Windows Kernel Debugger Execution

Detects execution of the Windows Kernel Debugger "kd.exe". kd.exe is the command-line kernel debugger that ships with the Debugging Tools for Windows (the WinDbg package from the Windows SDK); a debugger attached to a live kernel can read and modify kernel memory and control execution, which is why the rule carries both the defense-evasion and privilege-escalation tags. The selection matches either on the image path or on the PE's OriginalFileName, so a renamed copy is still caught when the log source records OriginalFileName (Sysmon Event ID 1 does; Security Event ID 4688 only records the path). The other debugger front ends in the same package (windbg.exe, cdb.exe, ntsd.exe) are outside this rule's scope.

Sigma rule

title: Windows Kernel Debugger Execution
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
status: test
description: Detects execution of the Windows Kernel Debugger "kd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\kd.exe'
        - OriginalFileName: 'kd.exe'
    condition: selection
falsepositives:
    - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
level: high
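The following is an added example, not part of the rule page or the Sigma project: a minimal evaluator for this rule's `selection` run over a handful of constructed process-creation events. It assumes the events have already been normalized to the field names Sigma uses for the Windows process_creation log source (Image, OriginalFileName, CommandLine, as Sysmon Event ID 1 emits them), and it applies Sigma's default case-insensitive string matching. The sample events, paths and command lines are constructed for this example.

```python
# Added example, not part of the rule page or the Sigma project: a minimal
# evaluator for this rule's `selection` run over constructed process-creation
# events. Field names follow Sysmon Event ID 1 (Image, OriginalFileName,
# CommandLine); the sample events below are constructed for this example.

# Sigma compares strings case-insensitively by default, so both helpers
# lower-case the two sides before comparing. A None value (field absent from
# the log source) never matches.
def sigma_endswith(value, suffix):
    return value is not None and value.lower().endswith(suffix.lower())


def sigma_equals(value, expected):
    return value is not None and value.lower() == expected.lower()


def matches_kd_execution(event):
    """Evaluate the rule's selection against one process-creation event.

    selection:
        - Image|endswith: '\\kd.exe'
        - OriginalFileName: 'kd.exe'

    A list of maps under a single selection is OR-ed in Sigma, so either
    clause alone is enough for a hit.
    """
    return (sigma_endswith(event.get("Image"), "\\kd.exe")
            or sigma_equals(event.get("OriginalFileName"), "kd.exe"))


# Constructed sample events. "sysmon" events carry OriginalFileName (taken from
# the PE version resource); the "4688" events mimic Security Event ID 4688,
# which only records the executed path.
SAMPLE_EVENTS = [
    {   # kd.exe started from its usual Debugging Tools for Windows location
        "id": "sdk-path", "source": "sysmon",
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe",
        "OriginalFileName": "kd.exe",
        "CommandLine": "kd.exe -k net:port=50000,key=1.2.3.4",
    },
    {   # copy of kd.exe renamed to blend in: path misses, OriginalFileName hits
        "id": "renamed-sysmon", "source": "sysmon",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "kd.exe",
        "CommandLine": "svc.exe -k com:port=com1,baud=115200",
    },
    {   # same renamed copy seen only through 4688: no OriginalFileName, so missed
        "id": "renamed-4688", "source": "4688",
        "Image": r"C:\Users\Public\svc.exe",
        "CommandLine": "svc.exe -k com:port=com1,baud=115200",
    },
    {   # upper-case path, no OriginalFileName: endswith is case-insensitive
        "id": "upper-4688", "source": "4688",
        "Image": r"C:\TOOLS\KD.EXE",
        "CommandLine": "KD.EXE -kl",
    },
    {   # unrelated tool whose name merely ends in "kd.exe": the leading
        # backslash in the pattern keeps this from matching
        "id": "substring-benign", "source": "sysmon",
        "Image": r"C:\Tools\mykd.exe",
        "OriginalFileName": "mykd.exe",
        "CommandLine": "mykd.exe --help",
    },
    {   # the GUI front end from the same package is outside this rule's scope
        "id": "windbg", "source": "sysmon",
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
        "OriginalFileName": "windbg.exe",
        "CommandLine": "windbg.exe -k net:port=50000,key=1.2.3.4",
    },
]


def run_rule(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_kd_execution(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT " if matches_kd_execution(event) else "ignore"
        print(f"{verdict} {event['id']:>16} {event['Image']}")
```

Running it alerts on `sdk-path`, `renamed-sysmon` and `upper-4688` and ignores the rest. The `renamed-4688` event is the practical gap to keep in mind: without Sysmon (or another source that exposes OriginalFileName), a renamed kd.exe produces no hit, so the rule's coverage depends on which process-creation telemetry feeds it.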
