sigmamediumHunting

Potential Memory Dumping Activity Via LiveKD

Detects execution of LiveKD based on PE metadata or image name

Detection Query

selection:
  - Image|endswith:
      - \livekd.exe
      - \livekd64.exe
  - OriginalFileName: livekd.exe
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-05-15

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://learn.microsoft.com/en-us/sysinternals/downloads/livekd

Tags

attack.defense-evasion

Raw Content

title: Potential Memory Dumping Activity Via LiveKD
id: a85f7765-698a-4088-afa0-ecfbf8d01fa4
status: test
description: Detects execution of LiveKD based on PE metadata or image name
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\livekd.exe'
              - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    condition: selection
falsepositives:
    - Administration and debugging activity (must be investigated)
level: medium