
Summary
This detection rule identifies execution of the Doppelanger hacktool, which extracts credential material from the LSASS process on Windows by process cloning: it creates a clone of lsass.exe and takes the memory dump from the clone rather than from the live process, which is why the technique evades many detections built around direct LSASS memory access. The rule alerts on process creation when the Image field ends with '\Doppelganger.exe' or when the Hashes field contains one of the IMPHASH values of known Doppelanger builds. Both conditions are indicator-based and should be read as such: renaming the binary defeats the image-name check, rebuilding the tool changes its import hash, and an IMPHASH is derived only from the PE import table, so it can be shared by unrelated binaries built with the same toolchain. Hash-only hits therefore warrant verification of the process path, parent process and signer before escalation, and the rule should be paired with behavioural coverage of LSASS access rather than relied on alone. The rule and its references carry experimental status, meaning the logic is still being refined.
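The two selection conditions described above, re-implemented as an added example (this is neither the rule's own YAML nor Doppelanger's code) and run over constructed Sysmon Event ID 1 records. The IMPHASH values in `KNOWN_IMPHASHES` are placeholders, an assumption standing in for the values listed in the rule; the sample events, the `ProcessCreate` type and the `match_reasons` / `scan` helpers are likewise illustrative. The example also shows the two coverage gaps the summary names: a renamed copy still hits on IMPHASH, while a rebuilt binary with a fresh import table slips past both selections.

```python
"""Rule logic for the Doppelanger detection, applied to Sysmon process-creation records.

Added example, not the Sigma rule itself. Hash values and events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Placeholder IMPHASH values (assumption: substitute the values listed in the rule;
# these two are NOT real Doppelanger import hashes).
KNOWN_IMPHASHES: frozenset[str] = frozenset({
    "0123456789abcdef0123456789abcdef",
    "fedcba9876543210fedcba9876543210",
})

# Sigma 'Image|endswith' selection; Sigma string matching is case-insensitive.
IMAGE_SUFFIX = "\\doppelganger.exe"


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of a Sysmon Event ID 1 record relevant to the rule."""
    image: str
    hashes: str          # Sysmon 'Hashes' field, e.g. "SHA256=...,IMPHASH=..."
    parent_image: str = ""


def parse_hashes(field: str) -> dict[str, str]:
    """Split the Sysmon 'Hashes' field into {ALGO: lowercase hex digest}."""
    parsed: dict[str, str] = {}
    for part in field.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            parsed[algo.strip().upper()] = digest.strip().lower()
    return parsed


def match_reasons(ev: ProcessCreate) -> list[str]:
    """Return which of the rule's two selections fired ([] means no alert)."""
    reasons: list[str] = []
    if ev.image.lower().endswith(IMAGE_SUFFIX):
        reasons.append("image_name")
    # The rule expresses this as Hashes|contains 'IMPHASH=<value>'. Parsing the
    # field is equivalent for well-formed records and tolerates a missing IMPHASH
    # (Sysmon only emits it when IMPHASH is enabled in HashAlgorithms).
    imphash = parse_hashes(ev.hashes).get("IMPHASH")
    if imphash in KNOWN_IMPHASHES:
        reasons.append("imphash")
    return reasons


def scan(events: list[ProcessCreate]) -> list[tuple[str, list[str]]]:
    """Run the rule over a batch; each hit carries the selections that matched."""
    return [(ev.image, r) for ev in events if (r := match_reasons(ev))]


SHA256_FILLER = "SHA256=" + "a" * 64  # constructed, not a real digest

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Tool run under its own name: both selections fire.
    ProcessCreate(r"C:\Users\bob\Downloads\Doppelganger.exe",
                  SHA256_FILLER + ",IMPHASH=0123456789abcdef0123456789abcdef"),
    # 2. Renamed copy: image check misses, IMPHASH (reported upper-case) still hits.
    ProcessCreate(r"C:\Windows\Temp\svchost_update.exe",
                  SHA256_FILLER + ",IMPHASH=FEDCBA9876543210FEDCBA9876543210"),
    # 3. Benign process with an unrelated import hash: no alert.
    ProcessCreate(r"C:\Windows\System32\cmd.exe",
                  SHA256_FILLER + ",IMPHASH=11111111111111111111111111111111"),
    # 4. Original name but IMPHASH not collected: image check alone fires.
    ProcessCreate(r"D:\tools\Doppelganger.exe", SHA256_FILLER),
    # 5. Renamed AND rebuilt (new import table): evades both selections.
    ProcessCreate(r"C:\Windows\Temp\dg.exe",
                  SHA256_FILLER + ",IMPHASH=22222222222222222222222222222222"),
]


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: matched on {', '.join(reasons)}")
```

Case 5 is the one to remember when tuning: neither selection has anything left to match once the binary is renamed and rebuilt, so the rule is a cheap tripwire for unmodified copies, not coverage of the cloning technique itself.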
Categories
- Windows
- Endpoint
- Network
- Application
Data Sources
- Process
- Application Log
Created: 2025-07-01