LiveKD Driver Creation

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Sigma rule

title: LiveKD Driver Creation
id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
status: test
description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/16
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
        Image|endswith:
            - '\livekd.exe'
            - '\livek64.exe'
    condition: selection
falsepositives:
    - Legitimate usage of LiveKD for debugging purposes will also trigger this
level: medium
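To show how the selection above evaluates, here is an added Python example (not part of the SigmaHQ rule or its tooling) that applies the rule's two conditions to constructed file-creation records. It assumes the records carry the Sysmon FileCreate fields the rule names, Image and TargetFilename, and that matching is case-insensitive as in Sigma.

```python
from typing import Dict, Iterable, List

# Values copied from the rule's `selection` block.
DRIVER_PATH = r"C:\Windows\System32\drivers\LiveKdD.SYS"
IMAGE_SUFFIXES = ("\\livekd.exe", "\\livek64.exe")


def matches_livekd_driver_creation(event: Dict[str, str]) -> bool:
    """Evaluate the rule's `selection` map against one file_event record.

    Sigma string comparisons are case-insensitive, so both fields are
    lower-cased first. The two keys of a selection map are ANDed; the
    list under `Image|endswith` is an OR over its values.
    """
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    if target != DRIVER_PATH.lower():
        return False
    return any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES)


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records that fire the rule, in input order."""
    return [e for e in events if matches_livekd_driver_creation(e)]


# Constructed sample records (not real telemetry) in the shape of Sysmon
# Event ID 11 (FileCreate), which the windows/file_event logsource maps to.
SAMPLE_EVENTS = [
    {  # driver dropped by livekd.exe: matches
        "Image": r"C:\Tools\SysinternalsSuite\livekd.exe",
        "TargetFilename": r"C:\Windows\System32\drivers\LiveKdD.SYS",
    },
    {  # same thing with different casing: still matches
        "Image": r"C:\Users\jdoe\Downloads\LIVEKD.EXE",
        "TargetFilename": r"c:\windows\system32\drivers\livekdd.sys",
    },
    {  # driver path written by an unrelated image: no match
        "Image": r"C:\Windows\System32\drvinst.exe",
        "TargetFilename": r"C:\Windows\System32\drivers\LiveKdD.SYS",
    },
    {  # livekd.exe writing some other file: no match
        "Image": r"C:\Tools\SysinternalsSuite\livekd.exe",
        "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\livekd.log",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("LiveKD driver creation:", hit["Image"], "->", hit["TargetFilename"])
```

Running it prints the first two sample records; the other two fail one of the two ANDed conditions and are ignored, which is also where the rule's stated false positive (legitimate LiveKD debugging) comes from.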
