Rule Info
Name
PUA - Kernel Driver Utility (KDU) Execution
Author
Matt Anderson, Dray Agha, Anna Pham (Huntress)
Description
Detects execution of the Kernel Driver Utility (KDU) tool.
KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel, potentially allowing privilege escalation, persistence, or evasion of security controls.
Reference
Date
2026-01-02 00:00:00
Modified
None
Id
e76ca062-4de0-4d79-8d90-160a0d335eca
Tags
attack.persistence attack.privilege-escalation attack.t1543.003
Type
Community Rule
Rule History
Author
Matt Anderson
Title
Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules
Date
2026-01-24
Commit
