WinDbg/CDB LOLBIN Usage
Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file
Sigma rule (View on GitHub)
1title: WinDbg/CDB LOLBIN Usage
2id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
3status: test
4description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
7 - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
8 - https://twitter.com/nas_bench/status/1534957360032120833
9author: Beyu Denis, oscd.community, Nasreddine Bencherchali
10date: 2019/10/26
11modified: 2023/01/04
12tags:
13 - attack.execution
14 - attack.t1106
15 - attack.defense_evasion
16 - attack.t1218
17 - attack.t1127
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\cdb.exe'
24 - OriginalFileName: 'CDB.Exe'
25 selection_cli:
26 CommandLine|contains:
27 - ' -c ' # Using a debugger script
28 - ' -cf '
29 condition: all of selection*
30falsepositives:
31 - Legitimate use of debugging tools
32level: medium
References
-
Debugging tool included with Windows Debugging Tools. Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. cdb.exe -cf x64_calc.wds -o notepad.exe Use caseLocal execution of assembly s...
Read More -
Imagine you’ve gained access to an extremely locked down Windows 10 host running Device Guard . The Device Guard policy is such that all PE...
Read More -
Related rules
- Indirect Command Execution By Program Compatibility Wizard
- NTFS Alternate Data Stream
- Potential PowerShell Downgrade Attack
- SyncAppvPublishingServer Execution to Bypass Powershell Restriction
- Custom Class Execution via Xwizard