HackTool - HandleKatz LSASS Dumper Execution
Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
Sigma rule
title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
    - https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader_img:
        Image|endswith: '\loader.exe'
        CommandLine|contains: '--pid:'
    selection_loader_imphash:
        Hashes|contains:
            - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
            - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
    selection_flags:
        CommandLine|contains|all:
            - '--pid:'
            - '--outfile:'
        CommandLine|contains:
            - '.dmp'
            - 'lsass'
            - '.obf'
            - 'dump'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
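To show how the three selections combine under `condition: 1 of selection_*`, here is an added Python evaluation of the rule's logic over constructed process_creation events; it is not code from the Sigma project or the rule author, and the sample events, the PLACEHOLDER hash values and the `matches` helper are assumptions made for this illustration.

```python
# Added example: evaluates the rule's three selections the way a Sigma backend
# would (case-insensitive substring / suffix matching) and reports which fired.
IMPHASHES = (
    "IMPHASH=38D9E015591BBFD4929E0D0F47FA0055",
    "IMPHASH=0E2216679CA6E1094D63322E3412D650",
)

def _lc(event, field):
    """Sigma string modifiers match case-insensitively, so normalise to lower-case."""
    return str(event.get(field, "")).lower()

def selection_loader_img(event):
    # Image|endswith '\loader.exe' AND CommandLine|contains '--pid:'
    return _lc(event, "Image").endswith("\\loader.exe") and "--pid:" in _lc(event, "CommandLine")

def selection_loader_imphash(event):
    # Hashes|contains: any one of the two listed import hashes
    hashes = _lc(event, "Hashes")
    return any(h.lower() in hashes for h in IMPHASHES)

def selection_flags(event):
    # CommandLine|contains|all (both flags) AND CommandLine|contains (any keyword)
    cmd = _lc(event, "CommandLine")
    has_both_flags = all(f in cmd for f in ("--pid:", "--outfile:"))
    has_keyword = any(k in cmd for k in (".dmp", "lsass", ".obf", "dump"))
    return has_both_flags and has_keyword

def matches(event):
    """condition: 1 of selection_*  -> names of every selection that fired."""
    checks = {
        "selection_loader_img": selection_loader_img,
        "selection_loader_imphash": selection_loader_imphash,
        "selection_flags": selection_flags,
    }
    return [name for name, fn in checks.items() if fn(event)]

# Constructed sample events (not real telemetry); field names follow the
# Windows process_creation schema the rule's logsource points at.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\loader.exe",
     "CommandLine": "loader.exe --pid:652 --outfile:C:\\temp\\out.bin",
     "Hashes": "SHA256=PLACEHOLDER,IMPHASH=PLACEHOLDER"},
    {"Image": "C:\\Tools\\renamed.exe",
     "CommandLine": "renamed.exe --pid:652 --outfile:lsass.obf"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", matches(ev) or "no match")
```

The second event shows why `selection_flags` exists: a renamed binary escapes the `\loader.exe` suffix check but still trips on its command-line flags and keywords.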
Related rules
- HackTool - CreateMiniDump Execution
- HackTool - Windows Credential Editor (WCE) Execution
- Antivirus Password Dumper Detection
- Potentially Suspicious AccessMask Requested From LSASS
- LSASS Process Memory Dump Files