HackTool - HandleKatz LSASS Dumper Execution
Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
Sigma rule (View on GitHub)
1title: HackTool - HandleKatz LSASS Dumper Execution
2id: ca621ba5-54ab-4035-9942-d378e6fcde3c
3status: test
4description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
5references:
6 - https://github.com/codewhitesec/HandleKatz
7author: Florian Roth (Nextron Systems)
8date: 2022/08/18
9modified: 2024/04/15
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_loader_img:
18 Image|endswith: '\loader.exe'
19 CommandLine|contains: '--pid:'
20 selection_loader_imphash:
21 - Imphash:
22 - '38d9e015591bbfd4929e0d0f47fa0055'
23 - '0e2216679ca6e1094d63322e3412d650'
24 - Hashes|contains:
25 - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
26 - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
27 selection_flags:
28 CommandLine|contains|all:
29 - '--pid:'
30 - '--outfile:'
31 CommandLine|contains:
32 - '.dmp'
33 - 'lsass'
34 - '.obf'
35 - 'dump'
36 condition: 1 of selection_*
37falsepositives:
38 - Unknown
39level: high
References
-
PIC lsass dumper using cloned handles. Contribute to codewhitesec/HandleKatz development by creating an account on GitHub.
Read More
Related rules
- Potential LSASS Process Dump Via Procdump
- CrackMapExec File Indicators
- Potential Credential Dumping Activity Via LSASS
- Password Dumper Remote Thread in LSASS
- HackTool - CrackMapExec Process Patterns