Adversaries may create a kernel memory dump file with the same name as the default LiveKD dump to exfiltrate or manipulate memory data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential kernel-level persistence or data extraction activities.
Detection Rule
title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\livekd.dmp'
    condition: selection
falsepositives:
    - On rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
Azure Sentinel Query
imFileEvent
| where TargetFileName =~ "C:\\Windows\\livekd.dmp"
False Positive Scenarios and Exclusions
Scenario: A system administrator uses LiveKD to generate a kernel memory dump for debugging purposes.
Filter/Exclusion: Exclude files created by processes with the executable path containing livekd.exe or livekd64.exe.

Scenario: A scheduled job runs Windows Memory Diagnostic or Windows Performance Analyzer (WPA), which may create a dump file with the same name.
Filter/Exclusion: Exclude files created by processes with the executable path containing wpa.exe, perfmon.exe, or msdt.exe.

Scenario: A third-party security tool or endpoint protection software creates a dump file as part of its diagnostic or troubleshooting process.
Filter/Exclusion: Exclude files created by processes with the executable path containing mcafee, kaspersky, bitdefender, or similar vendor names.

Scenario: A developer or support engineer uses ProcDump (from Sysinternals) to generate a memory dump for application troubleshooting.
Filter/Exclusion: Exclude files created by processes with the executable path containing procdump.exe or ProcDump.exe.

Scenario: A system update or patching process triggers a kernel dump due to a crash or unexpected behavior during deployment.
Filter/Exclusion: Exclude files created by processes with the executable path containing setup.exe, wusa.exe, or dism.exe.
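The following Python script is an added example (not part of the original rule or the Sigma project) that runs the detection logic of the Sentinel query together with the process-path exclusions listed in the scenarios above over a handful of constructed file-creation events. The event records, their field names (TargetFileName for the created file, ProcessPath for the creating process) and the sample paths are assumptions made for the demonstration; the case-insensitive comparison mirrors the KQL =~ operator. The to_kql() helper also renders the same exclusions as an extended query, with the ProcessPath column name likewise an assumption rather than a documented imFileEvent field.

```python
"""Evaluate the LiveKD dump-file detection plus its exclusions over sample events."""

# Default LiveKD dump path from the rule.
LIVEKD_DUMP = r"C:\Windows\livekd.dmp"

# Process-path substrings drawn from the page's exclusion scenarios.
EXCLUDED_PROCESS_SUBSTRINGS = (
    "livekd.exe", "livekd64.exe",            # LiveKD itself
    "wpa.exe", "perfmon.exe", "msdt.exe",    # diagnostic tooling
    "mcafee", "kaspersky", "bitdefender",    # vendor names in the path
    "procdump.exe",                          # Sysinternals ProcDump
    "setup.exe", "wusa.exe", "dism.exe",     # update / patch processes
)

# Constructed sample events standing in for normalized file_event rows.
# Field names (TargetFileName, ProcessPath) are assumptions for this example.
SAMPLE_EVENTS = [
    {"TargetFileName": r"C:\Windows\livekd.dmp",
     "ProcessPath": r"C:\Tools\SysinternalsSuite\livekd64.exe"},   # legitimate LiveKD use
    {"TargetFileName": r"C:\Windows\livekd.dmp",
     "ProcessPath": r"C:\Users\Public\tmp\updater.exe"},           # unexpected creator
    {"TargetFileName": r"C:\Windows\Temp\foo.tmp",
     "ProcessPath": r"C:\Windows\System32\svchost.exe"},           # unrelated file
    {"TargetFileName": r"c:\windows\LiveKD.DMP",
     "ProcessPath": r"C:\Tools\procdump.exe"},                     # ProcDump, mixed case
]


def matches_selection(event):
    """Case-insensitive equality, equivalent to KQL's =~ on TargetFileName."""
    return event.get("TargetFileName", "").lower() == LIVEKD_DUMP.lower()


def is_excluded(event):
    """True when the creating process path contains any exclusion substring."""
    path = event.get("ProcessPath", "").lower()
    return any(token in path for token in EXCLUDED_PROCESS_SUBSTRINGS)


def evaluate(events):
    """Return the events that match the rule and survive the exclusions."""
    return [e for e in events if matches_selection(e) and not is_excluded(e)]


def to_kql():
    """Render the selection plus exclusions as a KQL query string."""
    dump = LIVEKD_DUMP.replace("\\", "\\\\")
    exclusions = " or ".join(
        f'ProcessPath contains "{token}"' for token in EXCLUDED_PROCESS_SUBSTRINGS
    )
    return (
        "imFileEvent\n"
        f'| where TargetFileName =~ "{dump}"\n'
        f"| where not({exclusions})"
    )


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print("ALERT:", alert["ProcessPath"], "->", alert["TargetFileName"])
    print(to_kql())
```

Running the script reports only the event created by the unexpected process path; the LiveKD and ProcDump events are suppressed by the exclusions and the unrelated temp file never matches the selection. Because the exclusions are plain substring matches on the process path, tightening them to full paths or signer checks is the natural next filter to apply where the false positive rate allows.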