LoFP / administration and debugging activity (must be investigated)

Techniques

Sample rules

Potential Memory Dumping Activity Via LiveKD

• source: sigma
• technicques:

Description

Detects execution of LiveKD based on PE metadata or image name

Detection logic

condition: selection
selection:
- Image|endswith:
  - \livekd.exe
  - \livekd64.exe
- OriginalFileName: livekd.exe