Execution via Windows Command Debugging Utility

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: SentinelOne Data Source: Microsoft Defender for Endpoint  ·
Share on: linkedin copy

An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/07/24"
 3integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 6min_stack_version = "8.14.0"
 7updated_date = "2024/10/15"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks
13for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Execution via Windows Command Debugging Utility"
20references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"]
21risk_score = 47
22rule_id = "bdfaddc4-4438-48b4-bc43-9f5cf8151c46"
23setup = """## Setup
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "medium"
32tags = [
33    "Domain: Endpoint",
34    "OS: Windows",
35    "Use Case: Threat Detection",
36    "Tactic: Defense Evasion",
37    "Data Source: Elastic Endgame",
38    "Data Source: Elastic Defend",
39    "Data Source: Sysmon",
40    "Data Source: SentinelOne",
41    "Data Source: Microsoft Defender for Endpoint"
42]
43timestamp_override = "event.ingested"
44type = "eql"
45
46query = '''
47process where host.os.type == "windows" and event.type == "start" and
48 (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and
49  process.args : ("-cf", "-c", "-pd") and
50  not process.executable : ("?:\\Program Files (x86)\\*\\cdb.exe", "?:\\Program Files\\*\\cdb.exe")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1218"
58name = "System Binary Proxy Execution"
59reference = "https://attack.mitre.org/techniques/T1218/"
60
61
62
63[rule.threat.tactic]
64id = "TA0005"
65name = "Defense Evasion"
66reference = "https://attack.mitre.org/tactics/TA0005/"

References

  • Cdb on LOLBAS

    Cdb.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

Related rules

to-top