Mimikatz Module Names in Command Line (RedCanary Threat Detection Report)
Detects presence of common Mimikatz module names in command line strings. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule

```yaml
title: Mimikatz Module Names in Command Line (RedCanary Threat Detection Report)
id: ca5d91c2-3411-4085-a003-d7df8ce60244
status: experimental
description: Detects presence of common Mimikatz module names in command line strings. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/mimikatz/
    - https://github.com/gentilkiwi/mimikatz/wiki (for additional module names)
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'sekurlsa::logonpasswords'
            - 'lsadump::sam'
            - 'sekurlsa::minidump'
    condition: selection
falsepositives:
    - Unknown
level: low
```
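The following is an added example, not code from the rule's authors or from the Sigma project: it reimplements the rule's single `CommandLine|contains` selection in Python and runs it over constructed process-creation events (invented sample data, not real telemetry) so the matching behaviour can be checked offline. Two points it makes explicit: Sigma's `contains` modifier is case-insensitive, so an attacker mixing case in a module name still matches; and a Mimikatz binary started with no arguments and driven interactively never puts the module names on the command line, so process-creation telemetry alone does not catch that usage. The event field names follow the Sigma process_creation convention (`Image`, `CommandLine`).

```python
"""Evaluate the Sigma selection above against constructed Windows
process-creation events (field names as used by Sigma's process_creation
log source). Added example; sample events are invented."""

# The module strings exactly as listed under CommandLine|contains in the rule.
MIMIKATZ_MODULE_STRINGS = (
    "sekurlsa::logonpasswords",
    "lsadump::sam",
    "sekurlsa::minidump",
)


def matches_rule(event: dict) -> bool:
    """Return True if the event's CommandLine contains any listed module name.

    Sigma's `contains` modifier is case-insensitive, so both sides are
    lower-cased before the substring test. An event without a CommandLine
    field (or with a null one) cannot match.
    """
    cmdline = (event.get("CommandLine") or "").lower()
    return any(needle in cmdline for needle in MIMIKATZ_MODULE_STRINGS)


def select_matching(events):
    """Return the subset of events that satisfy `condition: selection`."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Assumed shapes only.
SAMPLE_EVENTS = [
    # Classic one-shot credential dump: matches on sekurlsa::logonpasswords.
    {"Image": r"C:\Users\alice\Downloads\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # Renamed binary; the module name still appears, so the rule still fires.
    {"Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": r'svc.exe "lsadump::sam" exit'},
    # Mixed case: matches because the comparison is case-insensitive.
    {"Image": r"C:\Windows\Temp\m.exe",
     "CommandLine": r'm.exe "SEKURLSA::MINIDUMP C:\Windows\Temp\lsass.dmp" "sekurlsa::logonPasswords"'},
    # Interactive session: modules are typed at the prompt, so the command
    # line carries nothing for this rule to see (a known blind spot).
    {"Image": r"C:\Users\alice\Downloads\mimikatz.exe",
     "CommandLine": r"mimikatz.exe"},
    # Benign process for contrast.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]


if __name__ == "__main__":
    for e in select_matching(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "|", e["CommandLine"])
```

Run stand-alone it prints the three matching events; the interactive launch and the benign `cmd.exe` event are not reported, which is the expected behaviour of the rule as written rather than a bug in the reimplementation.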