LoFP / in rare occasions administrators might leverage livekd to perform live kernel debugging. this should not be allowed on production systems. investigate and apply additional filters where necessary.

Techniques

Sample rules

LiveKD Kernel Memory Dump File Created

• source: sigma
• technicques:

Description

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Detection logic

condition: selection
selection:
  TargetFilename: C:\Windows\livekd.dmp