Execution via Windows Command Debugging Utility

An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks for those instances in which the cdb.exe binary is located outside of the normal WindowsKit installation paths.


# Elastic prebuilt detection rule (TOML). Alerts when the Windows debugger
# cdb.exe is started with command/script-execution switches from a location
# other than its expected install path, a known living-off-the-land pattern.
[metadata]
creation_date = "2024/07/24"
# Integrations whose data streams the rule searches; one `index` pattern each.
integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/11/02"

[rule]
author = ["Elastic"]
description = """
An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks
for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
"""
# Start of the query time window for each rule execution, relative to now.
from = "now-9m"
# Data streams searched, matching the integrations declared in [metadata].
index = [
  "logs-endpoint.events.process-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-m365_defender.event-*",
  "logs-system.security-*",
  "logs-crowdstrike.fdr*"
]
language = "eql"
license = "Elastic License v2"
name = "Execution via Windows Command Debugging Utility"
# LOLBAS entry documenting how cdb.exe is abused.
references = ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"]
# 47 is the score that corresponds to the "medium" severity band; keep the
# two in sync if tuning.
risk_score = 47
rule_id = "bdfaddc4-4438-48b4-bc43-9f5cf8151c46"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Crowdstrike"
]
# Evaluate the window against ingest time rather than event time so that
# events arriving late are not missed by the lookback above.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL). The TOML literal string ('''...''') keeps the text
# verbatim; the doubled backslashes are EQL string escapes, not TOML ones.
#  - process start events on Windows hosts;
#  - the binary is cdb.exe by process name or by PE original file name. The
#    leading `?` marks the field optional so sources that do not populate it
#    do not error; the original_file_name check also catches a renamed copy;
#  - the arguments include one of the debugger switches listed in the LOLBAS
#    reference for command/script execution;
#  - the executable is not under Program Files / Program Files (x86). The
#    "\Device\HarddiskVolume?" forms cover paths reported as NT device paths
#    instead of drive letters.
# NOTE(review): the exclusion is wider than the "WindowsKit installation
# paths" named in the description: any *\cdb.exe anywhere below Program Files
# is excluded. If cdb.exe is only ever installed under the Windows Kits tree in
# your environment, consider narrowing the wildcard when tuning this rule.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and
  process.args : ("-cf", "-c", "-pd") and
  not process.executable : (
        "?:\\Program Files (x86)\\*\\cdb.exe",
        "?:\\Program Files\\*\\cdb.exe",
        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe",
        "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe"
  )
'''


# ATT&CK mapping: proxying execution through a signed system binary.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
