Detectionhighexperimental

HackTool - Doppelanger LSASS Dumper Execution

Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Tue Jul 01d474c8fe-bb69-4ea0-b7d9-f682b56d52d3windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\Doppelganger.exe'
        - Hashes|contains:
              - 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
              - 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.001 · LSASS Memory

Rule Metadata

Rule ID

d474c8fe-bb69-4ea0-b7d9-f682b56d52d3

Status

experimental

Level

high

Type

Detection

Created

Tue Jul 01

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_hktl_doppelganger.yml

Raw Tags

attack.credential-accessattack.t1003.001

View on GitHub