← Back to Explore
sigmahighHunting
HackTool - Doppelanger LSASS Dumper Execution
Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
Detection Query
selection:
- Image|endswith: \Doppelganger.exe
- Hashes|contains:
- IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB
- IMPHASH=65F0EA61156EE0C2A35421926F0C7F78
condition: selection
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2025-07-01
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.credential-accessattack.t1003.001
Raw Content
title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
- https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Doppelganger.exe'
- Hashes|contains:
- 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
- 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
condition: selection
falsepositives:
- Unknown
level: high