title: Windows Kernel Debugger Execution
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
status: test
description: Detects execution of the Windows Kernel Debugger "kd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-04-24
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\kd.exe'
        - OriginalFileName: 'kd.exe'
    condition: selection
falsepositives:
    - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
level: medium