Suspicious Kernel Dump Using Dtrace

Aug 28, 2023 · attack.discovery attack.t1082 ·

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Sigma rule (View on GitHub)

 1title: Suspicious Kernel Dump Using Dtrace
 2id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
 3status: test
 4description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
 5references:
 6    - https://twitter.com/0gtweet/status/1474899714290208777?s=12
 7    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
 8author: Florian Roth (Nextron Systems)
 9date: 2021/12/28
10tags:
11    - attack.discovery
12    - attack.t1082
13logsource:
14    product: windows
15    category: process_creation
16detection:
17    selection_plain:
18        Image|endswith: '\dtrace.exe'
19        CommandLine|contains: 'lkd(0)'
20    selection_obfuscated:
21        CommandLine|contains|all:
22            - 'syscall:::return'
23            - 'lkd('
24    condition: 1 of selection*
25falsepositives:
26    - Unknown
27level: high

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More
DTrace on Windows - Windows drivers

DTrace is a command-line tool tool to display system information and events.

Read More

Suspicious Kernel Dump Using Dtrace

Sigma rule (View on GitHub)

References

DTrace on Windows - Windows drivers

Related rules