Kernel Memory Dump via LiveKD

    Date: 02/12/2025

    Severity: High

    Summary

    "Kernel Memory Dump via LiveKD" refers to the detection of the Sysinternals LiveKD tool being executed with the "-m" flag, which can be used to dump kernel memory to a file. Such activity may indicate an attempt to access sensitive system information or to perform unauthorized analysis of kernel memory, and should be reviewed against expected administrative or debugging use on the host.

    Indicators of Compromise (IOC) List

    Image

    '\livekd.exe'

    '\livekd64.exe'

    OriginalFileName

    'livekd.exe'

    CommandLine

    '-m'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourcename in ("Windows Security") AND eventtype = "4688") AND (newprocessname like "\livekd.exe" or newprocessname like "\livekd64.exe") AND processname = "livekd.exe" AND commandline like "-m")

    Detection Query 2

    ((technologygroup = "EDR") AND (newprocessname like "\livekd.exe" or newprocessname like "\livekd64.exe") AND processname = "livekd.exe" AND commandline like "-m")
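    The two queries above express the same three conditions (Image, OriginalFileName, CommandLine) against different telemetry sources. The following is an added Python re-implementation of that logic, not Gurucul's or Sigma's code, run over constructed 4688-style records; the field names (EventID, NewProcessName, OriginalFileName, CommandLine) are assumptions, and the page's `processname = "livekd.exe"` is read as the OriginalFileName IOC.

```python
# Constructed process-creation records modelled on Windows Security event 4688.
# Field names are assumptions for this example, not a vendor schema.
SAMPLE_EVENTS = [
    # 1: genuine LiveKD kernel dump -> should match
    {"EventID": 4688, "NewProcessName": r"C:\Tools\livekd64.exe",
     "OriginalFileName": "livekd.exe",
     "CommandLine": r"livekd64.exe -m -o C:\dumps\kernel.dmp"},
    # 2: LiveKD without -m; "-m" appears only inside an output path -> no match
    {"EventID": 4688, "NewProcessName": r"C:\Tools\livekd.exe",
     "OriginalFileName": "livekd.exe",
     "CommandLine": r"livekd.exe -o C:\pre-mem\out.dmp"},
    # 3: renamed copy of LiveKD; only OriginalFileName still says livekd.exe -> no match
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "livekd.exe", "CommandLine": "svc.exe -m"},
    # 4: right process and flag but not a process-creation event -> no match
    {"EventID": 4624, "NewProcessName": r"C:\Tools\livekd.exe",
     "OriginalFileName": "livekd.exe", "CommandLine": "livekd.exe -m"},
]

IMAGE_SUFFIXES = ("\\livekd.exe", "\\livekd64.exe")   # Image IOCs from the page


def is_livekd_kernel_dump(event: dict) -> bool:
    """True when a process-creation record satisfies all three rule conditions."""
    if str(event.get("EventID")) != "4688":            # process creation only
        return False
    image = event.get("NewProcessName", "").lower()
    if not image.endswith(IMAGE_SUFFIXES):             # Image IOC
        return False
    if event.get("OriginalFileName", "").lower() != "livekd.exe":  # OriginalFileName IOC
        return False
    # Assumption: the page's `commandline like "-m"` is applied per argument
    # token (prefix match), so a path that merely contains "-m" does not fire.
    tokens = event.get("CommandLine", "").lower().split()
    return any(tok.startswith("-m") for tok in tokens)


def find_matches(events):
    """Return the subset of records that the rule would alert on."""
    return [e for e in events if is_livekd_kernel_dump(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["NewProcessName"], hit["CommandLine"])
```

    Record 3 illustrates a limit of the rule as written: because the Image and OriginalFileName conditions are ANDed, a renamed copy of LiveKD does not match, so a defender may want a companion rule keyed on OriginalFileName alone.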

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml


    Tags

    SigmaMalware
