
Rule Info
Name
HackTool - Doppelanger LSASS Dumper Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of the Doppelganger hacktool, which is used to dump LSASS memory via process cloning while evading common detection methods
Reference
Date
2025-07-01 00:00:00
Modified
None
Id
d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
Tags
attack.credential-access attack.t1003.001
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5509 from @swachchhanda000 - Doppelganger Cloning and Dumping LSASS
Date
2025-07-03
Commit