Florian Roth
40 lines
1.2 KiB
YAML
40 lines
1.2 KiB
YAML
title: HandleKatz LSASS Dumper Usage
|
|
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
|
|
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
|
|
references:
|
|
- https://github.com/codewhitesec/HandleKatz
|
|
status: experimental
|
|
author: Florian Roth
|
|
date: 2022/08/18
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_loader:
|
|
Image|endswith: '\loader.exe'
|
|
CommandLine|contains: '--pid:'
|
|
selection_loader_imphash:
|
|
- Imphash:
|
|
- '38d9e015591bbfd4929e0d0f47fa0055'
|
|
- '0e2216679ca6e1094d63322e3412d650'
|
|
- Hashes:
|
|
- 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
|
|
- 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
|
|
selection_flags_1:
|
|
CommandLine|contains|all:
|
|
- '--pid:'
|
|
- '--outfile:'
|
|
selection_flags_2:
|
|
CommandLine|contains:
|
|
- '.dmp'
|
|
- 'lsass'
|
|
- '.obf'
|
|
- 'dump'
|
|
condition: 1 of selection_loader_* or all of selection_flags*
|
|
falsepositives:
|
|
- Unknown
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003.001
|
|
level: high
|