Mimikatz Command Line With Ticket Export
Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community
Sigma rule
```yaml
title: Mimikatz Command Line With Ticket Export
id: 48e1dd43-c42f-4b3b-9011-a0ea1fab6b03
status: experimental
description: Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community
author: thedfirreport
date: 2021-01-18
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mimikatz_command_line.yml
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - DumpCreds
            - invoke-mimikatz
            - mimikatz
    selection_2:
        CommandLine|contains:
            - rpc
            - token
            - crypto
            - dpapi
            - sekurlsa
            - kerberos
            - lsadump
            - privilege
            - process
            - export
            - tickets
    selection_3:
        CommandLine|contains: '::'
    condition: (selection_1 or selection_2) and selection_3
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: medium
```
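To see what this condition actually fires on, the following is an added example (not part of the rule or the Sigma project's code) that re-implements the three selections and the `(selection_1 or selection_2) and selection_3` condition in plain Python and runs them over a handful of constructed `CommandLine` values. Sigma `contains` matching is case-insensitive, which the helper reproduces by lowercasing both sides. The event names and command lines are invented for the demonstration; none are real telemetry from the referenced sources.

```python
"""Re-implementation of the rule's detection logic, run over constructed
process_creation CommandLine values to show which ones match and why."""

# Indicator lists copied from the rule above. Sigma string matching is
# case-insensitive, so comparison is done on lowercased text.
SELECTION_1 = ["DumpCreds", "invoke-mimikatz", "mimikatz"]
SELECTION_2 = ["rpc", "token", "crypto", "dpapi", "sekurlsa", "kerberos",
               "lsadump", "privilege", "process", "export", "tickets"]
SELECTION_3 = ["::"]


def hits(cmdline: str, needles: list[str]) -> list[str]:
    """Return the needles that occur (case-insensitively) in cmdline."""
    lowered = cmdline.lower()
    return [n for n in needles if n.lower() in lowered]


def evaluate(cmdline: str) -> dict:
    """Evaluate condition: (selection_1 or selection_2) and selection_3.

    Besides the verdict, the per-selection hit lists are returned so an
    analyst can see which indicator caused a match when tuning the rule.
    """
    s1 = hits(cmdline, SELECTION_1)
    s2 = hits(cmdline, SELECTION_2)
    s3 = hits(cmdline, SELECTION_3)
    return {
        "selection_1": s1,
        "selection_2": s2,
        "selection_3": s3,
        "matched": bool((s1 or s2) and s3),
    }


# Constructed sample events (assumed, not real logs). The keys are labels
# for the demonstration only.
SAMPLE_EVENTS = {
    "mimikatz_logonpasswords":
        r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
    # Renamed binary: selection_1 misses, but module::command syntax still hits.
    "renamed_binary_ticket_export":
        r'C:\Windows\Temp\svc.exe "kerberos::list /export" exit',
    # Invoke-Mimikatz without any module::command string: no '::' present.
    "invoke_mimikatz_dumpcreds":
        r'powershell.exe -nop -c "Import-Module .\Invoke-Mimikatz.ps1; Invoke-Mimikatz -DumpCreds"',
    # Benign .NET static call: 'process' plus '::' satisfies the condition.
    "benign_dotnet_static_call":
        r'powershell.exe -c "[System.Diagnostics.Process]::GetProcesses() | Select-Object Name"',
    "benign_notepad":
        r'notepad.exe C:\Users\alice\notes.txt',
}


def triage(events: dict[str, str]) -> dict[str, bool]:
    """Map each labelled command line to the rule's verdict."""
    return {name: evaluate(cmd)["matched"] for name, cmd in events.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLE_EVENTS.items():
        r = evaluate(cmd)
        print(f"{name:30} matched={str(r['matched']):5} "
              f"s1={r['selection_1']} s2={r['selection_2']} s3={r['selection_3']}")
```

Two things the run makes visible. First, because `selection_3` is mandatory, a command line such as `Invoke-Mimikatz -DumpCreds` that never uses the `module::command` syntax does not match this rule at all; that case is what the related "HackTool - Mimikatz Execution" rule exists for, so deploy them together rather than treating this one as complete coverage. Second, the short generic tokens in `selection_2` (`process`, `token`, `export`) combined with `::` will fire on ordinary PowerShell .NET static-member calls like `[System.Diagnostics.Process]::GetProcesses()`, a false positive beyond the "administrator using the tool" case the rule lists, so expect to add environment-specific filters on `Image` or parent process before raising the level above medium.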
Related rules
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- HackTool - Mimikatz Execution
- Cred Dump Tools Dropped Files
- HackTool - Credential Dumping Tools Named Pipe Created