HackTool - Mimikatz Kirbi File Creation
Detects the creation of files produced by Mimikatz, such as ".kirbi", "mimilsa.log", etc.
Sigma rule
title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
      type: obsolete
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
    - https://cobalt.io/blog/kerberoast-attack-techniques
    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021-11-08
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.kirbi' # Kerberos tickets
            - 'mimilsa.log' # MemSSP default file
    condition: selection
falsepositives:
    - Unlikely
level: critical
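The rule's selection evaluated over constructed file_event records, as an added example that is not part of the Sigma project or of the rule itself. It assumes Sysmon Event ID 11 style field names (`Image`, `TargetFilename`); every sample path is constructed, and the lowercase comparison reflects Sigma's default case-insensitive string matching.

```python
# Added example: applies the rule's selection to constructed file_event records.
# Suffixes and their notes are copied from detection.selection in the rule.
SUFFIXES = {
    ".kirbi": "Kerberos tickets",
    "mimilsa.log": "MemSSP default file",
}

# Constructed sample events (assumed Sysmon Event ID 11 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\ticket1.kirbi"},
    {"Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Windows\System32\mimilsa.log"},
    {"Image": r"C:\Temp\x.exe", "TargetFilename": r"C:\Temp\TICKET.KIRBI"},
    {"Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\ProgramData\App\app.log"},
    {"Image": r"C:\Program Files\App\app.exe"},  # TargetFilename missing
]


def match_suffix(event):
    """Return the rule suffix that TargetFilename ends with, or None."""
    name = event.get("TargetFilename")
    if not isinstance(name, str):
        return None  # field absent: the selection cannot match
    lowered = name.lower()  # Sigma compares strings case-insensitively by default
    for suffix in SUFFIXES:
        if lowered.endswith(suffix):
            return suffix
    return None


def evaluate(events):
    """Apply 'condition: selection' and return one alert dict per hit."""
    alerts = []
    for event in events:
        suffix = match_suffix(event)
        if suffix is not None:
            alerts.append({
                "file": event["TargetFilename"],
                "writer": event.get("Image", "<unknown>"),
                "reason": SUFFIXES[suffix],
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f'{alert["reason"]}: {alert["file"]} (written by {alert["writer"]})')
```

Carrying the writing process (`Image`) into the alert gives the analyst the first pivot for triage, since the rule itself keys only on the file name.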
Related rules
- Replay Attack Detected
- Uncommon Outbound Kerberos Connection
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability