title: WinDbg/CDB LOLBIN Usage
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
    - https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali
date: 2019/10/26
modified: 2023/01/04
tags:
    - attack.execution
    - attack.t1106
    - attack.defense_evasion
    - attack.t1218
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cdb.exe'
        - OriginalFileName: 'CDB.Exe'
    selection_cli:
        CommandLine|contains:
            - ' -c ' # Using a debugger script
            - ' -cf '
    condition: all of selection*
falsepositives:
    - Legitimate use of debugging tools
level: medium