Mimikatz Kirbi File Creation

Detects the creation of files that mimikatz typically writes to disk, such as ".kirbi" Kerberos ticket exports and the "mimilsa.log" file produced by its MemSSP module.

Sigma rule

title: Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
      type: obsoletes
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
    - https://cobalt.io/blog/kerberoast-attack-techniques
    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021/11/08
modified: 2023/02/16
tags:
    - attack.credential_access
    - attack.t1558
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.kirbi' # Kerberos tickets
            - 'mimilsa.log' # MemSSP default file
    condition: selection
falsepositives:
    - Unlikely
level: critical
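To show what the rule's selection actually matches, here is a small evaluator that applies the same `TargetFilename|endswith` logic to a handful of file-creation events. This is an added example, not SigmaHQ code or the output of a Sigma backend; it assumes events are dicts carrying a `TargetFilename` field (as Sysmon Event ID 11 / Windows file_event telemetry does) and that, as in Sigma's default string matching, the suffix comparison is case-insensitive. The sample events are constructed.

```python
"""Toy evaluator for the Sigma rule above (added example, not SigmaHQ code).

Assumes each event is a dict with a 'TargetFilename' field, as in Sysmon
Event ID 11 records, and that string matching is case-insensitive, which is
Sigma's default for modifiers such as |endswith.
"""
from typing import Iterable, List

# Suffixes copied from the rule's 'selection' block
KIRBI_SUFFIXES = (".kirbi", "mimilsa.log")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'."""
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    # Sigma compares case-insensitively by default, so normalise first
    name = target.lower()
    return any(name.endswith(suffix) for suffix in KIRBI_SUFFIXES)


def run_detection(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events the rule would alert on."""
    return [event for event in events if matches_rule(event)]


# Constructed sample file_event records (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\report.txt"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\m.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\alice@krbtgt-CORP.LOCAL.kirbi"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\lsass.exe",
     "TargetFilename": "C:\\Windows\\System32\\mimilsa.log"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\lsass.exe",
     "TargetFilename": "C:\\Windows\\System32\\MIMILSA.LOG"},  # case variant
    {"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\ProgramData\\App\\kirbi_notes.txt"},  # no match
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe"},  # field missing
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["TargetFilename"])
```

Running it flags the `.kirbi` export and both spellings of `mimilsa.log`, and ignores the text file whose name merely contains "kirbi" as well as the event with no `TargetFilename`. Note that the suffix `mimilsa.log` matches any path ending in that string, which is why the rule's false-positive rating is "Unlikely": legitimate software has no reason to write a file with that name.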
