Techniques
Sample rules
PUA - Kernel Driver Utility (KDU) Execution
- source: sigma
- techniques:
  - t1543
  - t1543.003
Description
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel, potentially allowing privilege escalation, persistence, or evasion of security controls.
Detection logic
selection_img:
    - Image|endswith:
        - '\kdu.exe'
        - '\hamakaze.exe'
    - OriginalFileName: 'hamakaze.exe'
selection_cli_suspicious:
    CommandLine|contains:
        - '-map '
        - '-prv '
        - '-dse '
        - '-ps '
condition: all of selection_*
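As an added example (not part of the Sigma rule or of this page), the following Python evaluates the detection block above against constructed process-creation events. It assumes the rule's field names (Image, OriginalFileName, CommandLine) and Sigma's default case-insensitive string matching; the sample events and argument values are constructed.

```python
# Added example: evaluates the KDU Sigma rule against constructed
# process-creation events. Illustrative only; not a Sigma backend.
from typing import Any, Dict, List

# Values copied from the rule's detection block.
IMAGE_SUFFIXES = ["\\kdu.exe", "\\hamakaze.exe"]
ORIGINAL_FILE_NAMES = ["hamakaze.exe"]
CLI_FRAGMENTS = ["-map ", "-prv ", "-dse ", "-ps "]


def _lower(value: Any) -> str:
    # Sigma string matching is case-insensitive by default, so normalise.
    return str(value or "").lower()


def selection_img(event: Dict[str, Any]) -> bool:
    # A list of maps under one selection is OR-ed: the Image suffix
    # matches, or the PE OriginalFileName matches (catches renamed copies).
    image = _lower(event.get("Image"))
    original = _lower(event.get("OriginalFileName"))
    return any(image.endswith(s) for s in IMAGE_SUFFIXES) or any(
        original == n for n in ORIGINAL_FILE_NAMES)


def selection_cli_suspicious(event: Dict[str, Any]) -> bool:
    # CommandLine|contains with a list is OR-ed over the fragments;
    # the trailing space in each fragment is part of the match.
    cmdline = _lower(event.get("CommandLine"))
    return any(frag in cmdline for frag in CLI_FRAGMENTS)


def rule_matches(event: Dict[str, Any]) -> bool:
    # condition: all of selection_* -> every selection must be true.
    return selection_img(event) and selection_cli_suspicious(event)


# Constructed sample events (not real telemetry); arguments are placeholders.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Renamed binary: Image does not match, but PE OriginalFileName does.
    {"Image": "C:\\Temp\\svc.exe", "OriginalFileName": "Hamakaze.exe",
     "CommandLine": "svc.exe -dse placeholder"},
    # Unrenamed tool with a flagged switch; mixed case still matches.
    {"Image": "C:\\Tools\\KDU.exe", "CommandLine": "kdu.exe -map x.sys"},
    # Right image name but no flagged switch: selection_cli fails.
    {"Image": "C:\\Tools\\kdu.exe", "CommandLine": "kdu.exe"},
    # Flagged switch on an unrelated binary: selection_img fails.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd -ps 1"},
]


def matching_indexes(events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> List[int]:
    return [i for i, e in enumerate(events) if rule_matches(e)]
```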