Detectionmediumtest

Windows Kernel Debugger Execution

Detects execution of the Windows Kernel Debugger "kd.exe".

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon May 15Updated Wed Apr 2427ee9438-90dc-4bef-904b-d3ef927f5e7ewindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\kd.exe'
        - OriginalFileName: 'kd.exe'
    condition: selection

False Positives

Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

Rule Metadata

Rule ID

27ee9438-90dc-4bef-904b-d3ef927f5e7e

Status

test

Level

medium

Type

Detection

Created

Mon May 15

Modified

Wed Apr 24

Author

Path

rules/windows/process_creation/proc_creation_win_kd_execution.yml

Raw Tags

attack.defense-evasionattack.privilege-escalation