
HackTool - HandleKatz LSASS Dumper Execution

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK: T1003.001 · Sentinel table: imProcessCreate · Tags: backdoor, credential-theft
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-08T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects execution of HandleKatz, a tool that uses cloned handles to LSASS to write an obfuscated memory dump of that process.

Detection Rule

Sigma (Original)

title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
    - https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader_img:
        Image|endswith: '\loader.exe'
        CommandLine|contains: '--pid:'
    selection_loader_imphash:
        Hashes|contains:
            - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
            - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
    selection_flags:
        CommandLine|contains|all:
            - '--pid:'
            - '--outfile:'
        CommandLine|contains:
            - '.dmp'
            - 'lsass'
            - '.obf'
            - 'dump'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\loader.exe" and TargetProcessCommandLine contains "--pid:")
    or (TargetProcessIMPHASH startswith "38D9E015591BBFD4929E0D0F47FA0055"
        or TargetProcessIMPHASH startswith "0E2216679CA6E1094D63322E3412D650")
    or ((TargetProcessCommandLine contains "--pid:" and TargetProcessCommandLine contains "--outfile:")
        and (TargetProcessCommandLine contains ".dmp"
            or TargetProcessCommandLine contains "lsass"
            or TargetProcessCommandLine contains ".obf"
            or TargetProcessCommandLine contains "dump"))
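The Sigma detection block above and its KQL translation encode the same three-way OR (image name plus "--pid:", either of two import hashes, or the "--pid:"/"--outfile:" pair together with a dump-related keyword). The following evaluator, an added example written for this page and not code from SigmaHQ, the HandleKatz project or the feed, transcribes the rule's selections into Python and runs them over constructed process-creation events so the combination logic can be checked offline. It assumes Sigma's default case-insensitive string matching, that a missing field never matches, and that the Hashes field carries a comma-separated "NAME=VALUE" list as Sysmon emits it; the events and hash values are made up for the test.

```python
"""Evaluate the HandleKatz Sigma rule's selections over constructed events.
Added example for this page; the evaluator covers only the modifiers the
rule uses (contains, endswith, |all), not the full Sigma specification."""

# Detection block transcribed from the Sigma rule on this page.
RULE = {
    "selection_loader_img": {
        "Image|endswith": "\\loader.exe",
        "CommandLine|contains": "--pid:",
    },
    "selection_loader_imphash": {
        "Hashes|contains": [
            "IMPHASH=38D9E015591BBFD4929E0D0F47FA0055",
            "IMPHASH=0E2216679CA6E1094D63322E3412D650",
        ],
    },
    "selection_flags": {
        "CommandLine|contains|all": ["--pid:", "--outfile:"],
        "CommandLine|contains": [".dmp", "lsass", ".obf", "dump"],
    },
}
# condition: 1 of selection_*  ->  any selection matching fires the rule


def _match_one(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; Sigma matching is case-insensitive."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier {modifier!r}")


def _match_field(event: dict, key: str, patterns) -> bool:
    """Evaluate a 'Field|modifier[|all]' entry. A list of values is OR-ed,
    unless |all is present, in which case every value must match.
    An event without the field never matches (assumption for this example)."""
    field, *mods = key.split("|")
    require_all = "all" in mods
    modifier = next((m for m in mods if m != "all"), "")
    value = event.get(field)
    if value is None:
        return False
    if isinstance(patterns, str):
        patterns = [patterns]
    results = [_match_one(str(value), modifier, p) for p in patterns]
    return all(results) if require_all else any(results)


def matched_selections(event: dict) -> list:
    """Names of the selections the event satisfies; within a selection,
    every field entry must match (AND)."""
    return [
        name for name, fields in RULE.items()
        if all(_match_field(event, k, v) for k, v in fields.items())
    ]


def rule_fires(event: dict) -> bool:
    """Rule condition '1 of selection_*'."""
    return bool(matched_selections(event))


# Constructed sample events (not real telemetry; hashes are placeholders).
SAMPLE_EVENTS = [
    # image name + --pid: -> selection_loader_img
    {"Image": r"C:\Users\Public\loader.exe",
     "CommandLine": "loader.exe --pid:4242",
     "Hashes": "SHA256=0000,IMPHASH=AAAA"},
    # lowercase imphash still matches (case-insensitive) -> selection_loader_imphash
    {"Image": r"C:\Temp\svc.exe",
     "CommandLine": "svc.exe",
     "Hashes": "SHA256=1111,IMPHASH=38d9e015591bbfd4929e0d0f47fa0055"},
    # both flags plus ".obf" -> selection_flags
    {"Image": r"C:\Temp\x.exe",
     "CommandLine": "x.exe --pid:4242 --outfile:C:\\Temp\\out.obf",
     "Hashes": "SHA256=2222,IMPHASH=BBBB"},
    # loader.exe without --pid: -> no match
    {"Image": r"C:\Program Files\Vendor\loader.exe",
     "CommandLine": "loader.exe --config:a.json",
     "Hashes": "SHA256=3333,IMPHASH=CCCC"},
    # both flags but no dump keyword -> no match (the |all half is not enough)
    {"Image": r"C:\Tools\profiler.exe",
     "CommandLine": "profiler.exe --pid:100 --outfile:report.txt",
     "Hashes": "SHA256=4444,IMPHASH=DDDD"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_selections(ev), ev["CommandLine"])
```

The last two sample events are the ones worth keeping in a unit test when the rule is tuned: they show that the image-name selection needs the "--pid:" argument and that selection_flags needs both the flag pair and one of the dump keywords, which is exactly the AND between the "contains|all" entry and the plain "contains" entry in the YAML.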

Required Data Sources

Sentinel Table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

The rule lists its false positives as Unknown. Of the three selections, the two import hashes are the most specific indicator; the image name "\loader.exe" combined with "--pid:" and the generic "--pid:"/"--outfile:" flag pair are the parts most likely to collide with unrelated tooling, so baseline those command-line patterns in your environment before alerting at high severity.

MITRE ATT&CK Context

Tactic: Credential Access (attack.credential-access). Technique: T1003.001, OS Credential Dumping: LSASS Memory.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml