Techniques
Sample rules
Kernel Memory Dump Via LiveKD
- source: sigma
- techniques:
Description
Detects execution of LiveKD with the “-m” flag to potentially dump the kernel memory
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: ' -m'
selection_img:
  - Image|endswith:
      - \livekd.exe
      - \livekd64.exe
  - OriginalFileName: livekd.exe
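To show how this detection block evaluates, here is an added Python example (not part of the page or of the Sigma project) that transcribes the two selections and the `all of selection_*` condition and runs them over constructed process-creation events. It assumes event field names map one-to-one onto the rule's field names, and the dash set expanded by `windash` follows the Sigma specification as the author of this example understands it.

```python
import itertools
# Dash characters the Sigma `windash` modifier expands a '-' into (hyphen, slash, en dash, em dash, horizontal bar).
WINDASH = ["-", "/", "\u2013", "\u2014", "\u2015"]

# The rule's detection block transcribed to Python; the condition is "all of selection_*".
RULE = {
    "selection_img": [
        {"Image|endswith": ["\\livekd.exe", "\\livekd64.exe"]},
        {"OriginalFileName": "livekd.exe"},
    ],
    "selection_cli": {"CommandLine|contains|windash": " -m"},
}

def windash_variants(value):
    """Every combination of dash replacements for the '-' characters in value."""
    parts = value.split("-")
    return ["".join(p + d for p, d in zip(parts, combo)) + parts[-1]
            for combo in itertools.product(WINDASH, repeat=len(parts) - 1)]

def field_matches(event, key, expected):
    """Apply one 'Field|modifier|...' entry; Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    if "windash" in mods:
        values = [v for val in values for v in windash_variants(val)]
    values = [v.lower() for v in values]
    if "endswith" in mods:
        return any(actual.endswith(v) for v in values)
    if "contains" in mods:
        return any(v in actual for v in values)
    return actual in values

def selection_matches(event, selection):
    """A list of maps is OR-ed; the field entries inside one map are AND-ed."""
    maps = selection if isinstance(selection, list) else [selection]
    return any(all(field_matches(event, k, v) for k, v in m.items()) for m in maps)
def rule_matches(event):  # condition: all of selection_*
    return all(selection_matches(event, s) for n, s in RULE.items() if n.startswith("selection_"))

# Constructed process-creation events (not real telemetry); trailing comments give the expected verdict.
EVENTS = [
    {"Image": "C:\\Tools\\livekd64.exe", "OriginalFileName": "livekd.exe", "CommandLine": "livekd64.exe -m C:\\dump\\k.dmp"},  # hit: hyphen form
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "livekd.exe", "CommandLine": "svc.exe /m C:\\dump\\k.dmp"},    # hit: OriginalFileName still matches, slash form
    {"Image": "C:\\Tools\\livekd.exe", "OriginalFileName": "livekd.exe", "CommandLine": "livekd.exe \u2013m C:\\dump\\k.dmp"},  # hit: en dash form
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "notepad.exe", "CommandLine": "notepad.exe -m"},        # miss: wrong image
    {"Image": "C:\\Tools\\livekd.exe", "OriginalFileName": "livekd.exe", "CommandLine": "livekd.exe -o C:\\dump\\k.dmp"},       # miss: no -m flag
]
def evaluate():
    return [rule_matches(e) for e in EVENTS]  # -> [True, True, True, False, False]
```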