PUA - Kernel Driver Utility (KDU) Execution

Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel, potentially allowing for privilege escalation, persistence, or evasion of security controls.

Sigma rule

title: PUA - Kernel Driver Utility (KDU) Execution
id: e76ca062-4de0-4d79-8d90-160a0d335eca
status: experimental
description: |
    Detects execution of the Kernel Driver Utility (KDU) tool.
    KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
    Potentially allowing for privilege escalation, persistence, or evasion of security controls.
references:
    - https://github.com/h4rmy/KDU
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\kdu.exe'
              - '\hamakaze.exe'
        - OriginalFileName: 'hamakaze.exe'
    selection_cli_suspicious:
        CommandLine|contains:
            - '-map ' # map driver to the kernel and execute its entry point
            - '-prv ' # optional, select vulnerable driver provider
            - '-dse ' # write user defined value to the system DSE state flags; dse=0(disable),dse=1(enable)
            - '-ps ' # modify process object of given ProcessID
    condition: all of selection_*
falsepositives:
    - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml
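To make the rule's matching semantics concrete, here is an added Python re-implementation of its detection logic (this is illustrative code written for this page, not part of the Sigma rule or of the KDU project) run over a handful of constructed process_creation events. It shows the three things that matter when tuning or porting the rule: `selection_img` is a list of two maps, which Sigma ORs together, so a renamed binary is still caught via its PE OriginalFileName; Sigma string modifiers are case-insensitive; and every command-line fragment carries a trailing space, so the switch must be followed by a value. The event field names (Image, OriginalFileName, CommandLine) follow the rule; the sample paths and command lines are constructed.

```python
"""Plain-Python rendering of the KDU Sigma rule, run over constructed events.

Sigma string matching is case-insensitive by default, so every comparison
lowercases both the event field and the pattern.
"""

# Patterns copied from the rule's selections (lowercased for comparison).
IMAGE_SUFFIXES = ("\\kdu.exe", "\\hamakaze.exe")
ORIGINAL_FILENAMES = ("hamakaze.exe",)
CLI_FRAGMENTS = ("-map ", "-prv ", "-dse ", "-ps ")


def selection_img(event: dict) -> bool:
    """selection_img is a YAML list of two maps; Sigma ORs list items.
    Either the image path ends with one of the suffixes, or the PE
    OriginalFileName is hamakaze.exe (survives renaming the binary)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILENAMES


def selection_cli_suspicious(event: dict) -> bool:
    """CommandLine|contains with a list matches if ANY fragment is present.
    The trailing space is part of each fragment, so '-map' alone at the end
    of a command line does not match; '-map C:\\x.sys' does."""
    cmd = event.get("CommandLine", "").lower()
    return any(frag in cmd for frag in CLI_FRAGMENTS)


def matches(event: dict) -> bool:
    """condition: all of selection_*  ->  both selections must hold."""
    return selection_img(event) and selection_cli_suspicious(event)


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    {   # 0: binary renamed to look benign, OriginalFileName still fires
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "hamakaze.exe",
        "CommandLine": r"svchost.exe -prv 1 -map C:\Users\Public\drv.sys",
    },
    {   # 1: kdu.exe by name, toggling the DSE flag
        "Image": r"C:\Tools\kdu.exe",
        "OriginalFileName": "hamakaze.exe",
        "CommandLine": "KDU.EXE -DSE 0",   # mixed case still matches
    },
    {   # 2: kdu.exe with a switch the rule does not list -> no alert
        "Image": r"C:\Tools\kdu.exe",
        "OriginalFileName": "hamakaze.exe",
        "CommandLine": "kdu.exe -list",
    },
    {   # 3: hypothetical unrelated tool using '-map ' -> image check fails
        "Image": r"C:\Tools\mapper.exe",
        "OriginalFileName": "mapper.exe",
        "CommandLine": r"mapper.exe -map C:\data.bin",
    },
    {   # 4: '-ps' with no trailing space/value -> fragment '-ps ' misses
        "Image": r"C:\Tools\kdu.exe",
        "OriginalFileName": "hamakaze.exe",
        "CommandLine": "kdu.exe -ps",
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in run():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 1 alert; events 2 through 4 do not. Event 4 is the one to keep in mind when porting the rule to a backend that trims tokens: the trailing space in `'-ps '` is what stops it from matching unrelated switches such as `-psx`.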
