Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
Sigma rule (View on GitHub)
1title: Suspicious Kernel Dump Using Dtrace
2id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
3status: test
4description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
5references:
6 - https://twitter.com/0gtweet/status/1474899714290208777?s=12
7 - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
8author: Florian Roth (Nextron Systems)
9date: 2021-12-28
10tags:
11 - attack.discovery
12 - attack.t1082
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection_plain:
18 Image|endswith: '\dtrace.exe'
19 CommandLine|contains: 'lkd(0)'
20 selection_obfuscated:
21 CommandLine|contains|all:
22 - 'syscall:::return'
23 - 'lkd('
24 condition: 1 of selection*
25falsepositives:
26 - Unknown
27level: high
References
Related rules
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS
- Docker Container Discovery Via Dockerenv Listing
- Network Reconnaissance Activity