diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx
new file mode 100644
index 000000000..85321d3f0
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json
new file mode 100644
index 000000000..17eecfa22
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-01-23T03:54:56.824925Z" + } + }, + "EventRecordID": 23370, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-01-23 03:54:56.816", + "ProcessGuid": "0197231E-F110-6972-3D16-000000000800", + "ProcessId": 12132, + "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\devcon.exe", + "FileVersion": "10.0.26100.6584 (WinBuild.160101.0800)", + "Description": "Device Console", + "Product": "Microsoft® Windows® Operating System", + "Company": "Microsoft Corporation", + "OriginalFileName": "DevCon.exe", + "CommandLine": "devcon.exe disable \"ROOT\\VMWVMCIHOSTDEV\"", + "CurrentDirectory": "C:\\Program Files (x86)\\Windows Kits\\10\\Tools\\10.0.26100.0\\x64\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", + "LogonId": "0x317fb", + "TerminalSessionId": 1, + "IntegrityLevel": "Medium", + "Hashes": "MD5=36A56121DBE964347C859F95E996B26F,SHA256=282FF232C35FCB82DAD2FDAE56C775523409494B175A5A83D7441B5FA65CB3F9,IMPHASH=A0225EB3236EA941773B705076ADA2AF", + "ParentProcessGuid": "0197231E-F0B6-6972-3816-000000000800", + "ParentProcessId": 4244, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
new file mode 100644
index 000000000..de4094479
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
@@ -0,0 +1,13 @@
+id: 00d836cd-522f-41c8-b6a5-e1bf5d1d388d
+description: N/A
+date: 2026-01-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
+ title: Devcon Execution Disabling VMware VMCI Device
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx
new file mode 100644
index 000000000..5529e233c
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.json b/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.json
new file mode 100644
index 000000000..6e8f80ed8
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-01-23T04:01:30.178887Z" + } + }, + "EventRecordID": 23388, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 3208, + "ThreadID": 1724 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-01-23 04:01:30.177", + "ProcessGuid": "0197231E-F29A-6972-6716-000000000800", + "ProcessId": 12200, + "Image": "C:\\Users\\xodih\\Downloads\\kdu.exe", + "FileVersion": "1.1.1.2105", + "Description": "Kernel Driver Utility", + "Product": "KDU", + "Company": "UG North", + "OriginalFileName": "Hamakaze.exe", + "CommandLine": "\"C:\\Users\\xodih\\Downloads\\kdu.exe\" -prv 1 -map MyDriver.sys", + "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-AB9F-67AA-FB17-030000000000", + "LogonId": "0x317fb", + "TerminalSessionId": 1, + "IntegrityLevel": "Medium", + "Hashes": "MD5=8ED32ACE2FBCE50296D3A1A16D963BA7,SHA256=5A08ECB2FAD5D5C701B4EC42BD0FAB7B7B4616673B2D8FBD76557203C5340A0F,IMPHASH=404E2902C47CF33EE0616252BFBCF67B", + "ParentProcessGuid": "0197231E-F25A-6972-5F16-000000000800", + "ParentProcessId": 13764, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml
new file mode 100644
index 000000000..7ec194a0c
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml
@@ -0,0 +1,13 @@
+id: 199a332f-7017-4afa-81a4-407fb5cc345d
+description: N/A
+date: 2026-01-23
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: e76ca062-4de0-4d79-8d90-160a0d335eca
+ title: PUA - Kernel Driver Utility (KDU) Execution
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx
diff --git a/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml b/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml
new file mode 100644
index 000000000..8e8121e56
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml
@@ -0,0 +1,39 @@
+title: Devcon Execution Disabling VMware VMCI Device
+id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
+status: experimental
+description: |
+ Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
+ This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
+ This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
+references:
+ - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
+ - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
+ - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
+ - https://huntress.com/blog/esxi-vm-escape-exploit
+author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+date: 2026-01-02
+tags:
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.privilege-escalation
+ - attack.t1543.003
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\devcon.exe'
+ - OriginalFileName: 'DevCon.exe'
+ selection_action:
+ CommandLine|contains: ' disable '
+ selection_vmci_pci:
+ CommandLine|contains:
+ - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
+ - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
+ condition: all of selection_*
+falsepositives:
+ - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
+ - Automated scripts in virtualized environments for device cleanup.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
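Review bot: `selection_vmci_pci` only fires on the two literal identifiers, but devcon's ID argument accepts wildcard patterns (see the devcon reference already listed), so `devcon disable "*VMCI*"` silences the same device without containing either string; add `- 'VMCI' # also covers wildcard ID patterns such as *VMCI*` to that list, since `selection_img` and `' disable '` already keep it narrow. `devcon remove` takes the device away just as effectively as `disable`, so consider `- ' remove '` alongside `' disable '` in `selection_action` (or a sibling rule) if the intent is to catch loss of the VMCI device rather than the literal verb. The tags `attack.persistence`, `attack.privilege-escalation` and `attack.t1543.003` do not seem to describe disabling a PnP device node — the matched behaviour is defence evasion (`attack.t1562.001`) — so drop them unless the Huntress write-up ties this step to service creation. The description's "hijack communication with the hardware via the VMCI device" is hard to parse; something like "malware removing the legitimate VMCI device before loading its own driver, as seen in the referenced ESXi VM-escape chain" would state the concern concretely, if that is what the reference documents.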
diff --git a/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml b/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml
new file mode 100644
index 000000000..c6fd41fb6
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml
@@ -0,0 +1,36 @@
+title: PUA - Kernel Driver Utility (KDU) Execution
+id: e76ca062-4de0-4d79-8d90-160a0d335eca
+status: experimental
+description: |
+ Detects execution of the Kernel Driver Utility (KDU) tool.
+ KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
+ Potentially allowing for privilege escalation, persistence, or evasion of security controls.
+references:
+ - https://github.com/h4rmy/KDU
+ - https://huntress.com/blog/esxi-vm-escape-exploit
+author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+date: 2026-01-02
+tags:
+ - attack.persistence
+ - attack.privilege-escalation
+ - attack.t1543.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\kdu.exe'
+ - '\hamakaze.exe'
+ - OriginalFileName: 'hamakaze.exe'
+ selection_cli_suspicious:
+ CommandLine|contains:
+ - '-map ' # map driver to the kernel and execute it entry point
+ - '-prv ' # optional, select vulnerability driver provider
+ - '-dse ' # write user defined value to the system DSE state flags; dse=0(disable),dse=1(enable)
+ - '-ps ' # modify process object of given ProcessID;
+ condition: all of selection_*
+falsepositives:
+ - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml
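Review bot: `selection_img` keys only on the file name and `OriginalFileName`, both of which a plain rename or a patched version resource defeats, while the Sysmon fixture added in this same commit also carries `Description: Kernel Driver Utility`, `Product: KDU` and `Company: UG North`, which survive a rename; add `- Description: 'Kernel Driver Utility'` and `- Product: 'KDU'` to the OR list in `selection_img` so the rule has a second pivot. The `falsepositives` entry ("e.g., enabling/disabling hardware") reads as copied from the devcon rule and does not describe anything KDU does; `- Legitimate driver development or security research on a dedicated test machine` fits the tool. The `-map` comment should read `# map driver into the kernel and execute its entry point`. The reference `https://github.com/h4rmy/KDU` looks like a fork — the upstream project is hfiref0x/KDU, published under the UG North name that appears in the fixture's Company field — so confirm the intended link. Because KDU works by loading a vulnerable signed driver (`-prv` picks the provider) and then flipping DSE, `attack.t1068` and `attack.t1562.001` describe the behaviour more accurately than `attack.t1543.003`.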