Execution via Windows Command Debugging Utility
editExecution via Windows Command Debugging Utility
editAn adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.
Rule type: eql
Rule indices:
- logs-endpoint.events.process-*
- logs-windows.sysmon_operational-*
- endgame-*
- logs-sentinel_one_cloud_funnel.*
- logs-m365_defender.event-*
- logs-system.security-*
- logs-crowdstrike.fdr*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Data Source: Sysmon
- Data Source: SentinelOne
- Data Source: Microsoft Defender for Endpoint
- Data Source: Crowdstrike
Version: 102
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where host.os.type == "windows" and event.type == "start" and (?process.pe.original_file_name == "CDB.Exe" or process.name : "cdb.exe") and process.args : ("-cf", "-c", "-pd") and not process.executable : ( "?:\\Program Files (x86)\\*\\cdb.exe", "?:\\Program Files\\*\\cdb.exe", "\\Device\\HarddiskVolume?\\Program Files (x86)\\*\\cdb.exe", "\\Device\\HarddiskVolume?\\Program Files\\*\\cdb.exe" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: System Binary Proxy Execution
- ID: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/