EXPLORE
Sign In
← Back to Explore
sigmahighHunting

PUA - Kernel Driver Utility (KDU) Execution

Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel. Potentially allowing for privilege escalation, persistence, or evasion of security controls.

MITRE ATT&CK

T1543.003
persistenceprivilege-escalation

Detection Query

selection_img:
  - Image|endswith:
      - \kdu.exe
      - \hamakaze.exe
  - OriginalFileName: hamakaze.exe
selection_cli_suspicious:
  CommandLine|contains:
    - "-map "
    - "-prv "
    - "-dse "
    - "-ps "
condition: all of selection_*

Author

Matt Anderson, Dray Agha, Anna Pham (Huntress)

Created

2026-01-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.persistenceattack.privilege-escalationattack.t1543.003
Raw Content
title: PUA - Kernel Driver Utility (KDU) Execution
id: e76ca062-4de0-4d79-8d90-160a0d335eca
status: experimental
description: |
    Detects execution of the Kernel Driver Utility (KDU) tool.
    KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
    Potentially allowing for privilege escalation, persistence, or evasion of security controls.
references:
    - https://github.com/h4rmy/KDU
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\kdu.exe'
              - '\hamakaze.exe'
        - OriginalFileName: 'hamakaze.exe'
    selection_cli_suspicious:
        CommandLine|contains:
            - '-map ' # map driver to the kernel and execute it entry point
            - '-prv ' # optional, select vulnerability driver provider
            - '-dse ' # write user defined value to the system DSE state flags; dse=0(disable),dse=1(enable)
            - '-ps ' #  modify process object of given ProcessID;
    condition: all of selection_*
falsepositives:
    - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml