HackTool - HandleKatz LSASS Dumper Execution
About the rule
Rule Type
Standard
Rule Description
Detects execution of HandleKatz, an LSASS dumper that duplicates ("clones") an existing handle to the LSASS process instead of opening lsass.exe directly, and writes an obfuscated minidump of its memory for offline credential extraction on Windows systems.
Severity
Trouble
Rule journey
Attack chain scenario
Credential Access (T1003.001) → Lateral Movement → Privilege Escalation → Full Compromise
Impact
Compromise of credentials through extraction from LSASS memory, enabling lateral movement, privilege escalation, and further system compromise.
Rule Requirement
Prerequisites
Using Windows Event Viewer (GPO method)
- Log in to a domain controller.
- Open Group Policy Management (gpmc.msc).
- Create or edit a GPO linked to the target OU.
- Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
- Enable “Audit Process Creation” (Success)
- Enable “Audit Process Termination” (Success)
- Navigate to:
Computer Configuration → Administrative Templates → System → Audit Process Creation
- Enable “Include command line in process creation events” (without it, Event ID 4688 carries no command line and the COMMANDLINE branches of the criteria cannot match)
- Open Registry Editor and create the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download Sysmon from Microsoft Sysinternals.
- Install it with a configuration file that enables ProcessCreate (Event ID 1) logging and includes IMPHASH in HashAlgorithms (for example <HashAlgorithms>*</HashAlgorithms>). The HASHES branch of the criteria depends on the import hash being present in the Sysmon Hashes field; Windows 4688 events carry no hashes at all.
- Open Registry Editor and create the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started"
  AND (
    (PROCESSNAME endswith "\loader.exe" AND COMMANDLINE contains "--pid:")
    OR HASHES contains "IMPHASH=38D9E015591BBFD4929E0D0F47FA0055,IMPHASH=0E2216679CA6E1094D63322E3412D650"
    OR (COMMANDLINE contains "--pid:" AND COMMANDLINE contains "--outfile:" AND COMMANDLINE contains ".dmp,lsass,.obf,dump")
  )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
The three OR-ed branches are grouped in parentheses so that the "Process started" condition applies to all of them; written without the grouping, AND binds tighter than OR and only the first branch would be restricted to process-creation events. A comma-separated value list in a contains clause matches when any one of the listed values is present. The first branch keys on the default HandleKatz binary name plus its --pid: switch, the second on the import hashes of the known builds (Sysmon events only), and the third on the --pid:/--outfile: switch pair combined with a dump-related token, which still fires when the binary has been renamed or rebuilt.
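As an added example, not part of the rule page or of the HandleKatz project, the following Python reimplements the criteria above and runs it over constructed sample process-creation events. Field names follow Sysmon Event ID 1 (Image, CommandLine, Hashes); the hostnames, paths and SHA256 placeholders are made up for the demonstration, and the two listed import hashes are the ones the rule matches on.

```python
# Added example: reference implementation of the HandleKatz detection criteria,
# evaluated over constructed sample events. Not the rule platform's engine.

IMPHASHES = {
    "38D9E015591BBFD4929E0D0F47FA0055",
    "0E2216679CA6E1094D63322E3412D650",
}
# The command-line branch needs --pid: AND --outfile: AND any one of these.
DUMP_HINTS = (".dmp", "lsass", ".obf", "dump")


def imphash_of(hashes: str) -> str:
    """Extract the IMPHASH value from a Sysmon Hashes field such as
    'SHA256=...,IMPHASH=...'. Returns '' when absent (a 4688 event, or Sysmon
    configured without IMPHASH), which can never match the allow-list above."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "IMPHASH":
            return value.strip().upper()
    return ""


def matches_handlekatz(event: dict) -> bool:
    """Evaluate the three OR-ed branches, all gated on a process-creation event."""
    if event.get("EventType") != "ProcessCreate":
        return False
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    by_image = image.endswith("\\loader.exe") and "--pid:" in cmd
    by_hash = imphash_of(event.get("Hashes", "")) in IMPHASHES
    by_cmdline = (
        "--pid:" in cmd
        and "--outfile:" in cmd
        and any(hint in cmd for hint in DUMP_HINTS)
    )
    return by_image or by_hash or by_cmdline


def detect(events):
    """Return (Hostname, CommandLine) for every event the rule would alert on,
    mirroring the fields the criteria's select clause surfaces."""
    return [(e["Hostname"], e["CommandLine"]) for e in events if matches_handlekatz(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # unmodified HandleKatz loader: image name, hash and switches all match
        "EventType": "ProcessCreate", "Hostname": "WS01",
        "Image": r"C:\Users\bob\Downloads\loader.exe",
        "CommandLine": r"loader.exe --pid:624 --outfile:C:\Temp\lsass.obf",
        "Hashes": "SHA256=AAAA,IMPHASH=38D9E015591BBFD4929E0D0F47FA0055",
    },
    {   # renamed binary with a neutral output name: only the import hash gives it away
        "EventType": "ProcessCreate", "Hostname": "WS02",
        "Image": r"C:\ProgramData\svc.exe",
        "CommandLine": "svc.exe --pid:624 --outfile:out.bin",
        "Hashes": "SHA256=BBBB,IMPHASH=0e2216679ca6e1094d63322e3412d650",
    },
    {   # rebuilt (unknown hash) and renamed: caught by the switch/token combination
        "EventType": "ProcessCreate", "Hostname": "WS03",
        "Image": r"C:\Windows\Temp\update.exe",
        "CommandLine": r"update.exe --pid:624 --outfile:C:\Windows\Temp\x.dmp",
        "Hashes": "SHA256=CCCC,IMPHASH=11111111111111111111111111111111",
    },
    {   # loader.exe without --pid: does not satisfy the image branch
        "EventType": "ProcessCreate", "Hostname": "WS04",
        "Image": r"C:\Tools\loader.exe",
        "CommandLine": "loader.exe --help",
        "Hashes": "SHA256=DDDD,IMPHASH=22222222222222222222222222222222",
    },
    {   # same command line on a process-termination record: not a match
        "EventType": "ProcessTerminate", "Hostname": "WS05",
        "Image": r"C:\Users\bob\Downloads\loader.exe",
        "CommandLine": r"loader.exe --pid:624 --outfile:C:\Temp\lsass.obf",
        "Hashes": "",
    },
    {   # other LSASS dumpers use different switches and need their own rule
        "EventType": "ProcessCreate", "Hostname": "WS06",
        "Image": r"C:\Tools\procdump64.exe",
        "CommandLine": "procdump64.exe -ma lsass.exe lsass.dmp",
        "Hashes": "SHA256=EEEE,IMPHASH=33333333333333333333333333333333",
    },
]

if __name__ == "__main__":
    for host, cmdline in detect(SAMPLE_EVENTS):
        print(f"ALERT {host}: {cmdline}")
```

Running the block alerts on WS01, WS02 and WS03 only. The WS05 record shows why the "Process started" gate has to wrap all three branches, and WS06 shows that the rule is specific to HandleKatz's switches rather than to LSASS dumping in general.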
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1003.001 – OS Credential Dumping: LSASS Memory
Security Standards
Implementation of endpoint behavior prevention, credential access protections like Credential Guard, OS hardening by disabling vulnerable authentication protocols, and privileged account management to reduce attack surface.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
No known false positives; the detection keys on HandleKatz-specific command-line switches (--pid:, --outfile:) and on the import hashes of the known binaries. Note that the image-name branch matches any binary named loader.exe that is launched with a --pid: argument, so unrelated tooling using that name and switch would also fire and should be checked before tuning.
Next Steps
- Investigate detected execution instances for legitimacy and context.
- Harden endpoint defenses by enabling Attack Surface Reduction (ASR) rules and Credential Guard.
- Enforce password complexity and privileged account restrictions.
- Monitor process creation logs continuously for suspicious LSASS access attempts.
- Conduct user and administrator training on credential security best practices.
Mitigation
Mitigation ID | Name | Description
M1040 | Behavior Prevention on Endpoint | Enable the Attack Surface Reduction (ASR) rule that blocks credential stealing from the Windows local security authority subsystem (LSASS) on Windows 10 and later.
M1043 | Credential Access Protection | Deploy and configure Windows Defender Credential Guard to isolate LSA secrets; hardware and firmware requirements (UEFI, virtualization-based security) apply.
M1028 | Operating System Configuration | Disable or restrict NTLM and WDigest authentication so that fewer reusable credentials are held in LSASS memory.
M1027 | Password Policies | Enforce complex, unique passwords for local administrator accounts across the network.
M1026 | Privileged Account Management | Restrict membership of domain user and admin accounts in local administrator groups to limit credential exposure.
M1025 | Privileged Process Integrity | Run LSASS as a Protected Process Light (RunAsPPL) on supported Windows versions so that unprotected processes cannot obtain the handle rights needed to read its memory.
M1017 | User Training | Educate users and administrators on not reusing credentials across systems to limit the damage from a single credential compromise.