From e0f8506c1b8e770fa23653a27b1891ef2d6944a5 Mon Sep 17 00:00:00 2001
From: Bhabesh
Date: Mon, 27 Jun 2022 17:25:21 +0545
Subject: [PATCH 1/2] Rule for HandleKatz
---
 ...roc_access_win_handlekatz_lsass_access.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
diff --git a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
new file mode 100644
index 000000000..3c496416f
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
@@ -0,0 +1,30 @@
+title: HandleKatz Duplicating LSASS Handle
+id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
+description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
+references:
+ - https://github.com/codewhitesec/HandleKatz
+status: experimental
+author: Bhabesh Raj (rule), @thefLinkk
+date: 2022/06/27
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
+ GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
+ CallTrace|contains: '|UNKNOWN('
+ filter:
+ CallTrace|contains:
+ - '\KERNEL32.DLL+'
+ - '\KERNELBASE.DLL+'
+ - '\WOW64.DLL+'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.execution
+ - attack.t1106
+ - attack.defense_evasion
+ - attack.t1003.001
From 1f7e37d2a083209888d13dfd2987b72aff39b09f Mon Sep 17 00:00:00 2001
From: Bhabesh
Date: Tue, 28 Jun 2022 10:56:18 +0545
Subject: [PATCH 2/2] Fixed CallTrace
---
 .../proc_access_win_handlekatz_lsass_access.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
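Review bot: The inline comment on `TargetImage|endswith: '\lsass.exe'` (`# Theoretically, can be any benign process holding handle to LSASS`) leaves the coverage gap implicit: the handle being duplicated could be taken from another process that already holds an LSASS handle, in which case TargetImage would not be lsass.exe and this selection would not fire. Suggest stating that plainly so analysts know what the rule does not see, e.g. `# Handle duplication can target any process that already holds an LSASS handle; this rule only covers the direct lsass.exe case`. The same limitation belongs in `description` or `falsepositives` rather than only in a field comment, since `falsepositives: - Unknown` currently gives the reader nothing about either the expected gaps or the benign accesses the `filter` stanza is meant to exclude.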
diff --git a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
index 3c496416f..181ec14a3 100644
--- a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
@@ -13,13 +13,12 @@ detection:
 selection:
 TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
 GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
+
+ call_trace: # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
+ CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
 CallTrace|contains: '|UNKNOWN('
- filter:
- CallTrace|contains:
- - '\KERNEL32.DLL+'
- - '\KERNELBASE.DLL+'
- - '\WOW64.DLL+'
- condition: selection and not filter
+ CallTrace|endswith: ')'
+ condition: selection and call_trace
 falsepositives:
 - Unknown
 level: high
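Review bot: The new `call_trace` selection is looser than its own example comment suggests: `CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'` together with `CallTrace|contains: '|UNKNOWN('` and `CallTrace|endswith: ')'` also matches a trace of the shape `ntdll.dll+…|KERNELBASE.dll+…|UNKNOWN(…)`, i.e. a process with unbacked or JIT code reaching LSASS through the ordinary kernel32/kernelbase path, which the removed `filter` previously excluded. If the intended signal is the ntdll frame immediately followed by an unbacked frame, either keep the dropped exclusions next to the positive match (`condition: selection and call_trace and not filter`) or anchor the two frames together with a `CallTrace|re` pattern, bearing in mind that `re` is case-sensitive while the plain modifiers are not and the example shows `SYSTEM32` where the rule writes `System32`. The example in the `call_trace:` comment also carries a stray backslash before the pipe (`+9d234\|UNKNOWN`) that does not match the literal `'|UNKNOWN('` the rule tests, so `# e.g. C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(00000000001C119B)` would be accurate. The enclosing `detection` mapping starts before this hunk; `detection:` is visible only in the hunk header.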