
Summary
This detection rule identifies suspicious kernel dump activity on Windows systems involving the dtrace.exe utility, which has been available since Windows 10 version 19H1. The rule focuses on executions of dtrace.exe whose command-line arguments indicate an attempt to invoke kernel routines or manipulate kernel data, specifically the presence of 'lkd(0)' in the command line. Additionally, matching command lines that contain 'syscall:::return' helps pinpoint potentially malicious behavior indicative of system exploitation or reconnaissance. The detection method includes multiple criteria (both plain and obfuscated selections) to increase the likelihood of identifying genuine threats while reducing false positives.
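As an added illustration (not code from the rule or its project), the following Python matcher applies the rule's indicators to constructed process-creation events. The whitespace-tolerant 'lkd ( 0 )' pattern is my assumption about what the obfuscated selection covers; the sample events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Indicators taken from the rule summary above.
PLAIN_LKD = "lkd(0)"
SYSCALL_RETURN = "syscall:::return"
# Assumption: the "obfuscated" selection tolerates whitespace inside lkd(0).
OBFUSCATED_LKD = re.compile(r"lkd\s*\(\s*0\s*\)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged by process-creation telemetry


def match_dtrace_kernel_dump(event: ProcessEvent) -> list:
    """Return the names of the selections the event satisfies (empty list = no alert)."""
    image_name = event.image.lower().rsplit("\\", 1)[-1]
    if image_name != "dtrace.exe":
        return []
    cmd = event.command_line
    hits = []
    if PLAIN_LKD in cmd.lower():
        hits.append("selection_plain")
    elif OBFUSCATED_LKD.search(cmd):
        hits.append("selection_obfuscated")
    if SYSCALL_RETURN in cmd.lower():
        hits.append("selection_syscall")
    return hits


# Constructed sample events: three dtrace.exe invocations and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\dtrace.exe", "dtrace.exe -ln 'syscall:::return'"),
    ProcessEvent(r"C:\Windows\System32\dtrace.exe", "dtrace.exe -n 'BEGIN { lkd(0) }'"),
    ProcessEvent(r"C:\Windows\System32\dtrace.exe", "dtrace.exe -n 'BEGIN { lkd ( 0 ) }'"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe lkd(0).txt"),
]


def scan(events):
    """Return (command_line, selections) for every event that triggers the rule."""
    results = []
    for event in events:
        hits = match_dtrace_kernel_dump(event)
        if hits:
            results.append((event.command_line, hits))
    return results


if __name__ == "__main__":
    for command_line, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {command_line}")
```

The notepad.exe event carries the 'lkd(0)' string but is ignored because the rule is scoped to the dtrace.exe image, which is what keeps the false-positive rate down.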
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-12-28