LiveKD Kernel Memory Dump File Created

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Sigma rule

title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/16
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\livekd.dmp'
    condition: selection
falsepositives:
    - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
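As an added example (not part of this rule page or the Sigma project), the Python below applies the rule's detection block to constructed Sysmon Event ID 11 (FileCreate) records. It follows Sigma's plain-string semantics, case-insensitive matching with `*` as the only wildcard, so a backend that compiled `TargetFilename` as a case-sensitive comparison would miss `c:\windows\LIVEKD.DMP`; the helper names and sample events are assumptions, and the wildcard support goes slightly beyond this rule's single literal value.

```python
"""Evaluate the LiveKD dump-file Sigma rule against sample Sysmon Event ID 11 records."""
import re

# Detection block mirrored from the rule above. Sigma compares string values
# case-insensitively; '*' matches any run of characters.
RULE = {
    "selection": {"TargetFilename": r"C:\Windows\livekd.dmp"},
    "condition": "selection",
}


def _value_matches(pattern: str, value: str) -> bool:
    """Sigma plain-string semantics: whole-value, case-insensitive, '*' wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (implicit AND); a list of values is OR."""
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(str(c), str(actual)) for c in candidates):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    # This rule's condition is the bare identifier 'selection', so no expression parsing is needed.
    assert rule["condition"] == "selection"
    return selection_matches(rule["selection"], event)


# Constructed Sysmon FileCreate records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Tools\livekd64.exe", "TargetFilename": r"C:\Windows\livekd.dmp"},
    {"EventID": 11, "Image": r"C:\Tools\livekd64.exe", "TargetFilename": r"c:\windows\LIVEKD.DMP"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\bob\livekd.dmp"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Temp\update.tmp"},
]


def find_hits(events):
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if rule_matches(RULE, e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT LiveKD kernel dump created:", hit)
```

The third sample shows why the rule is an exact-path match: a dump written outside `C:\Windows` is not covered, which is the kind of gap the falsepositives note asks you to weigh when adding filters.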
