LoFP / administrators might rename livekd before its usage which could trigger this. add additional names you use to the filter

Techniques

Sample rules

LiveKD Driver Creation By Uncommon Process

• source: sigma
• technicques:

Description

Detects the creation of the LiveKD driver by a process image other than “livekd.exe”.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_name:
  Image|endswith:
  - \livekd.exe
  - \livek64.exe
selection:
  TargetFilename: C:\Windows\System32\drivers\LiveKdD.SYS