LiveKD is a Sysinternals debugging tool that drops its kernel driver (LiveKdD.SYS) into the drivers directory when it runs. That driver being written by a process other than LiveKD itself is uncommon and can indicate adversarial activity aimed at persistence or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
Detection Rule
title: LiveKD Driver Creation By Uncommon Process
id: 059c5af9-5131-4d8d-92b2-de4ad6146712
related:
    - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
      type: similar
status: test
description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
    filter_main_legit_name:
        Image|endswith:
            - '\livekd.exe'
            - '\livek64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
level: high
imFileEvent
// Selection: the rule's value is a full path, so it is compared against TargetFilePath.
// In the ASIM FileEvent schema TargetFileName holds only the file name without a path,
// so comparing it against the full path (as the original query did) never matches.
| where TargetFilePath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
// Filter: the rule's Image|endswith applies to the process that created the file, which
// in ASIM is ActingProcessName. The original query tested TargetFilePath here, which is
// the driver file itself and therefore never ends with the LiveKD image names.
| where not(ActingProcessName endswith "\\livekd.exe" or ActingProcessName endswith "\\livek64.exe")
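To make the rule's semantics concrete, here is a small Python evaluator, added as an example and not code from the Sigma rule or the Sigma project. It applies the same selection (TargetFilename equality) and filter_main_legit_name (Image|endswith) logic to constructed file-creation events, and shows the tuning the falsepositives entry asks for: adding a renamed LiveKD binary to the filter list. The event records, the sample paths and the `kd.exe` rename are hypothetical.

```python
"""
Added example (not part of the original rule or the Sigma project): evaluator
for the "LiveKD Driver Creation By Uncommon Process" logic. Field names mirror
the Sigma rule (Image, TargetFilename); sample events are constructed.
"""
from dataclasses import dataclass

# Values copied from the rule on this page.
LIVEKD_DRIVER_PATH = r"C:\Windows\System32\drivers\LiveKdD.SYS"
DEFAULT_LEGIT_IMAGES = (r"\livekd.exe", r"\livek64.exe")


@dataclass
class FileEvent:
    """Minimal file-creation event (e.g. Sysmon EID 11) with the two fields the rule uses."""
    image: str            # full path of the process that created the file
    target_filename: str  # full path of the created file


@dataclass
class LiveKdDriverRule:
    """Mirrors: condition: selection and not 1 of filter_main_*"""
    legit_image_suffixes: tuple = DEFAULT_LEGIT_IMAGES

    def selection(self, ev: FileEvent) -> bool:
        # Sigma string matching is case-insensitive by default.
        return ev.target_filename.lower() == LIVEKD_DRIVER_PATH.lower()

    def filter_main_legit_name(self, ev: FileEvent) -> bool:
        # Image|endswith: the creating process must be one of the known LiveKD images.
        img = ev.image.lower()
        return any(img.endswith(s.lower()) for s in self.legit_image_suffixes)

    def matches(self, ev: FileEvent) -> bool:
        return self.selection(ev) and not self.filter_main_legit_name(ev)

    def with_extra_names(self, *names: str) -> "LiveKdDriverRule":
        """Return a tuned copy with extra image names, as the falsepositives note suggests
        for administrators who rename LiveKD. A leading backslash is enforced so the
        suffix only matches a whole file name, not the tail of a longer one."""
        extra = tuple("\\" + n.lstrip("\\") for n in names)
        return LiveKdDriverRule(self.legit_image_suffixes + extra)


# Constructed sample events (hypothetical paths, not taken from any real host).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Tools\Sysinternals\livekd.exe", LIVEKD_DRIVER_PATH),          # filtered
    FileEvent(r"C:\Tools\Sysinternals\livek64.exe", LIVEKD_DRIVER_PATH),         # filtered
    FileEvent(r"C:\Users\Public\kd.exe", LIVEKD_DRIVER_PATH),                     # alert
    FileEvent(r"C:\Tools\Sysinternals\livekd.exe", r"C:\Tools\out.txt"),          # no selection
    FileEvent(r"C:\Users\Public\kd.exe", r"c:\windows\system32\drivers\livekdd.sys"),  # alert (case)
]


def alerts(rule: LiveKdDriverRule, events) -> list:
    """Images of all events the rule fires on, in input order."""
    return [ev.image for ev in events if rule.matches(ev)]


if __name__ == "__main__":
    base = LiveKdDriverRule()
    print("default rule:", alerts(base, SAMPLE_EVENTS))
    # An admin who renamed LiveKD to kd.exe adds that name to the filter.
    tuned = base.with_extra_names("kd.exe")
    print("tuned rule:  ", alerts(tuned, SAMPLE_EVENTS))
```

With the default filter the two `kd.exe` events fire (including the lower-case path, since the comparison is case-insensitive like Sigma's default); after tuning with `kd.exe` nothing fires. Note that `with_extra_names` prepends a backslash so that adding `kd.exe` does not silently whitelist every image whose name merely ends in the letters `kd.exe`.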
- Scenario: A system administrator uses Process Explorer (Sysinternals tool) to manually load the LiveKD driver for diagnostic purposes.
  Filter/Exclusion: Check for processes associated with procexp.exe or Process Explorer in the process image field.
- Scenario: A Windows Update or System File Checker (SFC) task runs in the background and inadvertently triggers the LiveKD driver creation.
  Filter/Exclusion: Exclude processes with names like svchost.exe (specific SFC or update-related instances) or wuauserv.exe.
- Scenario: A scheduled task configured via Task Scheduler (e.g., TaskScheduler or taskschd.exe) is used to run a legitimate diagnostic script that loads the LiveKD driver.
  Filter/Exclusion: Filter out processes with taskschd.exe or check for known scheduled task process names.
- Scenario: A remote management tool such as Microsoft Endpoint Manager (MEM) or Microsoft Intune deploys a script or configuration that includes LiveKD driver loading.
  Filter/Exclusion: Exclude processes related to microsoftendpointmanager.exe, intunewsm.exe, or other known management tool binaries.
- Scenario: A third-party security tool or endpoint protection software (e.g., Microsoft Defender, CrowdStrike, or Kaspersky) may use LiveKD for internal diagnostics or analysis.
  Filter/Exclusion: Exclude processes associated with known security tool binaries (e.g., MsMpEng.exe, falcon.exe, or kavsvc.exe).