Sigma
Sigma rules for CVE-2016-0957
59 rules · scoped to cve · back to CVE-2016-0957
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
9 of 59
direct
high
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
view Sigma YAML
title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: test
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
- https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
- https://kb.acronis.com/content/60892
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2024-03-13
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\livekd.exe'
- '\livekd64.exe'
- OriginalFileName: 'livekd.exe'
selection_cli:
CommandLine|contains|windash: ' -m'
condition: all of selection_*
falsepositives:
- Unlikely in production environment
level: high
direct
high
Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
view Sigma YAML
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
- attack.discovery
- attack.t1082
logsource:
product: windows
category: process_creation
detection:
selection_plain:
Image|endswith: '\dtrace.exe'
CommandLine|contains: 'lkd(0)'
selection_obfuscated:
CommandLine|contains|all:
- 'syscall:::return'
- 'lkd('
condition: 1 of selection*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
direct
high
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool.
KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
Potentially allowing for privilege escalation, persistence, or evasion of security controls.
view Sigma YAML
title: PUA - Kernel Driver Utility (KDU) Execution
id: e76ca062-4de0-4d79-8d90-160a0d335eca
status: experimental
description: |
Detects execution of the Kernel Driver Utility (KDU) tool.
KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
Potentially allowing for privilege escalation, persistence, or evasion of security controls.
references:
- https://github.com/h4rmy/KDU
- https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\kdu.exe'
- '\hamakaze.exe'
- OriginalFileName: 'hamakaze.exe'
selection_cli_suspicious:
CommandLine|contains:
- '-map ' # map driver to the kernel and execute it entry point
- '-prv ' # optional, select vulnerability driver provider
- '-dse ' # write user defined value to the system DSE state flags; dse=0(disable),dse=1(enable)
- '-ps ' # modify process object of given ProcessID;
condition: all of selection_*
falsepositives:
- Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml
direct
high
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
view Sigma YAML
title: CodeIntegrity - Revoked Kernel Driver Loaded
id: 320fccbf-5e32-4101-82b8-2679c5f007c6
status: test
description: Detects the load of a revoked kernel driver
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
- attack.privilege-escalation
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID:
- 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available.
- 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
condition: selection
falsepositives:
- Unlikely
level: high
direct
high
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
view Sigma YAML
title: CodeIntegrity - Unsigned Kernel Module Loaded
id: 951f8d29-f2f6-48a7-859f-0673ff105e6f
status: test
description: Detects the presence of a loaded unsigned kernel module on the system.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
- attack.privilege-escalation
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available
condition: selection
falsepositives:
- Unlikely
level: high
direct
high
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
view Sigma YAML
title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
status: test
description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
modified: 2023-06-14
tags:
- attack.privilege-escalation
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID:
- 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
- 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
filter_optional_vmware:
FileNameBuffer:
- 'system32\drivers\vsock.sys'
- 'System32\drivers\vmci.sys'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
direct
medium
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
(4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
view Sigma YAML
title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
id: eca5e022-d368-4043-98e5-9736fb01f72f
status: experimental
description: |
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
(4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
references:
- https://man7.org/linux/man-pages/man2/syslog.2.html
- https://man7.org/linux/man-pages/man1/dmesg.1.html
author: Milad Cheraghi
date: 2025-05-27
modified: 2025-12-05
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
-a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
-a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
-a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
-a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
-a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'syslog'
a0:
- 4 # SYSLOG_ACTION_READ_CLEAR : Read and clear log
- 5 # SYSLOG_ACTION_CLEAR: Clear kernel ring buffer (without reading)
- 6 # SYSLOG_ACTION_CONSOLE_OFF: Disable logging to console
condition: selection
falsepositives:
- System administrators or scripts that intentionally clear logs
- Debugging scripts
level: medium
direct
medium
Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
view Sigma YAML
title: Windows Kernel Debugger Execution
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
status: test
description: Detects execution of the Windows Kernel Debugger "kd.exe".
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-04-24
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\kd.exe'
- OriginalFileName: 'kd.exe'
condition: selection
falsepositives:
- Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
level: medium
direct
medium
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
view Sigma YAML
title: New Kernel Driver Via SC.EXE
id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
status: test
description: Detects creation of a new service (kernel driver) with the type "kernel"
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains:
- 'create'
- 'config'
CommandLine|contains|all:
- 'binPath'
- 'type'
- 'kernel'
filter_optional_avira_driver:
- CommandLine|contains|all:
- 'create netprotection_network_filter'
- 'type= kernel start= '
- 'binPath= System32\drivers\netprotection_network_filter'
- 'DisplayName= netprotection_network_filter'
- 'group= PNP_TDI tag= yes'
- CommandLine|contains|all:
- 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys'
- 'type=kernel start=boot error=critical group=Early-Launch'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Rare legitimate installation of kernel drivers via sc.exe
level: medium
Showing 51-59 of 59