Mimikatz Use
This rule detects Mimikatz keywords (module and command names, driver and DLL file names, and strings embedded in the tool) in any Windows event log. Some of the keywords only appear in older Mimikatz versions, but those builds are still used by several threat groups. The keywords are matched as case-insensitive substrings anywhere in the event; Sysmon Event ID 15 (file stream creation) is excluded so that a copy of the rule file itself landing on disk does not trigger it.
Sigma rule
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017-01-10
modified: 2022-01-05
tags:
    - attack.s0002
    - attack.lateral-movement
    - attack.credential-access
    - car.2013-07-001
    - car.2019-04-004
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.001
    - attack.t1003.006
logsource:
    product: windows
detection:
    keywords:
        - 'dpapi::masterkey'
        - 'eo.oe.kiwi'
        - 'event::clear'
        - 'event::drop'
        - 'gentilkiwi.com'
        - 'kerberos::golden'
        - 'kerberos::ptc'
        - 'kerberos::ptt'
        - 'kerberos::tgt'
        - 'Kiwi Legit Printer'
        - 'lsadump::'
        - 'mimidrv.sys'
        - '\mimilib.dll'
        - 'misc::printnightmare'
        - 'misc::shadowcopies'
        - 'misc::skeleton'
        - 'privilege::backup'
        - 'privilege::debug'
        - 'privilege::driver'
        - 'sekurlsa::'
    filter:
        EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
    condition: keywords and not filter
falsepositives:
    - Naughty administrators
    - AV Signature updates
    - Files with Mimikatz in their filename
level: high
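The matching logic of the rule, run over a few constructed events, as an added Python example (not part of the SigmaHQ rule or of this page). It implements what a Sigma backend does with this rule: case-insensitive substring search for each keyword across every field of the event, then `keywords and not filter`. The event dictionaries are constructed samples, and the field names used in them (CommandLine, ImageLoaded, TargetFilename, Contents) are assumptions about how a converted Windows or Sysmon event would look in a SIEM.

```python
"""Keyword logic of the 'Mimikatz Use' Sigma rule, written out in Python.

Added example, not the SigmaHQ rule's own code. Sigma ``keywords`` are
case-insensitive substring matches against the whole event; the ``filter``
block drops Event ID 15, and the condition is ``keywords and not filter``.
"""
from __future__ import annotations

from typing import Any, Iterable

# Keyword list copied verbatim from the rule's detection.keywords block.
MIMIKATZ_KEYWORDS = [
    "dpapi::masterkey", "eo.oe.kiwi", "event::clear", "event::drop",
    "gentilkiwi.com", "kerberos::golden", "kerberos::ptc", "kerberos::ptt",
    "kerberos::tgt", "Kiwi Legit Printer", "lsadump::", "mimidrv.sys",
    "\\mimilib.dll", "misc::printnightmare", "misc::shadowcopies",
    "misc::skeleton", "privilege::backup", "privilege::debug",
    "privilege::driver", "sekurlsa::",
]

# Event IDs excluded by the rule's filter block (Sysmon FileCreateStreamHash).
FILTERED_EVENT_IDS = {15}


def _flatten(value: Any) -> Iterable[str]:
    """Yield every scalar of a (possibly nested) event record as text."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _flatten(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _flatten(v)
    elif value is not None:
        yield str(value)


def matched_keywords(event: dict) -> list[str]:
    """Return the rule keywords found anywhere in the event, case-insensitively."""
    haystack = "\n".join(_flatten(event)).lower()
    return [kw for kw in MIMIKATZ_KEYWORDS if kw.lower() in haystack]


def rule_fires(event: dict) -> bool:
    """Evaluate ``keywords and not filter`` for one Windows event."""
    if event.get("EventID") in FILTERED_EVENT_IDS:
        return False
    return bool(matched_keywords(event))


# Constructed sample events (not real telemetry). Field names are an
# assumption about how a JSON-converted Windows/Sysmon event would look.
SAMPLE_EVENTS = [
    {   # Security 4688: renamed binary, but the module names give it away -> fires
        "EventID": 4688, "Channel": "Security",
        "NewProcessName": "C:\\Users\\Public\\svc.exe",
        "CommandLine": 'svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
    },
    {   # Sysmon 7 image load: '\mimilib.dll' matches the path component -> fires
        "EventID": 7, "Channel": "Microsoft-Windows-Sysmon/Operational",
        "Image": "C:\\Temp\\update.exe",
        "ImageLoaded": "C:\\Temp\\mimilib.dll",
    },
    {   # Sysmon 15: the rule file itself downloaded to disk -> keywords hit,
        # but the filter suppresses the alert
        "EventID": 15, "Channel": "Microsoft-Windows-Sysmon/Operational",
        "TargetFilename": "C:\\Users\\analyst\\Downloads\\win_alert_mimikatz_keywords.yml:Zone.Identifier",
        "Contents": "sekurlsa:: lsadump:: kerberos::golden",
    },
    {   # Benign: the bare word 'mimikatz' is not one of the keywords -> silent
        "EventID": 4688, "Channel": "Security",
        "CommandLine": "notepad.exe C:\\reports\\mimikatz_detection_notes.txt",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], rule_fires(ev), matched_keywords(ev))
```

Two properties of the rule are visible in the output. First, the filter keys on EventID alone: with `logsource: product: windows` and no `service`, an Event ID 15 from any channel is suppressed, not only Sysmon's, so the exclusion is slightly wider than the comment in the rule suggests. Second, the word "mimikatz" by itself is not a keyword; a file name only fires when it carries one of the listed artefact names such as mimidrv.sys or \mimilib.dll, which is what the "Files with Mimikatz in their filename" false-positive entry refers to.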
References
- https://tools.thehacker.recipes/mimikatz/modules
Related rules
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- HackTool - Mimikatz Execution
- Cred Dump Tools Dropped Files
- Dumping of Sensitive Hives Via Reg.EXE