Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Sigma rule
title: Windows Kernel Debugger Execution
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
status: test
description: Detects execution of the Windows Kernel Debugger "kd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\kd.exe'
        - OriginalFileName: 'kd.exe'
    condition: selection
falsepositives:
    - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
level: high
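The selection above is a YAML list of two single-key maps, which Sigma evaluates as an OR: the event matches when the process image path ends with `\kd.exe` or when the PE version resource reports an original file name of `kd.exe`. The second clause is what catches a renamed copy of the debugger. The following Python is an added example, not code from the Sigma project or the rule author; it re-implements that selection logic by hand (Sigma string matching is case-insensitive by default, which the helpers reproduce) and runs it over a handful of constructed process-creation events using Sysmon Event ID 1 field names. The paths, users and command lines in the sample events are invented for illustration.

```python
# Added example: hand-written evaluation of the rule's 'selection' logic.
# Not part of Sigma or pySigma; the sample events below are constructed,
# not real telemetry, and only use the fields the rule references.

# Constructed sample process_creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {   # Debugging Tools for Windows install path, debugger run as-is.
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe",
        "OriginalFileName": "kd.exe",
        "User": r"CORP\dev01",
    },
    {   # Renamed binary: the path no longer ends with \kd.exe, but the PE
        # version resource still carries the original name.
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "kd.exe",
        "User": r"CORP\svc_backup",
    },
    {   # Mixed case: Sigma string comparisons are case-insensitive.
        "Image": r"D:\tools\KD.EXE",
        "OriginalFileName": "KD.EXE",
        "User": r"CORP\dev02",
    },
    {   # Lookalike that must NOT match: 'endswith' requires the
        # path separator, so '\notkd.exe' is not '\kd.exe'.
        "Image": r"C:\tools\notkd.exe",
        "OriginalFileName": "notkd.exe",
        "User": r"CORP\dev03",
    },
    {   # Event with no OriginalFileName (e.g. a source that lacks the field):
        # only the Image clause can fire, and here it does not.
        "Image": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\dev04",
    },
]


def _endswith(value: str, suffix: str) -> bool:
    """Sigma '|endswith' modifier: case-insensitive suffix test."""
    return value.lower().endswith(suffix.lower())


def _equals(value: str, expected: str) -> bool:
    """Plain Sigma string field match: case-insensitive equality."""
    return value.lower() == expected.lower()


def matched_clauses(event: dict) -> list:
    """Return the names of the selection clauses this event satisfies.

    Useful for triage: a hit on OriginalFileName alone means the image
    path did not look like kd.exe, i.e. the binary was probably renamed.
    """
    hits = []
    if _endswith(event.get("Image", ""), r"\kd.exe"):
        hits.append("Image")
    if _equals(event.get("OriginalFileName", ""), "kd.exe"):
        hits.append("OriginalFileName")
    return hits


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'condition: selection' (clause OR)."""
    return bool(matched_clauses(event))


def evaluate(events: list) -> list:
    """Run the rule over a list of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in evaluate(SAMPLE_EVENTS):
        print(event["Image"], "->", ", ".join(matched_clauses(event)))
```

Two practical points follow from the example. First, the OriginalFileName clause only helps when the log source actually carries that field: Sysmon process-creation events do, but a source that logs only the image path will catch nothing more than the literal `\kd.exe` suffix. Second, a match that comes solely from OriginalFileName deserves a higher triage priority than one where the debugger runs from its normal Debugging Tools for Windows install location, since a renamed debugger binary is not something a developer doing legitimate kernel debugging would normally produce.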
Related rules
- LiveKD Driver Creation
- LiveKD Driver Creation By Uncommon Process
- LiveKD Kernel Memory Dump File Created
- PUA - System Informer Execution
- Potential Chrome Frame Helper DLL Sideloading