Potential Binary Proxy Execution Via Cdb.EXE
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
Sigma rule (View on GitHub)
```yaml
title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
    - https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
    - attack.execution
    - attack.t1106
    - attack.defense-evasion
    - attack.t1218
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cdb.exe'
        - OriginalFileName: 'CDB.Exe'
    selection_cli:
        CommandLine|contains:
            - ' -c '  # Using a debugger script
            - ' -cf '
    condition: all of selection*
falsepositives:
    - Legitimate use of debugging tools
level: medium
```
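The rule has two parts joined by `all of selection*`: the process must be cdb.exe (by image path or, to survive a renamed copy, by `OriginalFileName`), and its command line must carry a `-c` or `-cf` switch, which is how cdb is told to run debugger commands or a command script. The following Python is an added example, not code from the Sigma project or the rule authors; it evaluates that logic the way a Sigma backend would against constructed `process_creation` events, with Sigma's case-insensitive string matching. All events, paths and command lines are made up for the demonstration.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class ProcessEvent:
    """Minimal process_creation event; field names follow Sigma's Windows taxonomy."""
    Image: str
    CommandLine: str
    OriginalFileName: str = ""

def selection_img(ev: ProcessEvent) -> bool:
    # A YAML list under a selection is OR'ed; Sigma string modifiers compare case-insensitively.
    # OriginalFileName (from the PE version resource) still matches when cdb.exe is renamed.
    return (ev.Image.lower().endswith("\\cdb.exe")
            or ev.OriginalFileName.lower() == "cdb.exe")

def selection_cli(ev: ProcessEvent) -> bool:
    # 'contains' with surrounding spaces: '-clines' or '-cfoo' deliberately do not count.
    cl = ev.CommandLine.lower()
    return " -c " in cl or " -cf " in cl

def rule_matches(ev: ProcessEvent) -> bool:
    # condition: all of selection*  -> both selections must hold
    return selection_img(ev) and selection_cli(ev)

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # cdb run with a command file: matches
    ProcessEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
                 r"cdb.exe -cf C:\Users\Public\dbg.txt", "CDB.Exe"),
    # renamed copy caught through OriginalFileName; inline -c commands: matches
    ProcessEvent(r"C:\Users\Public\dbg.exe", 'dbg.exe -c "g; q" notepad.exe', "CDB.Exe"),
    # plain attach to a PID, no script switch: no match
    ProcessEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
                 "cdb.exe -p 4242", "CDB.Exe"),
    # '-clines' is a different switch; the padded ' -c ' pattern rejects it: no match
    ProcessEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
                 "cdb.exe -clines 500 -p 4242", "CDB.Exe"),
    # ' -c ' on an unrelated binary; selection_img fails: no match
    ProcessEvent(r"C:\Python311\python.exe", 'python.exe -c "print(1)"', "python.exe"),
]

def matching_command_lines(events: List[ProcessEvent]) -> List[str]:
    """Return the command lines of every event the rule would alert on."""
    return [ev.CommandLine for ev in events if rule_matches(ev)]

if __name__ == "__main__":
    for cl in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", cl)
```

Two of the five constructed events trigger; the `-clines` and `python -c` cases show why the patterns are padded with spaces and why the image selection is required, which keeps the rule at the stated medium level rather than firing on every `-c` in process telemetry.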
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Created Files by Microsoft Sync Center