← Back to Explore
sigmamediumHunting
Potential Binary Proxy Execution Via Cdb.EXE
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
Detection Query
selection_img:
- Image|endswith: \cdb.exe
- OriginalFileName: CDB.Exe
selection_cli:
CommandLine|contains:
- " -c "
- " -cf "
condition: all of selection*
Author
Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Created
2019-10-26
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1106attack.defense-evasionattack.t1218attack.t1127
Raw Content
title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
- https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
- attack.execution
- attack.t1106
- attack.defense-evasion
- attack.t1218
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cdb.exe'
- OriginalFileName: 'CDB.Exe'
selection_cli:
CommandLine|contains:
- ' -c ' # Using a debugger script
- ' -cf '
condition: all of selection*
falsepositives:
- Legitimate use of debugging tools
level: medium