
Comments (2)

skelsec avatar skelsec commented on July 22, 2024

Hello,

This is expected behavior, I will expand the wiki about it probably with the text below:

The handledup method will search for all open process handles in all processes and test whether the given handle is a process handle to LSASS. If it is, then it will try to use that handle, and if it succeeds then hurray; if not, then it will continue with the next available handle.
The handle searching does not know upfront which process has which handles, it simply requests ALL possible handles via windows API call, therefore some "bruteforcing" is needed.
This method can succeed because of two possible reasons:

  • a random process has an open handle to LSASS, and you can access this random process via your debug privs
  • LSASS itself has an open handle to LSASS by default. You might ask: but then how is this different than the normal method? Well, Timmy, the reason is: to access only a process handle object in a given process you need different flags to open the process than if you'd like to read the same process' full memory. Antiviruses tend to focus on the WE DEFEAT MIMIKATZ WARRGGGRGAHHH approach, so they (not all, hence you can't always win) specifically filter/block OpenProcess calls with that one specific flag value mimikatz uses. This method doesn't use that specific flag value, therefore it bypasses this filtering.

I hope this clears it up.

from pypykatz.
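As an added example (not pypykatz's code and not part of the thread), one way a defender can model the distinction drawn above: flag LSASS opens that carry the memory-read right, flag separately those that carry only the handle-duplication right, and flag a source that probes many processes for duplicable handles, since the indirect path has to "bruteforce" which process holds an LSASS handle. The field names (SourceImage, TargetImage, GrantedAccess) are assumed to follow Sysmon Event ID 10 (ProcessAccess); the events are constructed.

```python
from collections import defaultdict

# Process access rights from winnt.h
PROCESS_VM_READ = 0x0010      # needed to read another process' memory
PROCESS_DUP_HANDLE = 0x0040   # needed to duplicate handles out of a process

def classify_event(event):
    """Per-event rules on the access mask granted against lsass.exe.
    GrantedAccess is a hex string, as Sysmon writes it (assumption)."""
    mask = int(event["GrantedAccess"], 16)
    hits = []
    if event["TargetImage"].lower().endswith("\\lsass.exe"):
        if mask & PROCESS_VM_READ:       # direct memory-read path
            hits.append("lsass-direct-read")
        if mask & PROCESS_DUP_HANDLE:    # handle-duplication path
            hits.append("lsass-dup-handle")
    return hits

def find_dup_sweeps(events, min_targets=3):
    """Sources that opened at least min_targets distinct processes with
    PROCESS_DUP_HANDLE.  The indirect path does not know which process holds
    an LSASS handle, so it has to probe many of them."""
    targets = defaultdict(set)
    for e in events:
        if int(e["GrantedAccess"], 16) & PROCESS_DUP_HANDLE:
            targets[e["SourceImage"]].add(e["TargetImage"].lower())
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def scan(events, min_targets=3):
    per_event = [(e["SourceImage"], r) for e in events for r in classify_event(e)]
    return per_event, find_dup_sweeps(events, min_targets)

def _ev(src, dst, access):
    return {"SourceImage": src, "TargetImage": dst, "GrantedAccess": access}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", "0x1000"),
    _ev(r"C:\tmp\dumper.exe", r"C:\Windows\System32\lsass.exe", "0x1010"),
    _ev(r"C:\tmp\dup.exe", r"C:\Windows\System32\svchost.exe", "0x0040"),
    _ev(r"C:\tmp\dup.exe", r"C:\Windows\explorer.exe", "0x0040"),
    _ev(r"C:\tmp\dup.exe", r"C:\Windows\System32\lsass.exe", "0x0040"),
]

if __name__ == "__main__":
    hits, sweeps = scan(SAMPLE_EVENTS)
    print(hits)    # [('C:\\tmp\\dumper.exe', 'lsass-direct-read'), ('C:\\tmp\\dup.exe', 'lsass-dup-handle')]
    print(sweeps)  # {'C:\\tmp\\dup.exe': 3}
```

The sweep rule is what catches the "random process has a handle to LSASS" case, which a target-equals-lsass rule alone never sees.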

m-j-w-69 avatar m-j-w-69 commented on July 22, 2024

Many thanks for the super quick response. Really understand the use case now and when this could be useful and when it will trigger/flag. Will close now.

Regards

from pypykatz.
