Kernel Memory Dump Via LiveKD

Detects execution of LiveKD with the "-m" (or "/m") flag, which writes a dump of kernel memory to disk. The rule matches on both the image name and the PE OriginalFileName, so a renamed copy of the binary is still caught as long as its version resource is intact.

Sigma rule

title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: experimental
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
    - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
    - https://kb.acronis.com/content/60892
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/16
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\livekd.exe'
              - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    selection_cli:
        # either spelling of the flag; a list under "contains" is an OR.
        # "contains|all" would require both ' /m' and ' -m' on one command line.
        CommandLine|contains:
            - ' /m'
            - ' -m'
    condition: all of selection_*
falsepositives:
    - Unlikely in production environment
level: high
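To see what the two selections actually match, the rule's logic is replayed below over a handful of constructed process-creation events. This is an added example written for this page, not code from SigmaHQ or Sysinternals; the events are made up (the field names follow Sigma's windows/process_creation log source), and the `require_all` switch is a hypothetical knob added only to contrast `contains` (either spelling of the flag) with `contains|all` (both spellings on the same command line, which no real invocation carries).

```python
# Added example: replays the Sigma rule's detection logic in Python over
# constructed process_creation events. Not SigmaHQ or Sysinternals code.

# Constructed Sysmon Event ID 1 style records using the field names Sigma's
# windows/process_creation log source expects. None of these are real telemetry.
SAMPLE_EVENTS = [
    {   # dash form of the flag, straight from the Sysinternals binary
        "Image": r"C:\Tools\livekd64.exe",
        "OriginalFileName": "livekd.exe",
        "CommandLine": r"livekd64.exe -m -o C:\Temp\kernel.dmp",
    },
    {   # slash form of the same flag
        "Image": r"C:\Tools\livekd.exe",
        "OriginalFileName": "livekd.exe",
        "CommandLine": r"livekd.exe /m /o C:\Temp\kernel.dmp",
    },
    {   # renamed copy: Image no longer ends in livekd*.exe, but the PE
        # OriginalFileName still does; '-ml' also carries the ' -m' substring
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "livekd.exe",
        "CommandLine": r"svc.exe -ml -o C:\Users\Public\k.dmp",
    },
    {   # LiveKD used interactively (launch WinDbg), no dump flag
        "Image": r"C:\Tools\livekd64.exe",
        "OriginalFileName": "livekd.exe",
        "CommandLine": r"livekd64.exe -w",
    },
    {   # unrelated process whose command line happens to contain ' -m'
        "Image": r"C:\Python311\python.exe",
        "OriginalFileName": "python.exe",
        "CommandLine": r"python.exe -m http.server 8080",
    },
]

IMAGE_SUFFIXES = (r"\livekd.exe", r"\livekd64.exe")
CLI_NEEDLES = (" /m", " -m")


def selection_img(event):
    """selection_img: a YAML list of two maps, so it is an OR of the two.
    Sigma string matching is case-insensitive by default, hence lower()."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original == "livekd.exe"


def selection_cli(event, require_all=False):
    """selection_cli: CommandLine|contains with a list of values is an OR
    (any needle). require_all=True (hypothetical switch) reproduces the |all
    modifier, which demands both spellings of the flag on one command line."""
    cmd = event.get("CommandLine", "").lower()
    hits = [needle in cmd for needle in CLI_NEEDLES]
    return all(hits) if require_all else any(hits)


def rule_matches(event, require_all=False):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event, require_all)


def run(events, require_all=False):
    """Return the indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev, require_all)]


if __name__ == "__main__":
    print("contains (either flag spelling):", run(SAMPLE_EVENTS))
    print("contains|all (both spellings):  ", run(SAMPLE_EVENTS, require_all=True))
```

Three things are worth noticing in the output. The renamed `svc.exe` is still caught because `selection_img` falls through to `OriginalFileName`, which is why the rule checks PE metadata and not just the path. The `python.exe -m` event shows that the loose `' -m'` substring is harmless on its own, since `selection_cli` is gated by `selection_img` through `condition: all of selection_*`. And with `require_all=True` nothing fires at all, which is what the `|all` modifier would do to this rule: a command line uses one spelling of the flag, not both.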
