Backstab
Backstab is an open-source Windows defense-evasion tool first published in June 2021 that is designed to disable endpoint detection and response (EDR) and other security products. It abuses an outdated, Microsoft-signed Sysinternals Process Explorer driver as a bring-your-own-vulnerable-driver (BYOVD) mechanism to terminate protected security processes; reporting cited in the content notes the technique uses the Process Explorer driver to bypass EDR systems and that similar driver interaction logic and debug strings were later observed in AuKill. Backstab has been reported in malicious use, including incidents previously described by Sophos and other vendors, and was specifically listed by U.S. government and industry reporting as a tool deployed by Black Basta affiliates to disable EDR tooling. The content associates its use with ransomware intrusion activity, including LockBit-affiliated activity and Black Basta operations. High-confidence behavioral details directly supported by the content are that it is used on Windows to impair security controls by abusing the Process Explorer driver to disable or terminate EDR/security processes; Sophos detects related activity under the name ATK/BackStab-D.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The method of abusing the Process Explorer driver to bypass EDR systems isn’t new; it was implemented in the open-source tool Backstab, first published in June 2021. In fact, Sophos and other security vendors have previously reported on multiple incidents where either Backstab, or a version of this driver, was used for malicious purposes.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation
1 techniqueThis technique is commonly referred to as a “bring your own vulnerable driver” (BYOVD) attack.
Defense Impairment
1 technique脆弱な署名済みドライバを武器化し ... Process Explorer(ProcExp)ドライバ(Microsoft署名済み)を悪用
Other
1 techniqueRecent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named tool listed as part of Black Basta affiliates' toolkit; the content does not describe functionality beyond being used/abused in operations.
An open-source tool that abuses the Process Explorer driver to disable or terminate EDR/security processes. Sophos states AuKill appears to reuse core techniques and code snippets introduced by Backstab.
Custom/third-party tool used to impair defenses by disabling EDR tooling prior to encryption/exfiltration stages.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.