Execution via Windows Command Debugging Utility

Elastic Detection Rules

Summary
This detection rule monitors execution of the Windows command-line debugging utility, cdb.exe, specifically when it is launched from outside its standard installation paths. The rule matters because adversaries can abuse cdb.exe to execute unauthorized commands or shellcode, particularly for defense evasion. It uses an EQL (Event Query Language) query to identify cdb.exe being executed with specific command-line arguments ('-cf', '-c', '-pd') while excluding instances started from the standard installation locations. Detection draws on logs from several sources, including endpoint events and security monitoring data. A risk score of 47 signals a moderate level of concern: this behavior can be legitimate, but it may indicate malicious intent if cdb.exe is launched unexpectedly. Responders are guided through investigation and response steps to manage potential threats, including reviewing the process creation details, investigating the parent process, and checking command-line arguments for legitimacy. Additional notes on false positives and response strategies provide context for effective triage.
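The following is an added example, not code from this page or from Elastic's rule repository. It emulates the logic the summary describes (cdb.exe started with -cf, -c or -pd from outside the standard install paths) in Python over constructed ECS-style process-start events, and returns the details the summary says an investigator should review: executable path, argument list and parent process. Three things are assumptions rather than text from the page: the "standard installation paths" are taken to be the Debugging Tools for Windows / Windows SDK directories under Program Files, the event field names follow the Elastic Common Schema layout, and a check of process.pe.original_file_name is included so a copied and renamed cdb.exe still matches.

```python
import fnmatch

# Command-line switches the summary names as the trigger: -cf (run a script
# file), -c (run commands at start), -pd (detach from the target process).
TRIGGER_ARGS = {"-cf", "-c", "-pd"}

# ASSUMPTION: standard installation paths are the Debugging Tools for Windows /
# Windows SDK directories under Program Files. The rule's real exclusion list is
# not shown on the page; these patterns use Elastic-style wildcards (? and *).
STANDARD_PATH_PATTERNS = (
    r"?:\Program Files\*\cdb.exe",
    r"?:\Program Files (x86)\*\cdb.exe",
)


def is_standard_path(executable: str) -> bool:
    """True when the executable sits under one of the assumed install locations."""
    exe = executable.lower()
    return any(fnmatch.fnmatchcase(exe, pat.lower()) for pat in STANDARD_PATH_PATTERNS)


def matches_rule(event: dict) -> bool:
    """Emulate the rule's conditions for one ECS-style process-start event.

    The original_file_name comparison is an added hardening (assumption): it keeps
    the match when the binary has been copied under a different file name.
    """
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    name = (proc.get("name") or "").lower()
    original = (proc.get("pe", {}).get("original_file_name") or "").lower()
    if name != "cdb.exe" and original != "cdb.exe":
        return False
    args = {a.lower() for a in proc.get("args", [])}
    if not args & TRIGGER_ARGS:
        return False
    return not is_standard_path(proc.get("executable", ""))


def triage(events):
    """Collect, for every hit, the fields the summary tells a responder to review."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        proc = ev["process"]
        hits.append({
            "executable": proc.get("executable"),
            "args": proc.get("args", []),
            "parent": proc.get("parent", {}).get("executable"),
        })
    return hits


# Constructed sample events (not real telemetry) in ECS field layout.
SAMPLE_EVENTS = [
    {   # Debugger run from its SDK install directory: expected to be excluded.
        "host": {"os": {"type": "windows"}}, "event": {"type": "start"},
        "process": {
            "name": "cdb.exe",
            "executable": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
            "args": ["cdb.exe", "-c", "g", "-p", "1234"],
            "pe": {"original_file_name": "CDB.Exe"},
            "parent": {"executable": r"C:\Windows\System32\cmd.exe"},
        },
    },
    {   # Copy in a user-writable folder running a script file: should fire.
        "host": {"os": {"type": "windows"}}, "event": {"type": "start"},
        "process": {
            "name": "cdb.exe",
            "executable": r"C:\Users\Public\cdb.exe",
            "args": ["cdb.exe", "-cf", r"C:\Users\Public\script.wds"],
            "pe": {"original_file_name": "CDB.Exe"},
            "parent": {"executable": r"C:\Windows\System32\cmd.exe"},
        },
    },
    {   # Renamed copy; still matches through original_file_name (added check).
        "host": {"os": {"type": "windows"}}, "event": {"type": "start"},
        "process": {
            "name": "dbg.exe",
            "executable": r"C:\Temp\dbg.exe",
            "args": ["dbg.exe", "-pd", "-p", "4321"],
            "pe": {"original_file_name": "CDB.Exe"},
            "parent": {"executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
        },
    },
    {   # Non-standard path but none of the trigger switches: no match.
        "host": {"os": {"type": "windows"}}, "event": {"type": "start"},
        "process": {
            "name": "cdb.exe",
            "executable": r"C:\Tools\cdb.exe",
            "args": ["cdb.exe", "-?"],
            "pe": {"original_file_name": "CDB.Exe"},
            "parent": {"executable": r"C:\Windows\explorer.exe"},
        },
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The wildcard matching deliberately lets `*` span path separators, as Elastic's wildcard does, so a debugger installed under any Windows Kits version is excluded; the trade-off is that anything under Program Files named cdb.exe is excluded too, which is the false-positive boundary the rule's own notes ask responders to keep in mind.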
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • Application Log
  • Windows Registry
  • Network Traffic
  • Container
ATT&CK Techniques
  • T1218
Created: 2024-07-24