LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
Sigma rule
```yaml
title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\livekd.dmp'
    condition: selection
falsepositives:
    - On rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
```
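As an added example (not part of the rule or of the Sigma project), the following Python evaluator applies this rule's selection to constructed file-creation records using Sigma's default string semantics (case-insensitive, exact match because the value carries no wildcard). The event fields, process paths and sample records are assumptions made for the demonstration; the last record shows that a dump written to a non-default path is outside what this rule covers.

```python
"""Evaluate the LiveKD dump-file Sigma rule over constructed file_event records."""
from dataclasses import dataclass

# Selection value taken from the rule above. Sigma string matching is
# case-insensitive and, without a wildcard, requires a whole-value match.
LIVEKD_DUMP_PATH = r"C:\Windows\livekd.dmp"
RULE_TAGS = ["attack.defense-evasion", "attack.privilege-escalation"]


@dataclass
class FileEvent:
    """Minimal file-creation event, modelled on Sysmon Event ID 11 (constructed)."""
    image: str            # process that created the file
    target_filename: str  # full path of the created file
    user: str


def sigma_str_match(value: str, pattern: str) -> bool:
    """Plain Sigma string comparison: case-insensitive, exact value (no wildcards here)."""
    return value.lower() == pattern.lower()


def rule_matches(event: FileEvent) -> bool:
    """condition: selection  ->  TargetFilename equals the default LiveKD dump path."""
    return sigma_str_match(event.target_filename, LIVEKD_DUMP_PATH)


def triage(events):
    """Return the events the rule fires on, tagged with the rule's tactics and level."""
    hits = []
    for ev in events:
        if rule_matches(ev):
            hits.append({"image": ev.image, "user": ev.user, "target": ev.target_filename,
                         "tags": RULE_TAGS, "level": "high"})
    return hits


# Constructed sample events (not real telemetry); image paths are hypothetical.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Tools\livekd64.exe", r"C:\Windows\livekd.dmp", "CONTOSO\\admin"),
    FileEvent(r"C:\Windows\System32\svchost.exe", r"c:\windows\LIVEKD.DMP", "NT AUTHORITY\\SYSTEM"),
    FileEvent(r"C:\Windows\System32\WerFault.exe", r"C:\Windows\MEMORY.DMP", "NT AUTHORITY\\SYSTEM"),
    FileEvent(r"C:\Tools\livekd64.exe", r"C:\Temp\livekd.dmp", "CONTOSO\\admin"),  # non-default path
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The second record fires despite its different casing, which is the behaviour a Sigma backend should produce; the fourth record illustrates why the false-positive note asks for additional filters rather than relying on the default path alone.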