Executive Summary
On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on a client in the home improvement business. The attackers used the AuKill tool to disable the client’s EDR solution, SentinelOne, on a print server. AuKill is an “EDR killer”: rather than exploiting the EDR product itself, it brings a legitimately signed but vulnerable driver onto the host and uses it to terminate the processes and services of specific EDR products, clearing the way for a ransomware payload. Ransomware groups use it for exactly that purpose. In this case SentinelOne isolated most of the malicious files before it was disabled, so the incident never progressed to encryption. AT&T MXDR found no evidence of data exfiltration or encryption, but the client chose to rebuild the print server as a precaution. This study walks through the attack and offers recommendations to reduce the risk of a repeat.
Investigating the First Phase of the Attack
The attackers initially targeted the print server, mistaking it for a Domain Controller. They obtained local administrator credentials by brute force and made unauthorized registry changes. They established a beachhead in a folder under the local Administrator profile’s Music directory (the path appears in the source as “UsersAdministratorMusicaSentinel”, with the path separators stripped) and used it as the staging area for their tooling. From there they ran AuKill, which installs itself as a Windows service, to disable SentinelOne. They also used the PCHunter utility for network reconnaissance and deleted volume shadow copies to prevent recovery from local snapshots.
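The first phase leaves a recognisable trail in standard Windows telemetry: a burst of failed logons followed by a success, a new service whose binary lives under a user profile, and a shadow copy deletion. The following detection logic is an added example, not tooling from AT&T MXDR or the client; the event records are constructed in the shape of Windows Security (4625/4624), System (7045) and Sysmon process-creation (1) events, and the service name, binary path and source address are placeholders.

```python
"""Detection logic for the first phase of the intrusion described above:
a brute-forced local administrator logon, a new service installed from the
Administrator profile, and deletion of volume shadow copies. Added example;
the events below are constructed, not taken from the incident."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int          # Windows Security / System / Sysmon event ID
    fields: dict = field(default_factory=dict)


def _t(hms):
    # Helper for the constructed sample: clock time on the incident date.
    return datetime.fromisoformat("2023-04-21T" + hms)


SAMPLE = (
    # 40 failed network logons for Administrator from one source in 40 seconds...
    [Event(_t(f"02:00:{i:02d}"), "PRINT01", 4625,
           {"TargetUserName": "Administrator", "LogonType": "3", "IpAddress": "10.10.5.23"})
     for i in range(40)]
    + [
        # ...followed by a success from the same source: a guessed password.
        Event(_t("02:00:41"), "PRINT01", 4624,
              {"TargetUserName": "Administrator", "LogonType": "3", "IpAddress": "10.10.5.23"}),
        # A service whose binary lives under a user profile (placeholder name and path).
        Event(_t("02:07:12"), "PRINT01", 7045,
              {"ServiceName": "aSentinel",
               "ImagePath": "C:\\Users\\Administrator\\Music\\aSentinel\\svc.exe"}),
        # Shadow copy deletion, the classic ransomware precursor.
        Event(_t("02:09:30"), "PRINT01", 1,
              {"Image": "C:\\Windows\\System32\\vssadmin.exe",
               "CommandLine": "vssadmin delete shadows /all /quiet"}),
        # Benign activity on another host, to show the rules stay quiet there.
        Event(_t("02:05:00"), "FILE02", 4624,
              {"TargetUserName": "svc_backup", "LogonType": "5", "IpAddress": "-"}),
        Event(_t("02:06:00"), "FILE02", 7045,
              {"ServiceName": "SentinelAgent",
               "ImagePath": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"}),
    ]
)

BRUTE_THRESHOLD = 20                 # failures before a success counts as a guessed password
BRUTE_WINDOW = timedelta(minutes=5)  # failures older than this are not counted


def detect(events):
    """Return a list of alerts, each {"host", "rule", "ts", "detail"}, in time order per host."""
    alerts = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    for host, evs in by_host.items():
        failures = defaultdict(list)  # (user, source ip) -> timestamps of 4625 events
        for ev in evs:
            f = ev.fields
            if ev.event_id == 4625:
                failures[(f["TargetUserName"].lower(), f["IpAddress"])].append(ev.ts)
            elif ev.event_id == 4624:
                key = (f["TargetUserName"].lower(), f["IpAddress"])
                recent = [t for t in failures[key] if ev.ts - t <= BRUTE_WINDOW]
                if len(recent) >= BRUTE_THRESHOLD:
                    alerts.append({"host": host, "rule": "brute_force_success", "ts": ev.ts,
                                   "detail": f"{len(recent)} failures then success for {key[0]} from {key[1]}"})
            elif ev.event_id == 7045:
                # Legitimate services do not run out of a user profile directory.
                if f["ImagePath"].lower().startswith("c:\\users\\"):
                    alerts.append({"host": host, "rule": "service_from_user_profile", "ts": ev.ts,
                                   "detail": f"{f['ServiceName']} -> {f['ImagePath']}"})
            elif ev.event_id == 1:
                cmd = f.get("CommandLine", "").lower()
                if ("vssadmin" in cmd and "delete shadows" in cmd) or "shadowcopy delete" in cmd:
                    alerts.append({"host": host, "rule": "shadow_copy_deletion", "ts": ev.ts,
                                   "detail": f["CommandLine"]})
    return alerts


def chained_hosts(alerts, stages=("brute_force_success", "service_from_user_profile", "shadow_copy_deletion")):
    """Hosts on which every stage fired in order: the full ransomware-precursor chain."""
    seen = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        seen[a["host"]].append(a["rule"])
    result = set()
    for host, rules in seen.items():
        idx = 0
        for r in rules:
            if idx < len(stages) and r == stages[idx]:
                idx += 1
        if idx == len(stages):
            result.add(host)
    return result


if __name__ == "__main__":
    found = detect(SAMPLE)
    for a in found:
        print(a["ts"].time(), a["host"], a["rule"], a["detail"])
    print("chain complete on:", sorted(chained_hosts(found)))
```

Each rule on its own is noisy in a large estate (service installs and occasional lockouts are routine); the value is in `chained_hosts`, which only names a host once all three stages have fired on it in order, which is the point at which the print server should have been isolated.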
Bypassing Native Windows Protection
Local administrator rights were not enough on their own: EDR agents protect themselves against being stopped from user mode, so terminating SentinelOne required code running in the kernel. The attackers obtained that by bringing their own vulnerable driver (BYOVD). AuKill dropped PROCEXP.SYS, an outdated build of the Process Explorer kernel driver, named like the current legitimate driver, PROCEXP152.sys. Because this driver is a genuine, signed Microsoft binary, it loads cleanly under Driver Signature Enforcement; it does not bypass that check, it passes it. The weakness lies in what the driver does once loaded: any user-mode caller with a handle to its device can ask it to terminate arbitrary processes from kernel context, including protected ones. Through that interface the attackers killed the SentinelOne processes and kept the agent from functioning.
Response
AT&T MXDR responded quickly to the attack, notifying the client and advising them to isolate the compromised asset. The team confirmed that no sensitive information was exfiltrated or encrypted. The client chose to rebuild the print server and reinstall SentinelOne to strengthen their security measures.
Recommendations
To reduce the risk of a repeat, AT&T MXDR recommends blocking known-vulnerable drivers with a history of exploitation rather than relying on signatures alone: the PROCEXP.SYS build abused here is legitimately signed, so a valid signature says nothing about whether a driver can be abused. Clients should keep an inventory of the drivers present on their systems, compare it against Microsoft’s vulnerable driver blocklist (enforced when hypervisor-protected code integrity is enabled, or through a Windows Defender Application Control policy), keep drivers up to date, and alert on driver loads of files that should not be present. Hardening administrator accounts, for example with lockout policies, unique per-host local administrator passwords and restrictions on network logon by local administrators, defends against the brute-force entry point used here. Together these measures raise the cost of BYOVD attacks and improve the overall security posture.
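The driver-inventory check recommended here, and the reason the BYOVD section gives for it (a signed driver can still be the vulnerable one), can be turned into a simple audit: compare each loaded driver’s name and file version against a watchlist of abusable builds, and its hash against a list of specific known-bad binaries. The script below is an added example, not the client’s or AT&T MXDR’s tooling. The inventory, the signer strings and the hashes are constructed; the only real item is the Process Explorer driver name, and the version cut-off is an assumption for the example, not a verified threshold.

```python
"""Audit a host's driver inventory against a watchlist of drivers abused in BYOVD
attacks. Added example; inventory, hashes, signer strings and the version bound
are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Driver:
    name: str      # file name as loaded (case-insensitive on Windows)
    path: str
    version: str   # FileVersion from the PE version resource
    signer: str    # Authenticode signer; note that a valid signer does NOT clear a driver
    sha256: str


def parse_version(v, width=4):
    """'16.32' -> (16, 32, 0, 0) so dotted versions of different lengths compare correctly."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


# name -> highest version still considered vulnerable (inclusive). Assumed values.
VULN_BY_VERSION = {
    "procexp.sys": "16.32.0.0",     # legacy file name of the Process Explorer driver abused by AuKill
    "procexp152.sys": "16.32.0.0",  # same driver under its current file name; newer builds pass
}
# sha256 of specific known-bad binaries (constructed placeholders, not real hashes).
BLOCKED_HASHES = {"11" * 32, "22" * 32}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def check_driver(d):
    """Return a list of findings for one driver; an empty list means nothing suspicious."""
    findings = []
    name = d.name.lower()
    if d.sha256.lower() in BLOCKED_HASHES:
        findings.append("hash on blocklist")
    if name in VULN_BY_VERSION and parse_version(d.version) <= parse_version(VULN_BY_VERSION[name]):
        findings.append(f"{d.name} {d.version} is at or below vulnerable build {VULN_BY_VERSION[name]}")
    if not d.path.lower().startswith(DRIVER_DIR):
        findings.append("loaded from outside System32\\drivers")
    return findings


def audit(inventory):
    """Map driver file name -> findings, only for drivers that have at least one."""
    report = {}
    for d in inventory:
        findings = check_driver(d)
        if findings:
            report[d.name] = findings
    return report


# Constructed inventory: one clean OS driver, the abused legacy build, a current
# build of the same driver, and an unsigned-looking file staged in a user profile.
INVENTORY = [
    Driver("ntfs.sys", "C:\\Windows\\System32\\drivers\\ntfs.sys", "10.0.19041.1",
           "Microsoft Windows", "aa" * 32),
    Driver("PROCEXP.SYS", "C:\\Windows\\System32\\drivers\\PROCEXP.SYS", "16.32",
           "Microsoft Corporation", "bb" * 32),
    Driver("PROCEXP152.sys", "C:\\Windows\\System32\\drivers\\PROCEXP152.sys", "17.4.0.0",
           "Microsoft Corporation", "cc" * 32),
    Driver("oem_tool.sys", "C:\\Users\\Administrator\\Music\\oem_tool.sys", "1.0.0.0",
           "Example OEM", "11" * 32),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Two details matter in practice. The signed-but-vulnerable PROCEXP.SYS entry is flagged purely on name and version, because its signature is valid; a check that stops at “is it signed by Microsoft?” would pass it. And version strings must be compared numerically after padding, otherwise “16.32” and “16.32.0.0” look different and “17.4” sorts below “16.32” as text. On a real Windows host the inventory can be collected with `Get-CimInstance Win32_SystemDriver` together with `Get-AuthenticodeSignature` and `Get-FileHash`, and the maintained watchlist to use is Microsoft’s vulnerable driver blocklist.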