Suspicious Kernel Dump Using Dtrace
Detects a suspicious way to dump the kernel on Windows systems using dtrace.exe, which has been available on Windows since Windows 10 19H1.
Sigma rule

```yaml
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
    - https://twitter.com/0gtweet/status/1474899714290208777?s=12
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: windows
    category: process_creation
detection:
    selection_plain:
        Image|endswith: '\dtrace.exe'
        CommandLine|contains: 'lkd(0)'
    selection_obfuscated:
        CommandLine|contains|all:
            - 'syscall:::return'
            - 'lkd('
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
```
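As an added example (not code from the Sigma project), the Python below evaluates the rule's two selections and its `1 of selection*` condition against a handful of constructed process_creation events, using the case-insensitive substring matching that Sigma's `endswith` and `contains` modifiers imply. The events, paths and command lines are constructed for illustration; the second event shows why `selection_obfuscated` deliberately does not key on the `Image` field.

```python
# Added example: a minimal evaluator for the rule's detection block.
# Event field names follow the Sigma process_creation taxonomy.

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dtrace.exe",
     "CommandLine": r'dtrace.exe -n "lkd(0)"'},
    {"Image": r"C:\Users\Public\dt.exe",  # renamed binary, same probe script
     "CommandLine": r'dt.exe -n "syscall:::return { lkd(0) }"'},
    {"Image": r"C:\Windows\System32\dtrace.exe",
     "CommandLine": "dtrace.exe -l"},  # listing probes; no kernel dump
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo lkd(0)"},  # string present, wrong image
]

def _endswith(value, suffix):
    # Sigma string modifiers match case-insensitively.
    return value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return needle.lower() in value.lower()

def selection_plain(event):
    """Image|endswith '\\dtrace.exe' AND CommandLine|contains 'lkd(0)'."""
    return (_endswith(event.get("Image", ""), r"\dtrace.exe")
            and _contains(event.get("CommandLine", ""), "lkd(0)"))

def selection_obfuscated(event):
    """CommandLine|contains|all: 'syscall:::return' and 'lkd('."""
    cmd = event.get("CommandLine", "")
    return all(_contains(cmd, s) for s in ("syscall:::return", "lkd("))

def rule_matches(event):
    """condition: 1 of selection* -> any selection firing is a hit."""
    return selection_plain(event) or selection_obfuscated(event)

def evaluate(events):
    """Return the indices of the events that match the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"hit #{i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it reports hits for the first two events only: the first via `selection_plain`, the second via `selection_obfuscated` despite the renamed image.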