Merge pull request #3163 from d4rk-d4nph3/master

Rule for HandleKatz

rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml

@@ -0,0 +1,29 @@
+title: HandleKatz Duplicating LSASS Handle
+id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
+description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
+references:
+    - https://github.com/codewhitesec/HandleKatz
+status: experimental
+author: Bhabesh Raj (rule), @thefLinkk
+date: 2022/06/27
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
+        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
+    
+    call_trace:  # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
+        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+' 
+        CallTrace|contains: '|UNKNOWN('
+        CallTrace|endswith: ')'
+    condition: selection and call_trace
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.execution
+    - attack.t1106
+    - attack.defense_evasion
+    - attack.t1003.001