LoFP / rare occasions of legitimate cases where kernel debugging is necessary in production. investigation is required

Techniques

Sample rules

Windows Kernel Debugger Execution

• source: sigma
• technicques:

Description

Detects execution of the Windows Kernel Debugger “kd.exe”.

Detection logic

condition: selection
selection:
- Image|endswith: \kd.exe
- OriginalFileName: kd.exe