Potential Memory Dumping Activity Via LiveKD

Detects execution of LiveKD based on PE metadata or image name

Sigma rule

title: Potential Memory Dumping Activity Via LiveKD
id: a85f7765-698a-4088-afa0-ecfbf8d01fa4
status: test
description: Detects execution of LiveKD based on PE metadata or image name
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\livekd.exe'
              - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    condition: selection
falsepositives:
    - Administration and debugging activity (must be investigated)
level: medium
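As an added example (not part of the rule or of the Sigma project's code), the following Python applies this rule's selection to constructed process_creation events: the two list items under `selection` are OR'd, the `endswith` and plain-value comparisons are case-insensitive, and the `OriginalFileName` check still fires when the binary has been renamed, which is why the rule carries the defense_evasion tag. Field names follow the rule; the event layout is assumed.

```python
from typing import Dict, List

# Selection block of the rule transcribed as data. Sigma semantics assumed here:
# list items under a selection are OR'd, a list of values for one field is OR'd,
# and string comparisons are case-insensitive. The leading backslash anchors the
# match to the file name, so "mylivekd.exe" does not match.
IMAGE_SUFFIXES = ("\\livekd.exe", "\\livekd64.exe")
ORIGINAL_FILE_NAME = "livekd.exe"


def matches_livekd_rule(event: Dict[str, str]) -> bool:
    """Return True when the process_creation event satisfies the rule's selection."""
    image = event.get("Image", "").lower()
    if any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES):
        return True
    # PE metadata survives a rename of the file on disk.
    return event.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image path of every matching event for an analyst to review."""
    return [event["Image"] for event in events if matches_livekd_rule(event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\LiveKD64.exe", "OriginalFileName": "livekd.exe"},
    {"Image": "C:\\Users\\Public\\update.exe", "OriginalFileName": "LiveKd.exe"},  # renamed copy
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    {"Image": "C:\\Tools\\livekd.exe"},  # OriginalFileName absent from this log source
    {"Image": "C:\\Tools\\mylivekd.exe", "OriginalFileName": "mylivekd.exe"},  # no match
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("Potential memory dumping via LiveKD (medium, investigate):", path)
```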
