Mimikatz Use
This rule detects Mimikatz keywords (module and command names, driver and DLL file names, and author strings) in various Windows event logs. Some of these keywords only appear in older Mimikatz versions, which are nevertheless still used by several threat groups.
Sigma rule

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
  - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017/01/10
modified: 2022/01/05
tags:
  - attack.s0002
  - attack.lateral_movement
  - attack.credential_access
  - car.2013-07-001
  - car.2019-04-004
  - attack.t1003.002
  - attack.t1003.004
  - attack.t1003.001
  - attack.t1003.006
logsource:
  product: windows
detection:
  keywords:
    - 'dpapi::masterkey'
    - 'eo.oe.kiwi'
    - 'event::clear'
    - 'event::drop'
    - 'gentilkiwi.com'
    - 'kerberos::golden'
    - 'kerberos::ptc'
    - 'kerberos::ptt'
    - 'kerberos::tgt'
    - 'Kiwi Legit Printer'
    - 'lsadump::'
    - 'mimidrv.sys'
    - '\mimilib.dll'
    - 'misc::printnightmare'
    - 'misc::shadowcopies'
    - 'misc::skeleton'
    - 'privilege::backup'
    - 'privilege::debug'
    - 'privilege::driver'
    - 'sekurlsa::'
  filter:
    EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
  condition: keywords and not filter
falsepositives:
  - Naughty administrators
  - AV Signature updates
  - Files with Mimikatz in their filename
level: high
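To make the rule's logic concrete, here is an added example (not code from the Sigma project) that evaluates the detection above over a few constructed sample events. It assumes Sigma's usual `keywords` semantics: a case-insensitive substring search across every field of an event, with the `filter` section suppressing Sysmon EventID 15 (FileStream) events such as a copied rule file.

```python
from typing import Optional

# Keyword list copied from the rule's detection.keywords section
KEYWORDS = [
    'dpapi::masterkey', 'eo.oe.kiwi', 'event::clear', 'event::drop',
    'gentilkiwi.com', 'kerberos::golden', 'kerberos::ptc', 'kerberos::ptt',
    'kerberos::tgt', 'Kiwi Legit Printer', 'lsadump::', 'mimidrv.sys',
    '\\mimilib.dll', 'misc::printnightmare', 'misc::shadowcopies',
    'misc::skeleton', 'privilege::backup', 'privilege::debug',
    'privilege::driver', 'sekurlsa::',
]

def matches_rule(event: dict) -> Optional[str]:
    """Return the first matching keyword if the event fires the rule, else None.

    Implements 'keywords and not filter': the filter drops Sysmon EventID 15
    (FileStream) events, then keywords are searched case-insensitively in
    every field value of the event (assumed Sigma keyword semantics).
    """
    if str(event.get("EventID")) == "15":
        return None
    haystack = " ".join(str(v) for v in event.values()).lower()
    for kw in KEYWORDS:
        if kw.lower() in haystack:
            return kw
    return None

def evaluate(events: list) -> list:
    """Return (index, keyword) pairs for every event that triggers the rule."""
    hits = []
    for i, ev in enumerate(events):
        kw = matches_rule(ev)
        if kw is not None:
            hits.append((i, kw))
    return hits

# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    # Sysmon FileStream event for a copied Sigma rule file: contains a keyword but is filtered out
    {"EventID": 15, "TargetFilename": r"C:\rules\win_mimikatz.yml", "Contents": "- 'sekurlsa::'"},
    {"EventID": 4104, "ScriptBlockText": "Invoke-Mimikatz -Command 'KERBEROS::PTT ticket.kirbi'"},
    {"EventID": 4688, "CommandLine": r"C:\Windows\System32\notepad.exe report.txt"},
]

if __name__ == "__main__":
    for idx, kw in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: matched keyword {kw!r}")
```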
Related rules
- Mimikatz Command Line With Ticket Export
- Transferring Files with Credential Data via Network Shares - Zeek
- Possible Impacket SecretDump Remote Activity - Zeek
- PowerShell Get-Process LSASS in ScriptBlock
- Windows Credential Editor Registry