Detection rules › Sigma
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel. Potentially allowing for privilege escalation, persistence, or evasion of security controls.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\hamakaze.exe'
Image|endswith: '\kdu.exe'
OriginalFileName: hamakaze.exe
Stage 2: all of selection_cli_suspicious
or:
CommandLine|contains: '-dse '
CommandLine|contains: '-map '
CommandLine|contains: '-prv '
CommandLine|contains: '-ps '
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|