Potential Invoke-Mimikatz PowerShell Script

Detects the Invoke-Mimikatz PowerShell script and similar scripts. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Sigma rule

title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
author: Tim Rauch, Elastic (idea)
date: 2022/09/28
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: ps_script
    product: windows
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'DumpCreds'
            - 'DumpCerts'
    selection_2:
        ScriptBlockText|contains: 'sekurlsa::logonpasswords'
    selection_3:
        ScriptBlockText|contains|all:
            - 'crypto::certificates'
            - 'CERT_SYSTEM_STORE_LOCAL_MACHINE'
    condition: 1 of selection*
falsepositives:
    - Mimikatz can be useful for testing the security of networks
level: high
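The rule's `logsource` is `ps_script`, i.e. PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), and each selection is a `contains` or `contains|all` test on the `ScriptBlockText` field, combined with `1 of selection*`. The following Python is an added example, not part of the rule or of the SigmaHQ project: it transcribes the three selections, applies Sigma's default case-insensitive substring matching, and runs them over a handful of constructed 4104 records. It also goes one step beyond the rule by optionally reassembling the chunks PowerShell emits for a long script (same `ScriptBlockId`, `MessageNumber` 1..`MessageTotal`), which shows a gap a plain per-event Sigma match has when the two needles of a `contains|all` fall into different chunks. The event field names are the real 4104 fields; the sample texts, the `sb-*` ids and the function name `Invoke-Thing` are constructed for illustration.

```python
"""Evaluate the Sigma rule above against PowerShell script block records
(Event ID 4104, Microsoft-Windows-PowerShell/Operational)."""
from collections import defaultdict

# Selections transcribed from the rule: every substring in a list must appear
# in ScriptBlockText (Sigma `contains|all`); a plain `contains` is a
# one-element list.
SELECTIONS = {
    "selection_1": ["DumpCreds", "DumpCerts"],
    "selection_2": ["sekurlsa::logonpasswords"],
    "selection_3": ["crypto::certificates", "CERT_SYSTEM_STORE_LOCAL_MACHINE"],
}


def contains_all(text, needles):
    """Sigma string modifiers match case-insensitively by default."""
    folded = text.casefold()
    return all(n.casefold() in folded for n in needles)


def match_rule(script_block_text):
    """Names of the selections that fire on one ScriptBlockText value.
    `condition: 1 of selection*` means any non-empty result is an alert."""
    return [name for name, needles in SELECTIONS.items()
            if contains_all(script_block_text, needles)]


def evaluate_events(events, reassemble=False):
    """Run the rule over 4104 records (dicts with ScriptBlockId, MessageNumber,
    MessageTotal and ScriptBlockText).

    reassemble=False matches every record on its own, which is what a Sigma
    backend does. reassemble=True first joins the chunks of one script block
    (same ScriptBlockId, ordered by MessageNumber), so substrings that landed
    in different chunks are still seen together.
    Returns {ScriptBlockId: sorted selections fired} for alerting blocks only.
    """
    chunks_by_id = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["ScriptBlockId"], e["MessageNumber"])):
        chunks_by_id[ev["ScriptBlockId"]].append(ev["ScriptBlockText"])
    alerts = {}
    for sbid, chunks in chunks_by_id.items():
        candidates = ["".join(chunks)] if reassemble else chunks
        fired = sorted({s for c in candidates for s in match_rule(c)})
        if fired:
            alerts[sbid] = fired
    return alerts


# Constructed sample records; not real telemetry.
SAMPLE_EVENTS = [
    # A script block declaring both parameter names the rule looks for.
    {"ScriptBlockId": "sb-1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "param([Switch]$DumpCreds, [Switch]$DumpCerts)\nWrite-Host 'loading'"},
    # The module command appears in a string with different casing than the rule literal.
    {"ScriptBlockId": "sb-2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": '$cmd = "SEKURLSA::LogonPasswords"'},
    # Benign certificate inventory: touches the machine store but none of the rule's strings.
    {"ScriptBlockId": "sb-3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem Cert:\\LocalMachine\\My | Select-Object Subject, NotAfter"},
    # A long script PowerShell logged as two 4104 chunks (hypothetical function
    # name); the two needles of selection_1 end up in different chunks.
    {"ScriptBlockId": "sb-4", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "function Invoke-Thing {\n    param([Switch]$DumpCreds,\n"},
    {"ScriptBlockId": "sb-4", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "          [Switch]$DumpCerts)\n    # body omitted\n}"},
]

if __name__ == "__main__":
    print("per-event  :", evaluate_events(SAMPLE_EVENTS))
    print("reassembled:", evaluate_events(SAMPLE_EVENTS, reassemble=True))
```

Per-event evaluation alerts on `sb-1` and `sb-2` only; `sb-4` is caught only after reassembly, which is worth keeping in mind when a SIEM stores each 4104 chunk as its own document. The benign `sb-3` record shows that routine certificate-store administration does not trip `selection_3`, since that selection needs both the `crypto::certificates` module string and the `CERT_SYSTEM_STORE_LOCAL_MACHINE` constant.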
