Nasreddine Bencherchali
f61c1f4509
update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution update: COM Object Execution via Xwizard.EXE - Update logic update: JScript Compiler Execution - Update metadata update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end. update: Renamed ZOHO Dctask64 Execution - Add additional imphash values update: Windows Kernel Debugger Execution - Reduce level to "medium" update: Xwizard.EXE Execution From Non-Default Location - Update description --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
24 lines
695 B
YAML
24 lines
695 B
YAML
title: Windows Kernel Debugger Execution
|
|
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
|
|
status: test
|
|
description: Detects execution of the Windows Kernel Debugger "kd.exe".
|
|
references:
|
|
- Internal Research
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2023/05/15
|
|
modified: 2024/04/24
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.privilege_escalation
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
- Image|endswith: '\kd.exe'
|
|
- OriginalFileName: 'kd.exe'
|
|
condition: selection
|
|
falsepositives:
|
|
- Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
|
|
level: medium
|