed evidence that ransomware threat actors were using a previously unseen tool to disable Endpoint Detection and Response (EDR) software products.

This new tool, dubbed AuKill, uses a technique known as Bring Your Own Vulnerable Driver (BYOVD) to disable security software and leave the computer defenseless.

The good news is that cybersecurity solutions with advanced monitoring capabilities like Covalence can stop this attack in its initial stages.

Here’s a quick look at what you need to know about BYOVD attacks.

What are BYOVD attacks?

A Bring Your Own Vulnerable Driver (BYOVD) attack is a technique in which hackers and cybercriminals deliver or upload a legitimate driver file to a victim’s computer and leverage it for nefarious purposes. Although not a new technique, BYOVD attacks can be difficult to detect and defend against.

In this case, the security researchers reported that the ransomware actors uploaded AuKill, which leveraged an outdated Microsoft utility (Process Explorer). When AuKill was executed, it provided the hackers with kernel-level privileges, the highest level available in most operating systems. They used this access to disable the computer’s security software and then proceeded to deploy either a backdoor or ransomware to the victim’s computer.

Why does this matter?

Because they typically leverage legitimately signed operating system files, BYOVD attacks can easily evade detection by anti-virus and SIEM solutions. Once a cybercriminal disables a computer’s security software, they have free rein to conduct further operational activities, such as moving laterally to infect other devices, or encrypting and stealing data.
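An added example, not from the original article or from Covalence: a Python triage over driver-load events showing why a valid signature alone is a weak signal, and how hash and load-path context catch what it misses. The events are constructed using Sysmon Event ID 6 (Driver loaded) field names; the blocklist digest, file names and writable-path policy are assumptions.

```python
import re

# Constructed placeholder digest standing in for a vulnerable-driver blocklist;
# a real deployment would load a maintained list instead.
VULNERABLE_SHA256 = {"a" * 64}

# Directories a standard user can usually write to (assumed policy, tune locally).
WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)

# Constructed events using Sysmon Event ID 6 (Driver loaded) field names.
EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\example_storage.sys",
     "Hashes": "SHA256=" + "B" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example_old.sys",
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "A" * 64,
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\example_helper.sys",
     "Hashes": "SHA256=" + "C" * 64, "Signed": "true", "SignatureStatus": "Valid"},
]

def sha256_of(event):
    """Pull the SHA256 value out of Sysmon's 'ALG=HEX,ALG=HEX' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        alg, _, digest = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None

def signature_only_verdict(event):
    """The weak check: trust any driver that carries a valid signature."""
    ok = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    return "allow" if ok else "alert"

def triage(event):
    """Return (severity, reasons) using hash and load-path context as well."""
    reasons = []
    if sha256_of(event) in VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if WRITABLE.match(event.get("ImageLoaded", "")):
        reasons.append("loaded from user-writable path")
    if signature_only_verdict(event) == "alert":
        reasons.append("missing or invalid signature")
    blocklisted = bool(reasons) and "blocklist" in reasons[0]
    return ("high" if blocklisted else "medium" if reasons else "none"), reasons

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ImageLoaded"], signature_only_verdict(ev), *triage(ev))
```

All three constructed drivers pass the signature-only check, while the contextual triage raises the second and third.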

Driver-based attacks like AuKill have a long history in cybersecurity. The first ones were detected in 2012 and, because of their relative success rates, won't be going away any time soon.

How does Covalence help?

Covalence has leading-edge monitoring capabilities which can detect and block the exploitation of vulnerable drivers. By stopping BYOVD attacks before they start, Covalence helps to defend our customers from sophisticated attacks like the one described in the report.

Covalence also protects vulnerable drivers that can’t be removed from operational systems, and it does so without forcing the driver to be removed, which would introduce stability issues on the endpoint.