
Summary
This rule detects the creation of a file named 'livekd.dmp' in the C:\Windows\ directory, which is associated with the LiveKD tool used for kernel debugging. The presence of this file can indicate unauthorized access to, or misuse of, kernel debugging tools, which may facilitate privilege escalation or defensive evasion by malicious actors. The detection works by monitoring file events and matching the creation of this specific file through the 'TargetFilename' condition. Given its security implications, the rule is classified as high severity. Administrators should be aware that legitimate use of LiveKD may occur, although it should be tightly controlled in production environments; in such cases, further investigation and filtering may be warranted to reduce false positives.
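The following is an added illustration, not part of the rule page or the LiveKD project: it applies the rule's 'TargetFilename' condition to constructed Sysmon-style FileCreate (Event ID 11) records and shows the kind of allowlist filtering the summary recommends for tuning. The event line format, the field names other than TargetFilename, and the sanctioned-host list are assumptions for the example.

```python
import ntpath  # Windows path semantics, importable on any platform

# Path the rule's TargetFilename condition looks for (from the rule description).
LIVEKD_DUMP_PATH = r"C:\Windows\livekd.dmp"

# Hypothetical allowlist of sanctioned debugging hosts (a tuning knob, not part of the rule).
SANCTIONED_DEBUG_HOSTS = {"kd-lab-01"}

def normalize_path(path: str) -> str:
    """Fold separators and case so 'c:/windows/LIVEKD.DMP' still matches, as NTFS would."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value|key=value' file-event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def matches_rule(event: dict) -> bool:
    """True for a Sysmon FileCreate (Event ID 11) whose target is the LiveKD dump path."""
    if event.get("EventID") != "11":
        return False
    return normalize_path(event.get("TargetFilename", "")) == normalize_path(LIVEKD_DUMP_PATH)

def evaluate(lines: list[str]) -> list[dict]:
    """Return one alert per matching event; sanctioned hosts are downgraded, not dropped."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if matches_rule(ev):
            host = ev.get("Computer", "?")
            sanctioned = host.lower() in SANCTIONED_DEBUG_HOSTS
            alerts.append({"host": host, "image": ev.get("Image", "?"),
                           "user": ev.get("User", "?"),
                           "severity": "review" if sanctioned else "high"})
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11|Computer=WS-042|Image=C:\Tools\livekd.exe|User=CORP\jdoe|TargetFilename=C:\Windows\livekd.dmp",
    r"EventID=11|Computer=kd-lab-01|Image=C:\Tools\livekd.exe|User=CORP\kdadmin|TargetFilename=c:/windows/LIVEKD.DMP",
    r"EventID=11|Computer=WS-042|Image=C:\Windows\System32\svchost.exe|User=SYSTEM|TargetFilename=C:\Windows\Temp\livekd.dmp",
    r"EventID=1|Computer=WS-042|Image=C:\Tools\livekd.exe|User=CORP\jdoe|TargetFilename=C:\Windows\livekd.dmp",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the first two records fire: the third writes to a different directory and the fourth is not a FileCreate event, while the sanctioned lab host is surfaced for review rather than as a high-severity alert.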
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- File
- Process
Created: 2023-05-16