← Back to SOC feed Coverage →

Suspicious Kernel Dump Using Dtrace

sigma HIGH SigmaHQ
T1082
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-07T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Detection Rule

Sigma (Original)

title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
    - https://twitter.com/0gtweet/status/1474899714290208777?s=12
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: windows
    category: process_creation
detection:
    selection_plain:
        Image|endswith: '\dtrace.exe'
        CommandLine|contains: 'lkd(0)'
    selection_obfuscated:
        CommandLine|contains|all:
            - 'syscall:::return'
            - 'lkd('
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\dtrace.exe" and TargetProcessCommandLine contains "lkd(0)") or (TargetProcessCommandLine contains "syscall:::return" and TargetProcessCommandLine contains "lkd(")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml