Kernel Memory Dump Via LiveKD

calendar Mar 15, 2024 · attack.defense_evasion  ·
Share on: linkedin copy

Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory

Sigma rule (View on GitHub)

 1title: Kernel Memory Dump Via LiveKD
 2id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
 3status: experimental
 4description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
 5references:
 6    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
 7    - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
 8    - https://kb.acronis.com/content/60892
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/05/16
11modified: 2024/03/13
12tags:
13    - attack.defense_evasion
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith:
20              - '\livekd.exe'
21              - '\livekd64.exe'
22        - OriginalFileName: 'livekd.exe'
23    selection_cli:
24        CommandLine|contains|windash: ' -m'
25    condition: all of selection_*
26falsepositives:
27    - Unlikely in production environment
28level: high

References

  • LiveKd - Sysinternals

    Use Microsoft kernel debuggers to examine a live system.


    Read More

  • Creating a complete memory dump without a Blue Screen

    When an error is escalated, one of the most common requests is to get a full memory dump of the computer. This can be achieved easily by blue-screening the computer; however, that is not always possible. Sometimes you also don't have a big enough pagefile or a dedicated dump file configured. Let me show you how to do this without booting the computer and without tweaking the pagefile.


    Read More


  • Read More

Related rules

to-top