Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules

new: PUA - Kernel Driver Utility (KDU) Execution
new: Devcon Execution Disabling VMware VMCI Device

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-23T03:54:56.824925Z"
+        }
+      },
+      "EventRecordID": 23370,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-23 03:54:56.816",
+      "ProcessGuid": "0197231E-F110-6972-3D16-000000000800",
+      "ProcessId": 12132,
+      "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\devcon.exe",
+      "FileVersion": "10.0.26100.6584 (WinBuild.160101.0800)",
+      "Description": "Device Console",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "DevCon.exe",
+      "CommandLine": "devcon.exe  disable \"ROOT\\VMWVMCIHOSTDEV\"",
+      "CurrentDirectory": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=36A56121DBE964347C859F95E996B26F,SHA256=282FF232C35FCB82DAD2FDAE56C775523409494B175A5A83D7441B5FA65CB3F9,IMPHASH=A0225EB3236EA941773B705076ADA2AF",
+      "ParentProcessGuid": "0197231E-F0B6-6972-3816-000000000800",
+      "ParentProcessId": 4244,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml

@@ -0,0 +1,13 @@
+id: 00d836cd-522f-41c8-b6a5-e1bf5d1d388d
+description: N/A
+date: 2026-01-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
+      title: Devcon Execution Disabling VMware VMCI Device
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx

regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-23T04:01:30.178887Z"
+        }
+      },
+      "EventRecordID": 23388,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-23 04:01:30.177",
+      "ProcessGuid": "0197231E-F29A-6972-6716-000000000800",
+      "ProcessId": 12200,
+      "Image": "C:\\Users\\xodih\\Downloads\\kdu.exe",
+      "FileVersion": "1.1.1.2105",
+      "Description": "Kernel Driver Utility",
+      "Product": "KDU",
+      "Company": "UG North",
+      "OriginalFileName": "Hamakaze.exe",
+      "CommandLine": "\"C:\\Users\\xodih\\Downloads\\kdu.exe\"  -prv 1 -map MyDriver.sys",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000",
+      "LogonId": "0x317fb",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=8ED32ACE2FBCE50296D3A1A16D963BA7,SHA256=5A08ECB2FAD5D5C701B4EC42BD0FAB7B7B4616673B2D8FBD76557203C5340A0F,IMPHASH=404E2902C47CF33EE0616252BFBCF67B",
+      "ParentProcessGuid": "0197231E-F25A-6972-5F16-000000000800",
+      "ParentProcessId": 13764,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml

@@ -0,0 +1,13 @@
+id: 199a332f-7017-4afa-81a4-407fb5cc345d
+description: N/A
+date: 2026-01-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: e76ca062-4de0-4d79-8d90-160a0d335eca
+      title: PUA - Kernel Driver Utility (KDU) Execution
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx

rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml

@@ -0,0 +1,39 @@
+title: Devcon Execution Disabling VMware VMCI Device
+id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
+status: experimental
+description: |
+    Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
+    This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
+    This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
+references:
+    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
+    - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
+    - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
+    - https://huntress.com/blog/esxi-vm-escape-exploit
+author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+date: 2026-01-02
+tags:
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.privilege-escalation
+    - attack.t1543.003
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\devcon.exe'
+        - OriginalFileName: 'DevCon.exe'
+    selection_action:
+        CommandLine|contains: ' disable '
+    selection_vmci_pci:
+        CommandLine|contains:
+            - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
+            - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
+    condition: all of selection_*
+falsepositives:
+    - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
+    - Automated scripts in virtualized environments for device cleanup.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml

rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml

@@ -0,0 +1,36 @@
+title: PUA - Kernel Driver Utility (KDU) Execution
+id: e76ca062-4de0-4d79-8d90-160a0d335eca
+status: experimental
+description: |
+    Detects execution of the Kernel Driver Utility (KDU) tool.
+    KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
+    Potentially allowing for privilege escalation, persistence, or evasion of security controls.
+references:
+    - https://github.com/h4rmy/KDU
+    - https://huntress.com/blog/esxi-vm-escape-exploit
+author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+date: 2026-01-02
+tags:
+    - attack.persistence
+    - attack.privilege-escalation
+    - attack.t1543.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\kdu.exe'
+              - '\hamakaze.exe'
+        - OriginalFileName: 'hamakaze.exe'
+    selection_cli_suspicious:
+        CommandLine|contains:
+            - '-map ' # map driver to the kernel and execute it entry point
+            - '-prv ' # optional, select vulnerability driver provider
+            - '-dse ' # write user defined value to the system DSE state flags; dse=0(disable),dse=1(enable)
+            - '-ps ' #  modify process object of given ProcessID;
+    condition: all of selection_*
+falsepositives:
+    - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml