HackTool - Mimikatz Execution

 1title: HackTool - Mimikatz Execution
 2id: a642964e-bead-4bed-8910-1bb4d63e3b4d
 3status: test
 4description: Detection well-known mimikatz command line arguments
 5references:
 6    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 7    - https://tools.thehacker.recipes/mimikatz/modules
 8author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
 9date: 2019/10/22
10modified: 2023/02/21
11tags:
12    - attack.credential_access
13    - attack.t1003.001
14    - attack.t1003.002
15    - attack.t1003.004
16    - attack.t1003.005
17    - attack.t1003.006
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_tools_name:
23        CommandLine|contains:
24            - 'DumpCreds'
25            - 'mimikatz'
26    selection_function_names: # To cover functions from modules that are not in module_names
27        CommandLine|contains:
28            - '::aadcookie' # misc module
29            - '::detours' # misc module
30            - '::memssp' # misc module
31            - '::mflt' # misc module
32            - '::ncroutemon' # misc module
33            - '::ngcsign' # misc module
34            - '::printnightmare' # misc module
35            - '::skeleton' # misc module
36            - '::preshutdown'  # service module
37            - '::mstsc'  # ts module
38            - '::multirdp'  # ts module
39    selection_module_names:
40        CommandLine|contains:
41            - 'rpc::'
42            - 'token::'
43            - 'crypto::'
44            - 'dpapi::'
45            - 'sekurlsa::'
46            - 'kerberos::'
47            - 'lsadump::'
48            - 'privilege::'
49            - 'process::'
50            - 'vault::'
51    condition: 1 of selection_*
52falsepositives:
53    - Unlikely
54level: high