Mimikatz Module Names
Identifies processes in which Mimikatz module names are observed as command-line parameters. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Mimikatz Module Names
2id: 8628d9d9-3a53-4d2e-b1cf-1d2e606cfd1d
3status: experimental
4description: |
5 Identifies processes in which Mimikatz module names are observed as command-line parameters.
6 Part of the RedCanary 2024 Threat Detection Report.
7references:
8 - https://redcanary.com/threat-detection-report/threats/mimikatz/
9author: RedCanary, Sigma formatting by Micah Babinski
10date: 2024/03/21
11tags:
12 - attack.credential_access
13 - attack.t1003
14 - attack.s0002
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 CommandLine|contains:
21 - 'sekurlsa::logonpasswords'
22 - 'lsadump::sam'
23 - 'sekurlsa::tickets'
24 condition: selection
25falsepositives:
26 - Unknown
27level: low```
References
-
Mimikatz is a credential-dumping utility commonly leveraged by adversaries, penetration testers, and red teams to extract passwords.
Read More
Related rules
- Kerberos .kirbi Ticket Files
- SecretsDump File Modification
- Secretsdump.py Execution
- Suspicious Export Functionalities - Rundll32
- Capture Credentials with Rpcping.exe