HackTool - HandleKatz LSASS Dumper Execution

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

Sigma rule (View on GitHub)

 1title: HackTool - HandleKatz LSASS Dumper Execution
 2id: ca621ba5-54ab-4035-9942-d378e6fcde3c
 3status: test
 4description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
 5references:
 6    - https://github.com/codewhitesec/HandleKatz
 7author: Florian Roth (Nextron Systems)
 8date: 2022/08/18
 9modified: 2023/02/04
10tags:
11    - attack.credential_access
12    - attack.t1003.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_loader_img:
18        Image|endswith: '\loader.exe'
19        CommandLine|contains: '--pid:'
20    selection_loader_imphash:
21        - Imphash:
22              - '38d9e015591bbfd4929e0d0f47fa0055'
23              - '0e2216679ca6e1094d63322e3412d650'
24        - Hashes:
25              - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
26              - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
27    selection_flags:
28        CommandLine|contains|all:
29            - '--pid:'
30            - '--outfile:'
31        CommandLine|contains:
32            - '.dmp'
33            - 'lsass'
34            - '.obf'
35            - 'dump'
36    condition: 1 of selection_*
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top