HackTool - HandleKatz Duplicating LSASS Handle
Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
Sigma rule (View on GitHub)
1title: HackTool - HandleKatz Duplicating LSASS Handle
2id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
3status: test
4description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
5references:
6 - https://github.com/codewhitesec/HandleKatz
7author: Bhabesh Raj (rule), @thefLinkk
8date: 2022/06/27
9modified: 2023/11/28
10tags:
11 - attack.execution
12 - attack.t1106
13 - attack.defense_evasion
14 - attack.t1003.001
15logsource:
16 category: process_access
17 product: windows
18detection:
19 selection:
20 TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
21 GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
22 # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
23 CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
24 CallTrace|contains: '|UNKNOWN('
25 CallTrace|endswith: ')'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
-
PIC lsass dumper using cloned handles. Contribute to codewhitesec/HandleKatz development by creating an account on GitHub.
Read More
Related rules
- HackTool - CobaltStrike BOF Injection Pattern
- HackTool - RedMimicry Winnti Playbook Execution
- CMSTP Execution Process Access
- Remote LSASS Process Access Through Windows Remote Management
- Enable BPF Kprobes Tracing