The LiveKD Driver Creation rule detects the potential deployment of a LiveKD driver, which can enable live kernel debugging and provide adversaries with deep system access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage kernel-level debugging for persistence and evasion.
Detection Rule
title: LiveKD Driver Creation
id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
status: test
description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
- attack.defense-evasion
- attack.privilege-escalation
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
Image|endswith:
- '\livekd.exe'
- '\livek64.exe'
condition: selection
falsepositives:
- Legitimate usage of LiveKD for debugging purposes will also trigger this
level: medium
imFileEvent
| where TargetFileName =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (TargetFilePath endswith "\\livekd.exe" or TargetFilePath endswith "\\livek64.exe")Scenario: LiveKD Driver Installation via System Update or Patch
Description: A legitimate system update or patch may include the LiveKD driver as part of a debugging or diagnostic toolset.
Filter/Exclusion: Check the EventID or ProcessName to exclude known update or patch installation processes (e.g., wusa.exe, setup.exe).
Scenario: LiveKD Driver Created by an Admin for Debugging Purposes
Description: A system administrator may manually install the LiveKD driver to debug kernel-level issues.
Filter/Exclusion: Use a filter on User field to exclude known admin accounts or add a ProcessName filter for tools like devcon.exe or pnputil.exe.
Scenario: Scheduled Job Installs LiveKD Driver for Diagnostic Use
Description: A scheduled task may be configured to install the LiveKD driver during routine diagnostics or maintenance.
Filter/Exclusion: Filter by EventID or TaskName to exclude known diagnostic or maintenance tasks (e.g., TaskScheduler or Windows Diagnostic Data).
Scenario: LiveKD Driver Created by a Third-Party Tool for Debugging
Description: Some third-party diagnostic or performance monitoring tools may include LiveKD as part of their debugging capabilities.
Filter/Exclusion: Use ProcessName to exclude known third-party tools (e.g., Procmon.exe, Wireshark, or DebugView).
Scenario: LiveKD Driver Created During a Kernel Mode Driver Development Test
Description: Developers may create the LiveKD driver as part of kernel-mode driver testing or development.
Filter/Exclusion: Filter by User to exclude development accounts or use a ProcessName filter for development tools like Visual Studio or `Driver Verifier