Kernel Memory Dump Via LiveKD

Sigma Rules

Summary
This detection rule identifies the execution of LiveKD, a tool used for kernel debugging, when it is invoked with the "-m" flag, which is used to dump kernel memory. The rule monitors process creation events on Windows systems and consists of two selections: an image selection that matches when the executable name ends with 'livekd.exe' or 'livekd64.exe', and a command-line selection that matches when the command line includes the '-m' argument. The rule fires only when both selections match, indicating a potential threat, since kernel memory dumps can be indicative of the exploitation of security mechanisms. Given the sensitivity of kernel memory, its unauthorized dumping is flagged as a significant risk. LiveKD with the '-m' flag is primarily associated with defense evasion tactics, typically employed by attackers to extract critical information from the system's memory. As the rule is in an experimental phase, more data is needed to tune it against false positives, even though such invocations are unlikely in controlled production environments.
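The two-part logic described above, as an added example that is not part of the Sigma rule or of this page: it evaluates the image and command-line selections over constructed process-creation events (Sysmon-style field names such as Image, CommandLine, Computer and ProcessId are assumed) and fires only when both match.

```python
"""Added example, not the rule's own code: evaluate the LiveKD kernel-dump
detection logic over constructed Windows process-creation events."""
import re

# Image names the rule watches for (case-insensitive endswith match).
LIVEKD_IMAGES = ("\\livekd.exe", "\\livekd64.exe")

# "-m" as a switch of its own: a plain substring test on " -m" would also
# accept any longer switch that merely starts with "-m".
DUMP_SWITCH = re.compile(r"(?:^|\s)-m(?=\s|$)", re.IGNORECASE)


def is_livekd_image(image: str) -> bool:
    return image.lower().endswith(LIVEKD_IMAGES)


def has_dump_switch(command_line: str) -> bool:
    return DUMP_SWITCH.search(command_line) is not None


def matches_livekd_kernel_dump(event: dict) -> bool:
    """True only when BOTH selections hold, as the rule's condition requires."""
    return is_livekd_image(event.get("Image", "")) and has_dump_switch(
        event.get("CommandLine", "")
    )


def scan_events(events: list[dict]) -> list[dict]:
    """Return a short alert record for every event that would fire the rule."""
    return [
        {"host": e.get("Computer", "?"), "pid": e.get("ProcessId"), "cmd": e["CommandLine"]}
        for e in events
        if matches_livekd_kernel_dump(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ProcessId": 4120, "Image": r"C:\Tools\livekd64.exe",
     "CommandLine": r"livekd64.exe -accepteula -m C:\Temp\kernel.dmp"},
    {"Computer": "WS01", "ProcessId": 4188, "Image": r"C:\Tools\livekd.exe",
     "CommandLine": "livekd.exe -accepteula"},           # no -m: no alert
    {"Computer": "WS02", "ProcessId": 900, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c type notes.txt -m"},     # not LiveKD: no alert
    {"Computer": "WS02", "ProcessId": 4201, "Image": r"C:\Tools\LIVEKD.EXE",
     "CommandLine": "LIVEKD.EXE -M"},                    # case-insensitive hit
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"LiveKD kernel dump on {alert['host']} pid {alert['pid']}: {alert['cmd']}")
```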
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2023-05-16