Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Sigma rule
```yaml
title: Windows Kernel Debugger Execution
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
status: test
description: Detects execution of the Windows Kernel Debugger "kd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-04-24
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\kd.exe'
        - OriginalFileName: 'kd.exe'
    condition: selection
falsepositives:
    - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
level: medium
```
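To show how the `selection` block above actually matches, here is an added example (not code from the Sigma project or this rule's author): a minimal evaluator for this rule's two selection items, run over constructed process_creation events. It reproduces two Sigma semantics the YAML alone does not make obvious: a list of maps under a selection is OR-ed, and string comparisons are case-insensitive by default, so a renamed or upper-cased binary is still caught by whichever field survives.

```python
# Added example (not part of the Sigma project or this rule): a minimal
# evaluator for the rule's 'selection' block over constructed events.
SELECTION = [
    {"Image|endswith": "\\kd.exe"},   # item 1: path ends with \kd.exe
    {"OriginalFileName": "kd.exe"},   # item 2: PE original name is kd.exe
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value' pair against an event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    # Sigma string matching is case-insensitive by default.
    actual, expected = actual.lower(), expected.lower()
    if modifier == "":
        return actual == expected
    if modifier == "endswith":
        return actual.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_rule(event, selection=SELECTION):
    """A list of maps is OR-ed; each map's own pairs are AND-ed."""
    return any(
        all(_field_matches(event, k, v) for k, v in item.items())
        for item in selection
    )


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\kd.exe",
     "OriginalFileName": "kd.exe"},                                    # stock install
    {"Image": "C:\\Users\\u\\Desktop\\KD.EXE"},                        # upper-cased, no PE name field
    {"Image": "C:\\Temp\\svchost.exe", "OriginalFileName": "kd.exe"},  # renamed binary, PE name intact
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": "C:\\Tools\\notkd.exe"},                                 # 'kd.exe' without the '\' boundary
]


def evaluate_all(events=EVENTS):
    """Return one boolean per event: True where the rule would fire."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(EVENTS, evaluate_all()):
        print("ALERT " if hit else "      ", ev.get("Image"))
```

The last event shows why the rule anchors on `'\kd.exe'` rather than `'kd.exe'`: the backslash keeps `notkd.exe` from matching the path check.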