Mimikatz Module Names in Command Line (RedCanary Threat Detection Report)

Detects presence of common Mimikatz module names in command line strings. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: Mimikatz Module Names in Command Line (RedCanary Threat Detection Report)
id: ca5d91c2-3411-4085-a003-d7df8ce60244
status: experimental
description: Detects presence of common Mimikatz module names in command line strings. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/mimikatz/
    - https://github.com/gentilkiwi/mimikatz/wiki (for additional module names)
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'sekurlsa::logonpasswords'
            - 'lsadump::sam'
            - 'sekurlsa::minidump'
    condition: selection
falsepositives:
    - Unknown
level: low
```
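The rule's whole logic is a substring match on the `CommandLine` field of process-creation events. The following added example (not part of the rule, the Red Canary report, or the Sigma project) reproduces that `CommandLine|contains` selection in Python and runs it over a handful of constructed process-creation events modelled loosely on Sysmon Event ID 1 fields. Two details matter in practice and are shown here: Sigma string matching is case-insensitive unless the `|cased` modifier is used, so an upper-cased `LSADUMP::SAM` still fires; and a Mimikatz invocation whose module names live inside an encoded PowerShell payload never exposes those strings on the command line, which is one reason the rule carries `level: low` rather than standing alone. The event dictionaries and the `matches_rule`/`run_detection` helpers are assumptions made for this example.

```python
"""Added example (not part of the rule page): evaluates the Sigma rule's
CommandLine|contains selection over constructed process_creation events."""
import re

# The three substrings from the rule's `selection`, copied verbatim.
MIMIKATZ_MODULE_PATTERNS = (
    "sekurlsa::logonpasswords",
    "lsadump::sam",
    "sekurlsa::minidump",
)

# Sigma matches strings case-insensitively by default (no |cased modifier),
# so each literal is escaped and compiled with re.IGNORECASE.
_COMPILED = [re.compile(re.escape(p), re.IGNORECASE) for p in MIMIKATZ_MODULE_PATTERNS]


def matches_rule(event: dict) -> list[str]:
    """Return the rule patterns present in the event's CommandLine field.

    An empty list means `selection` did not match, so the rule does not fire.
    A missing or null CommandLine is treated as an empty string rather than an error.
    """
    cmdline = event.get("CommandLine") or ""
    return [p for p, rx in zip(MIMIKATZ_MODULE_PATTERNS, _COMPILED) if rx.search(cmdline)]


# Constructed sample events (hypothetical paths and command lines), shaped
# like Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # Renamed binary and upper-cased module names: still caught because the
    # match is case-insensitive and does not depend on the image name.
    {"Image": r"C:\Windows\Temp\m.exe",
     "CommandLine": 'm.exe "LSADUMP::SAM" "SEKURLSA::MINIDUMP lsass.dmp" exit'},
    # Invoke-Mimikatz launched via -EncodedCommand (the base64 below is the
    # UTF-16LE string "Invoke-Mimikatz"): the module names sit inside the
    # payload, so a command-line substring rule sees nothing to match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA"},
    # Benign service host start, included as a no-match control.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
]


def run_detection(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Evaluate every event; return (index, matched_patterns) for hits only."""
    hits = []
    for i, ev in enumerate(events):
        found = matches_rule(ev)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for idx, found in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['Image']} matched {found}")
```

Running the block reports hits for events 0 and 1 only. The encoded-PowerShell event (2) is the gap a practitioner should expect from any `CommandLine|contains` rule: it is cheap and precise when the strings are present, but trivially bypassed by encoding, script-block execution, or in-memory loaders, so it belongs alongside the other Mimikatz analytics in the referenced Red Canary report rather than as the sole control.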
