LiveKD Driver Creation By Uncommon Process
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
Sigma rule

```yaml
title: LiveKD Driver Creation By Uncommon Process
id: 059c5af9-5131-4d8d-92b2-de4ad6146712
related:
    - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
      type: similar
status: test
description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
    filter_main_legit_name:
        Image|endswith:
            - '\livekd.exe'
            - '\livek64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
level: high
```
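As an added example (not code from the rule author or the Sigma project), the rule's matching logic implemented directly in Python and run over constructed Sysmon-style FileCreate records; the event field names and sample image paths are assumptions. It also shows that an image path ending in `\livekd64.exe` is not covered by the `\livek64.exe` filter entry as written.

```python
"""Evaluate the 'LiveKD Driver Creation By Uncommon Process' Sigma logic
against constructed Sysmon Event ID 11 (FileCreate) records."""
from typing import Iterable

# Values copied from the rule's selection and filter_main_legit_name blocks.
TARGET_FILENAME = r"C:\Windows\System32\drivers\LiveKdD.SYS"
LEGIT_IMAGE_SUFFIXES = ("\\livekd.exe", "\\livek64.exe")


def matches_selection(event: dict) -> bool:
    # Sigma string matching is case-insensitive by default, so compare folded.
    return event.get("TargetFilename", "").lower() == TARGET_FILENAME.lower()


def matches_filter_main_legit_name(event: dict) -> bool:
    # Image|endswith: any listed suffix whitelists the writing process.
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix) for suffix in LEGIT_IMAGE_SUFFIXES)


def rule_fires(event: dict) -> bool:
    # condition: selection and not 1 of filter_main_*
    # (this rule defines exactly one filter_main_* group)
    return matches_selection(event) and not matches_filter_main_legit_name(event)


def evaluate(events: Iterable[dict]) -> list[dict]:
    # Return the events the rule would alert on, in input order.
    return [e for e in events if rule_fires(e)]


# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Tools\livekd.exe", "TargetFilename": TARGET_FILENAME},
    # 64-bit binary name: does NOT end with '\livek64.exe', so it is not filtered.
    {"EventID": 11, "Image": r"C:\Tools\LiveKd64.exe", "TargetFilename": TARGET_FILENAME},
    {"EventID": 11, "Image": r"C:\Users\Public\svc.exe", "TargetFilename": TARGET_FILENAME},
    {"EventID": 11, "Image": r"C:\Users\Public\svc.exe", "TargetFilename": r"C:\Temp\notes.txt"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT: LiveKD driver written by", hit["Image"])
```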