Mimikatz Command Line With Ticket Export
Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community
Sigma rule

title: Mimikatz Command Line With Ticket Export
id: 48e1dd43-c42f-4b3b-9011-a0ea1fab6b03
description: Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community
author: thedfirreport
date: 2021/01/18
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mimikatz_command_line.yml
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - DumpCreds
            - invoke-mimikatz
            - mimikatz
    selection_2:
        CommandLine|contains:
            - rpc
            - token
            - crypto
            - dpapi
            - sekurlsa
            - kerberos
            - lsadump
            - privilege
            - process
            - export
            - tickets
    selection_3:
        CommandLine|contains:
            - '::'
    condition: selection_1 or selection_2 and selection_3
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: medium
status: experimental
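To see how the condition combines the three selections, and why the `falsepositives` entry matters, here is an added Python evaluation of this rule (not code from the Sigma project or from the rule's author). It assumes Sigma's semantics that `contains` is a case-insensitive substring match and that `and` binds tighter than `or`, so the condition reads `selection_1 or (selection_2 and selection_3)`; the sample command lines are constructed, not real telemetry.

```python
"""Added example: evaluate the Sigma rule above against sample command lines.

Assumption: Sigma `contains` is a case-insensitive substring match and
`and` binds tighter than `or` in the condition expression.
"""

# Selection values copied from the rule above.
SELECTION_1 = ["DumpCreds", "invoke-mimikatz", "mimikatz"]
SELECTION_2 = ["rpc", "token", "crypto", "dpapi", "sekurlsa", "kerberos",
               "lsadump", "privilege", "process", "export", "tickets"]
SELECTION_3 = ["::"]

SELECTIONS = (("selection_1", SELECTION_1),
              ("selection_2", SELECTION_2),
              ("selection_3", SELECTION_3))


def contains_any(command_line: str, needles: list[str]) -> bool:
    """Sigma `contains` modifier: case-insensitive match on any listed value."""
    haystack = command_line.lower()
    return any(needle.lower() in haystack for needle in needles)


def matched_selections(command_line: str) -> list[str]:
    """Names of the selections that fired, useful when triaging an alert."""
    return [name for name, needles in SELECTIONS
            if contains_any(command_line, needles)]


def matches_rule(command_line: str) -> bool:
    """Condition: selection_1 or selection_2 and selection_3."""
    hits = set(matched_selections(command_line))
    return "selection_1" in hits or {"selection_2", "selection_3"} <= hits


# Constructed sample process_creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    # Renamed binary, no tool name: caught only via selection_2 and selection_3.
    r"C:\Temp\m.exe sekurlsa::tickets /export",
    # Tool name present: selection_1 alone is enough, no '::' needed.
    r'powershell -c "Invoke-Mimikatz -DumpCreds"',
    # Benign .NET static call: has "process" and "::", so it alerts (false positive).
    r"powershell -c [System.Diagnostics.Process]::GetCurrentProcess()",
    # Benign: "token" alone without "::" does not satisfy the condition.
    r'curl -H "Authorization: Bearer token" https://example.com',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matches_rule(event), matched_selections(event), event)
```

The third sample shows why the rule is `level: medium`: any command line that pairs a generic word such as `process` with a `::` separator fires it, so alerts need the triage context the `falsepositives` entry describes.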
Related rules
- Transferring Files with Credential Data via Network Shares - Zeek
- Possible Impacket SecretDump Remote Activity - Zeek
- Esentutl Volume Shadow Copy Service Keys
- NTDSutil Pulling of NTDS.dit File
- Abnormal LSASS Child and Parent Process Relationships