Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Sigma rule (View on GitHub)
1title: Windows Kernel Debugger Execution
2id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
3status: test
4description: Detects execution of the Windows Kernel Debugger "kd.exe".
5references:
6 - Internal Research
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/15
9modified: 2024/04/24
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\kd.exe'
19 - OriginalFileName: 'kd.exe'
20 condition: selection
21falsepositives:
22 - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
23level: medium
References
Related rules
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
- HackTool - CoercedPotato Execution
- LiveKD Driver Creation
- LiveKD Driver Creation By Uncommon Process
- LiveKD Kernel Memory Dump File Created