security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80098113d06750ddb9ab275d7df1049f88d4ea7c
blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_cdb.yml
T
Nasreddine Bencherchali 12d187bc91 Update Ref+Selection 2
2022-07-11 17:48:40 +01:00

33 lines
1.0 KiB
YAML
Raw Blame History

title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Launch 64-bit shellcode from a debugger script file using cdb.exe.
author: Beyu Denis, oscd.community, Nasreddine Bencherchali
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- https://twitter.com/nas_bench/status/1534957360032120833
date: 2019/10/26
modified: 2022/06/09
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cdb.exe'
- OriginalFileName: 'CDB.Exe'
selection_cli:
CommandLine|contains:
- ' -c ' # Using a debugger script
- ' -cf '
condition: all of selection*
falsepositives:
- Legitimate use of debugging tools
level: medium
tags:
- attack.execution
- attack.t1106
- attack.defense_evasion
- attack.t1218
- attack.t1127
Reference in New Issue View Git Blame Copy Permalink