Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules

new: PUA - Kernel Driver Utility (KDU) Execution new: Devcon Execution Disabling VMware VMCI Device --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-01-24 05:36:29 -06:00
parent 01b23770b8
commit 30aebbb65c
8 changed files with 233 additions and 0 deletions
@@ -0,0 +1,39 @@
+title: Devcon Execution Disabling VMware VMCI Device
+id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
+status: experimental
+description: |
+    Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
+    This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
+    This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
+references:
+    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
+    - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
+    - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
+    - https://huntress.com/blog/esxi-vm-escape-exploit
+author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+date: 2026-01-02
+tags:
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.privilege-escalation
+    - attack.t1543.003
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\devcon.exe'
+        - OriginalFileName: 'DevCon.exe'
+    selection_action:
+        CommandLine|contains: ' disable '
+    selection_vmci_pci:
+        CommandLine|contains:
+            - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
+            - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
+    condition: all of selection_*
+falsepositives:
+    - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
+    - Automated scripts in virtualized environments for device cleanup.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
@@ -0,0 +1,36 @@
+title: PUA - Kernel Driver Utility (KDU) Execution
+id: e76ca062-4de0-4d79-8d90-160a0d335eca
+status: experimental
+description: |
+    Detects execution of the Kernel Driver Utility (KDU) tool.
+    KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
+    Potentially allowing for privilege escalation, persistence, or evasion of security controls.
+references:
+    - https://github.com/h4rmy/KDU
+    - https://huntress.com/blog/esxi-vm-escape-exploit
+author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+date: 2026-01-02
+tags:
+    - attack.persistence
+    - attack.privilege-escalation
+    - attack.t1543.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\kdu.exe'
+              - '\hamakaze.exe'
+        - OriginalFileName: 'hamakaze.exe'
+    selection_cli_suspicious:
+        CommandLine|contains:
+            - '-map ' # map driver to the kernel and execute it entry point
+            - '-prv ' # optional, select vulnerability driver provider
+            - '-dse ' # write user defined value to the system DSE state flags; dse=0(disable),dse=1(enable)
+            - '-ps ' #  modify process object of given ProcessID;
+    condition: all of selection_*
+falsepositives:
+    - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml