Potential AMSI Bypass Attempt Using CDB Debugger

Rule Info

Name
Potential AMSI Bypass Attempt Using CDB Debugger
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential AMSI bypass attempts that use the CDB debugger to manipulate the AmsiScanBuffer function. Running the CDB debugger with the "-cf" flag and a "powershell" command line is not common behavior.
Date
2025-06-10 00:00:00
Modified
None
Id
81d7f3d7-0b83-48ce-b9e9-4a0f72829580
Tags
attack.defense-evasion attack.t1562.001 attack.execution attack.t1059.001
Type
Nextron Sigma feed only (private)

Rule History