LoFP / legitimate usage of livekd for debugging purposes will also trigger this

Techniques

Sample rules

LiveKD Driver Creation

• source: sigma
• technicques:

Description

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Detection logic

condition: selection
selection:
  Image|endswith:
  - \livekd.exe
  - \livek64.exe
  TargetFilename: C:\Windows\System32\drivers\LiveKdD.SYS