HackTool - HandleKatz Duplicating LSASS Handle

Detects HandleKatz opening LSASS in order to duplicate an existing handle to it, so that the process memory can later be dumped without opening any new handles.

Sigma rule

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.execution
    - attack.t1106
    - attack.defense-evasion
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
        # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(00000000001C119B)
        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    condition: selection
falsepositives:
    - Unknown
level: high
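The following is an added example, not code from SigmaHQ or from the HandleKatz project. It applies the rule's `selection` to a few constructed Sysmon Event ID 10 (ProcessAccess) records, using Sigma's default case-insensitive string matching, and decodes the `GrantedAccess` mask to show that `0x1440` is exactly the three rights named in the rule comment (PROCESS_DUP_HANDLE, PROCESS_QUERY_INFORMATION, PROCESS_QUERY_LIMITED_INFORMATION). The field names follow Sysmon's ProcessAccess event; the sample events, source image paths and call traces are constructed, apart from the example trace quoted in the rule itself.

```python
"""Evaluate the HandleKatz Sigma rule against constructed Sysmon Event ID 10 records."""
from __future__ import annotations

# Process access rights from winnt.h (fixed Win32 bit values).
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_granted_access(granted: str) -> list[str]:
    """Split a Sysmon GrantedAccess value such as '0x1440' into named rights.

    Bits that are not process-specific rights (e.g. standard rights such as
    SYNCHRONIZE) are reported as a single OTHER(...) entry.
    """
    mask = int(granted, 16)
    names = [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS_RIGHTS)
    if leftover:
        names.append(f"OTHER(0x{leftover:x})")
    return names


def matches_handlekatz(event: dict) -> bool:
    """The rule's 'selection' block. Sigma string modifiers are case-insensitive,
    so every field is lower-cased before comparison."""
    target = event.get("TargetImage", "").lower()
    granted = event.get("GrantedAccess", "").lower()
    trace = event.get("CallTrace", "").lower()
    return (
        target.endswith("\\lsass.exe")
        and granted == "0x1440"
        and trace.startswith("c:\\windows\\system32\\ntdll.dll+")
        and "|unknown(" in trace  # direct syscall stub / unbacked memory, no kernel32 frame
        and trace.endswith(")")
    )


def run_rule(events: list[dict]) -> list[str]:
    """Return the SourceImage of every event the rule fires on."""
    return [e["SourceImage"] for e in events if matches_handlekatz(e)]


# Constructed Sysmon ProcessAccess records (not real telemetry).
SAMPLE_EVENTS = [
    {   # HandleKatz-style access: DUP_HANDLE + query rights only, last frame is unbacked memory.
        "SourceImage": "C:\\Users\\victim\\Downloads\\hk.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1440",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(00000000001C119B)",
    },
    {   # Classic dumper: full access and a trace that passes through KERNELBASE.
        "SourceImage": "C:\\tools\\dumper.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1fffff",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\KERNELBASE.dll+2b14e|C:\\tools\\dumper.exe+1234",
    },
    {   # Same 0x1440 mask, but the call trace ends in a named module: not matched.
        "SourceImage": "C:\\Program Files\\Agent\\agent.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1440",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\KERNELBASE.dll+2b14e|C:\\Program Files\\Agent\\agent.exe+5a6b0",
    },
    {   # Matching mask and trace shape, but the target is not LSASS.
        "SourceImage": "C:\\Users\\victim\\Downloads\\hk.exe",
        "TargetImage": "C:\\Windows\\system32\\svchost.exe",
        "GrantedAccess": "0x1440",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(00000000001C119B)",
    },
]

if __name__ == "__main__":
    print("0x1440 =", " | ".join(decode_granted_access("0x1440")))
    for event in SAMPLE_EVENTS:
        print(f"{matches_handlekatz(event)!s:5} {event['SourceImage']}")
```

The third record is the case the rule comment hints at: any process that legitimately opens LSASS with `0x1440` will share the access mask, so the `CallTrace` constraints (a trace that goes straight from ntdll into an unbacked `UNKNOWN(...)` region, with no kernel32/KERNELBASE frame) carry most of the rule's precision. Tuning should therefore be done on the call trace, not by loosening the access mask.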
