sigmahighHunting

HackTool - HandleKatz Duplicating LSASS Handle

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

MITRE ATT&CK

executiondefense-evasioncredential-access

Detection Query

selection:
  TargetImage|endswith: \lsass.exe
  GrantedAccess: "0x1440"
  CallTrace|startswith: C:\Windows\System32\ntdll.dll+
  CallTrace|contains: "|UNKNOWN("
  CallTrace|endswith: )
condition: selection

Author

Bhabesh Raj (rule), @thefLinkk

Created

2022-06-27

Data Sources

windowsProcess Access Events

Platforms

windows

References

https://github.com/codewhitesec/HandleKatz

Tags

attack.executionattack.t1106attack.defense-evasionattack.t1003.001attack.credential-access

Raw Content

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.execution
    - attack.t1106
    - attack.defense-evasion
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
        # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    condition: selection
falsepositives:
    - Unknown
level: high