Detection · high · experimental
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass Driver Signature Enforcement (DSE) and load unsigned or malicious drivers into the Windows kernel, potentially allowing privilege escalation, persistence, or evasion of security controls.
Authors: Matt Anderson, Dray Agha, Anna Pham (Huntress) · Created Fri Jan 02 · Rule ID e76ca062-4de0-4d79-8d90-160a0d335eca · Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith:
              - '\kdu.exe'
              - '\hamakaze.exe'
        - OriginalFileName: 'hamakaze.exe'
    selection_cli_suspicious:
        CommandLine|contains:
            - '-map ' # map driver to the kernel and execute its entry point
            - '-prv ' # optional, select vulnerable driver provider
            - '-dse ' # write user defined value to the system DSE state flags; dse=0 (disable), dse=1 (enable)
            - '-ps '  # modify process object of given ProcessID
    condition: all of selection_*
False Positives
Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
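To show how the two selectors combine, here is an added Python re-implementation of this rule's matching logic run over a few constructed process-creation events; it is example code written for this page, not part of the Sigma rule or any backend. It assumes Sigma's default case-insensitive string matching and the field names used in the rule (Image, OriginalFileName, CommandLine).

```python
# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # KDU run under its own name with a driver-mapping command line: should match.
    {"Image": r"C:\Tools\kdu.exe", "OriginalFileName": "kdu.exe",
     "CommandLine": r"kdu.exe -prv 1 -map C:\Tools\unsigned.sys"},
    # Unrelated binary whose arguments happen to contain "-map ": image selector fails.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir -map "},
    # Renamed binary: Image no longer ends with the known names, but the PE
    # OriginalFileName still identifies it, and "-dse 0" is a DSE-tampering flag.
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "hamakaze.exe",
     "CommandLine": "renamed.exe -dse 0"},
    # KDU started without any of the suspicious flags: CLI selector fails.
    {"Image": r"C:\Tools\kdu.exe", "OriginalFileName": "kdu.exe",
     "CommandLine": "kdu.exe"},
]

IMAGE_SUFFIXES = ("\\kdu.exe", "\\hamakaze.exe")
ORIGINAL_FILE_NAME = "hamakaze.exe"
# Trailing spaces are part of the rule's values, so "-map" only counts when
# it is followed by an argument.
CLI_MARKERS = ("-map ", "-prv ", "-dse ", "-ps ")


def selection_img(event: dict) -> bool:
    """selection_img is a YAML list of two maps, so the two entries are OR-ed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original == ORIGINAL_FILE_NAME


def selection_cli_suspicious(event: dict) -> bool:
    """CommandLine|contains with a value list: any one marker is enough."""
    cmdline = event.get("CommandLine", "").lower()
    return any(marker in cmdline for marker in CLI_MARKERS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> both selectors must hold."""
    return selection_img(event) and selection_cli_suspicious(event)


def evaluate(events: list) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    print("matching events:", evaluate(SAMPLE_EVENTS))  # [0, 2]
```

The second and fourth events show why the AND condition matters: an argument substring alone, or the tool name alone, does not fire the rule, while the third event shows OriginalFileName catching a renamed copy.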
MITRE ATT&CK
Sub-technique: T1543.003 (Create or Modify System Process: Windows Service); tactics: Persistence, Privilege Escalation
Rule Metadata
Rule ID
e76ca062-4de0-4d79-8d90-160a0d335eca
Status
experimental
Level
high
Type
Detection
Created
Fri Jan 02
Path
rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml
Raw Tags
attack.persistence
attack.privilege-escalation
attack.t1543.003