rule: kernel dump using dtrace

rules/windows/process_creation/process_creation_susp_dtrace_kernel_dump.yml

@@ -0,0 +1,24 @@
+title: Suspicious Kernel Dump Using Dtrace
+id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
+status: experimental
+description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
+author: Florian Roth
+date: 2021/12/28
+references:
+    - https://twitter.com/0gtweet/status/1474899714290208777?s=12
+    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_plain:
+        Image|endswith: '\dtrace.exe'
+        CommandLine|contains: 'lkd(0)'
+    selection_obfuscated:
+        CommandLine|contains|all:
+            - 'syscall:::return'
+            - 'lkd('
+    condition: 1 of selection*
+falsepositives:
+    - Unknown
+level: high