NtKiller: The Underground Tool Designed to Kill EDR Before Attacks Even Begin

Aegiron 9 mins0

In late 2025, references to a Windows tool called NtKiller began circulating on underground forums. It is being marketed as an antivirus and EDR disabler, aimed squarely at attackers who want to neutralize endpoint protection before deploying ransomware, backdoors, or hands-on-keyboard activity.

At the time of writing, NtKiller has not been publicly tied to a named intrusion campaign, and there are no verified malware samples or hashes attributed to it. That does not make it irrelevant. Quite the opposite. Tools like this usually appear in underground markets before defenders start seeing them at scale.

NtKiller fits into a very real and well-documented category of tooling: EDR killers.

Why NtKiller Deserves Attention

Even without confirmed samples, NtKiller matters for a few reasons:

  • Endpoint defense evasion is now a standard phase of modern intrusions
  • Ransomware groups routinely disable EDR before lateral movement or encryption
  • Similar tools have already been used successfully in real-world attacks
  • Underground commercialization lowers the skill barrier for attackers

In other words, NtKiller is not a novelty — it is a sign that this capability is becoming more accessible.

Advertised Capabilities (as Seen in Underground Listings)

NtKiller is marketed as a modular Windows utility with the following claimed features:

  • Termination or disabling of major AV and EDR products
  • Ability to function on systems with:
    • Virtualization-Based Security (VBS)
    • Hypervisor-Protected Code Integrity (HVCI)
    • Memory Integrity enabled
  • Optional kernel-level components for stealth
  • UAC bypass to gain elevated privileges
  • Anti-analysis and anti-debugging logic

These claims should be treated cautiously, but none are technically unrealistic. Every one of these techniques has been observed independently in past attacks.

Likely Technical Architecture

Based on known EDR-killer implementations, NtKiller or similar tools would likely operate in stages.

User-Mode Stage

  • Enumerates installed security products
  • Identifies associated services and processes
  • Attempts to stop or kill them using native Windows APIs
  • Common tools abused:
    • sc.exe
    • net.exe
    • taskkill.exe
    • PowerShell Stop-Service and related cmdlets

Privilege Escalation / UAC Bypass

  • Required if the tool does not start elevated
  • Likely methods:
    • Auto-elevating COM objects
    • Scheduled task abuse
    • Trusted Windows binaries with elevated execution

Kernel-Mode Stage (Most Dangerous)

  • Likely uses Bring Your Own Vulnerable Driver (BYOVD)
  • Loads a signed but vulnerable .sys driver
  • Gains kernel execution
  • Disables or interferes with:
    • EDR kernel callbacks
    • Driver notifications
    • Telemetry collection

Persistence

  • Kernel driver registered as a service
  • Early boot start configuration
  • Fallback persistence via scheduled tasks or registry autoruns

Indicators of Compromise

There are no confirmed hashes or C2 domains, so detection must be behavior-based. Below are high-confidence indicators defenders should monitor.

File System IOCs

  • New or modified files in: C:\Windows\System32\drivers\
  • Suspicious .sys files with:
    • Random or generic names
    • Recent creation timestamps
    • Signatures from unknown or unexpected certificate authorities
  • Driver creation outside OS update or software install windows

Registry IOCs

  • New keys under: HKLM\SYSTEM\CurrentControlSet\Services\
  • Service entries pointing to newly created .sys files
  • Services configured with:
    • Start = 0 (Boot)
    • Start = 1 (System)
  • Registry changes closely following AV/EDR disruption

Process & Command-Line IOCs

Watch for the following commands targeting security products:

  • sc stop <security_service>
  • sc delete <security_service>
  • net stop <security_service>
  • taskkill /F /IM <edr_process>
  • PowerShell:
    • Stop-Service
    • Set-MpPreference
    • Remove-MpPreference

High-risk patterns:

  • Office applications or script hosts spawning sc.exe or taskkill.exe
  • Installers or updaters stopping security services
  • Chained execution of service stops followed by driver installation

EDR / AV Telemetry IOCs

  • Tamper protection alerts
  • Sudden EDR agent shutdowns
  • Loss of endpoint heartbeat
  • Defender or EDR services stopping unexpectedly
  • Agent update failures immediately before telemetry loss

Kernel / BYOVD Indicators

  • Loading of signed but vulnerable drivers
  • Driver load events immediately before EDR failure
  • Drivers with valid signatures that do not match baseline inventories

Detection Ideas for SOC Teams

You can translate these directly into SIEM or EDR detections.

High-Confidence Alert Logic

  • AV/EDR service stopped
  • Followed within minutes by:
    • New .sys file creation
    • New service registration
    • System reboot or driver load

Suspicious Sequence to Flag

  1. Security service termination
  2. Privileged command execution
  3. Driver installation
  4. Loss of endpoint telemetry

This sequence should be treated as an active intrusion, not a false positive.

Incident Response Guidance

If NtKiller-like behavior is suspected:

  • Isolate the endpoint immediately
  • Do not attempt live cleanup first
  • Preserve memory if possible
  • Collect:
    • Loaded drivers
    • Service configurations
    • Scheduled tasks
    • EDR and Windows logs
  • Assume kernel compromise if a malicious driver is confirmed
  • Rebuild the system rather than attempting partial remediation

Once kernel integrity is lost, the system cannot be trusted.

Defensive Recommendations

To reduce exposure to this class of threat:

  • Enforce strict driver signing and block known vulnerable drivers
  • Enable Secure Boot, VBS, and HVCI where compatible
  • Enable and lock EDR tamper protection
  • Centralize logging so attackers cannot blind detection by killing agents
  • Monitor for driver creation and service manipulation events
  • Treat any attempt to disable endpoint protection as a high-severity incident

Final Thoughts

NtKiller itself may or may not become widely used under that name. That is not the important part. What matters is the continued investment by attackers in tools designed to defeat endpoint defenses before doing anything else.

If your detection strategy relies mainly on malware signatures and known hashes, tools like this will slip through. Behavioral detection, kernel visibility, and response discipline are the only reliable defenses against this category of threat.

For threat hunting guide Please click: https://cyberp1.com/the-kill-switch-phase-how-attackers-disable-edr-and-how-to-catch-them-in-time/

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.