LoFP / Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)

Techniques

Sample rules

Use of Remote.exe

Description

Remote.exe ships with WinDbg as part of the Windows SDK (Debugging Tools for Windows). Because it is a signed Microsoft binary that spawns a child process, it can be abused for application allowlisting (AWL) bypass and for running remotely hosted files, so process creation of remote.exe is alerted on even though approved SDK installs produce legitimate executions.

Detection logic

detection:
    selection:
        - Image|endswith: '\remote.exe'
        - OriginalFileName: 'remote.exe'
    condition: selection
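The following is an added example, not code from the LoFP page or from the Sigma project. It evaluates the selection above (a Sigma list of maps is OR-ed, and Sigma string matching is case-insensitive) against a few constructed process-creation events, then applies a path allowlist for approved Windows SDK installs, which is the false-positive source this entry documents. The field names, the `ProcessEvent` class, the `triage` helper and the allowlisted install paths are assumptions made for the example; the paths are where the SDK's Debugging Tools normally land, but they should be adjusted to the environment.

```python
"""Evaluate the 'Use of Remote.exe' selection and filter approved SDK installs.

Added example for the LoFP entry; not part of the page or of the Sigma rule.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation event (constructed; field names are assumptions)."""
    image: str
    original_file_name: str


def matches_selection(ev: ProcessEvent) -> bool:
    """Sigma selection: Image|endswith '\\remote.exe' OR OriginalFileName 'remote.exe'.

    Sigma compares strings case-insensitively, so both sides are lowercased.
    The OriginalFileName clause still fires when the binary has been renamed.
    """
    image = ev.image.lower()
    return image.endswith("\\remote.exe") or ev.original_file_name.lower() == "remote.exe"


# Assumed approved install roots for Debugging Tools for Windows (WinDbg);
# tune to where the SDK is actually deployed in the environment.
APPROVED_PREFIXES = (
    "c:\\program files (x86)\\windows kits\\10\\debuggers\\",
    "c:\\program files\\windows kits\\10\\debuggers\\",
)


def is_approved_install(ev: ProcessEvent) -> bool:
    """True when the executing image lives under an approved SDK install path."""
    return ev.image.lower().startswith(APPROVED_PREFIXES)


def triage(events: List[ProcessEvent]) -> Tuple[List[ProcessEvent], List[ProcessEvent]]:
    """Split rule hits into (alerts, suppressed).

    Events that match the selection but run from an approved install path are
    suppressed as the documented false positive; every other hit is alerted.
    A renamed copy outside the SDK directory is not suppressed, because the
    path check never sees an approved prefix for it.
    """
    alerts, suppressed = [], []
    for ev in events:
        if not matches_selection(ev):
            continue
        (suppressed if is_approved_install(ev) else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events: one approved SDK execution, one renamed copy,
# one copy dropped in a temp directory, and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe", "remote.exe"),
    ProcessEvent(r"C:\Users\Public\r.exe", "remote.exe"),
    ProcessEvent(r"C:\Temp\remote.exe", "remote.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT     ", ev.image, "(OriginalFileName:", ev.original_file_name + ")")
    for ev in suppressed:
        print("SUPPRESSED", ev.image, "(approved SDK install)")
```

The suppression is deliberately narrow: it keys on the image path only, so a remote.exe copied anywhere else, or renamed but still carrying its original file name, continues to alert. If the allowlist is widened, pairing the path check with a signature or hash check on the image keeps an attacker from satisfying it by dropping a file into a trusted-looking directory.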