LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
Author: Nasreddine Bencherchali (Nextron Systems)
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic (1 selector)

detection:
    selection:
        TargetFilename: 'C:\Windows\livekd.dmp'
    condition: selection

False Positives
On rare occasions administrators might use LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
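To see what this selection does and does not fire on, the following added example (not part of the rule or of the Sigma project) evaluates the rule body above with Sigma's default string semantics (case-insensitive, with `*` and `?` as the only wildcards) against constructed file-create events; the event shape and the sample paths are assumptions.

```python
import re

# Rule body as given on the page: one selection keyed on TargetFilename.
RULE = {
    "selection": {"TargetFilename": "C:\\Windows\\livekd.dmp"},
    "condition": "selection",
}


def sigma_value_to_regex(value: str) -> re.Pattern:
    """Sigma plain-string semantics: case-insensitive, '*' and '?' are the
    only wildcards, everything else (backslashes included) is literal."""
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (AND semantics)."""
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None or not sigma_value_to_regex(expected).match(str(actual)):
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    # The condition on this page is just the selection's name.
    return selection_matches(rule[rule["condition"]], event)


# Constructed file-create events (Sysmon Event ID 11 style); not real telemetry.
EVENTS = [
    {"EventID": 11, "Image": "C:\\Tools\\livekd.exe", "TargetFilename": "C:\\Windows\\livekd.dmp"},
    {"EventID": 11, "Image": "C:\\Tools\\livekd.exe", "TargetFilename": "c:\\windows\\LIVEKD.DMP"},
    {"EventID": 11, "Image": "C:\\Tools\\livekd.exe", "TargetFilename": "C:\\Temp\\livekd.dmp"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\livekd.dmp.txt"},
]


def alerts(events):
    """Return the TargetFilename of each event the rule would flag."""
    return [e["TargetFilename"] for e in events if evaluate(RULE, e)]


if __name__ == "__main__":
    print(alerts(EVENTS))
```

The third and fourth events show why the rule is narrow: a dump written to another directory or under a renamed file does not match, which is the trade-off behind the low false-positive note above.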
References
Internal Research
Rule Metadata
Rule ID
814ddeca-3d31-4265-8e07-8cc54fb44903
Status
test
Level
high
Type
Detection
Created
Tue May 16
Path
rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
Raw Tags (MITRE ATT&CK)
attack.defense-evasion
attack.privilege-escalation