HackTool - Doppelganger LSASS Dumper Execution
Detects the execution of the Doppelganger hacktool, which dumps LSASS memory via process cloning while evading common detection methods. The rule matches either the default binary name or the import hash (IMPHASH) of known builds, so a renamed copy of the same binary still triggers it.
Sigma rule
title: HackTool - Doppelganger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelganger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
    - https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
    - https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Doppelganger.exe'
        - Hashes|contains:
            - 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
            - 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
    condition: selection
falsepositives:
    - Unknown
level: high
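The selection above is a YAML list of two maps, which Sigma evaluates as an OR: an event matches if the image path ends with `\Doppelganger.exe`, or if the Hashes field contains either IMPHASH value (a list under one field is itself an OR). Sigma string matching is also case-insensitive. The following evaluator, an added example that is not part of the rule page or of the SigmaHQ project, applies exactly that logic to constructed Sysmon-style process_creation events; the event dictionaries, their paths and the non-matching hash values are constructed for illustration, and the `evaluate` / `run` function names are this example's own.

```python
"""Minimal evaluator for the rule's 'detection' block over process_creation events.

Added example, not the project's code. Field names (Image, Hashes) follow the Sigma
Windows process_creation taxonomy; the events in EVENTS are constructed samples.
"""

# The rule's detection block transcribed as Python data (values copied from the rule).
RULE = {
    "selection": [
        {"Image|endswith": r"\Doppelganger.exe"},
        {"Hashes|contains": [
            "IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB",
            "IMPHASH=65F0EA61156EE0C2A35421926F0C7F78",
        ]},
    ],
    "condition": "selection",
}


def _match_one(field_spec, pattern, event):
    """Evaluate one 'Field|modifier: value' pair.

    Sigma string comparisons are case-insensitive, so both sides are lower-cased.
    Only the modifiers needed for this rule (plus the plain equality case) are
    implemented.
    """
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    pattern = str(pattern).lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier in example: {modifier!r}")


def _match_map(mapping, event):
    """Inside one map every field must match (AND); a list of values is any-of (OR)."""
    for field_spec, pattern in mapping.items():
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_match_one(field_spec, p, event) for p in patterns):
            return False
    return True


def selection_matches(selection, event):
    """A list of maps under a selection is OR-ed: any one matching map is enough."""
    return any(_match_map(m, event) for m in selection)


def evaluate(rule, event):
    """Return True if the event satisfies the rule. Only 'condition: selection' is supported here."""
    if rule["condition"] != "selection":
        raise ValueError("example only supports 'condition: selection'")
    return selection_matches(rule["selection"], event)


# Constructed sample events (not real telemetry). The second one is a renamed binary
# whose IMPHASH equals a rule value but is written in lower case; the third is benign.
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Doppelganger.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000,"
               "IMPHASH=11111111111111111111111111111111"},
    {"Image": r"C:\Temp\update.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000,"
               "IMPHASH=ab94d5217896adcd765a06b2d52f0aeb"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000,"
               "IMPHASH=22222222222222222222222222222222"},
]


def run():
    """Evaluate every sample event; returns [True, True, False] for EVENTS above."""
    return [evaluate(RULE, e) for e in EVENTS]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, run()):
        print("ALERT " if hit else "      ", event["Image"])
```

The second event is the case the IMPHASH branch exists for: the file has been renamed, so the `Image|endswith` test fails, but the import hash still identifies the build. Because `endswith` is anchored on the backslash, a path such as `C:\x\NotDoppelganger.exe` does not match the name branch, which limits false positives from similarly named files.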
Related rules
- HackTool - Impacket File Indicators
- HackTool - CrackMapExec File Indicators
- CreateDump Process Dump
- DumpMinitool Execution
- HackTool - HandleKatz Duplicating LSASS Handle