Sigma | high | Hunting

Mimikatz Use

This method detects Mimikatz keywords in different Windows event logs (some of them appear only in older Mimikatz versions, which are nevertheless still used by various threat groups).

MITRE ATT&CK

lateral-movement, credential-access

Detection Query

keywords:
  - dpapi::masterkey
  - eo.oe.kiwi
  - event::clear
  - event::drop
  - gentilkiwi.com
  - kerberos::golden
  - kerberos::ptc
  - kerberos::ptt
  - kerberos::tgt
  - Kiwi Legit Printer
  - "lsadump::"
  - mimidrv.sys
  - \mimilib.dll
  - misc::printnightmare
  - misc::shadowcopies
  - misc::skeleton
  - privilege::backup
  - privilege::debug
  - privilege::driver
  - "sekurlsa::"
filter:
  EventID: 15
condition: keywords and not filter

Author

Florian Roth (Nextron Systems), David ANDRE (additional keywords)

Created

2017-01-10

Data Sources

windows

Platforms

windows

Tags

attack.s0002, attack.lateral-movement, attack.credential-access, car.2013-07-001, car.2019-04-004, attack.t1003.002, attack.t1003.004, attack.t1003.001, attack.t1003.006

Raw Content

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects Mimikatz keywords in different Windows event logs (some of them appear only in older Mimikatz versions, which are nevertheless still used by various threat groups)
references:
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017-01-10
modified: 2022-01-05
tags:
    - attack.s0002
    - attack.lateral-movement
    - attack.credential-access
    - car.2013-07-001
    - car.2019-04-004
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.001
    - attack.t1003.006
logsource:
    product: windows
detection:
    keywords:
        - 'dpapi::masterkey'
        - 'eo.oe.kiwi'
        - 'event::clear'
        - 'event::drop'
        - 'gentilkiwi.com'
        - 'kerberos::golden'
        - 'kerberos::ptc'
        - 'kerberos::ptt'
        - 'kerberos::tgt'
        - 'Kiwi Legit Printer'
        - 'lsadump::'
        - 'mimidrv.sys'
        - '\mimilib.dll'
        - 'misc::printnightmare'
        - 'misc::shadowcopies'
        - 'misc::skeleton'
        - 'privilege::backup'
        - 'privilege::debug'
        - 'privilege::driver'
        - 'sekurlsa::'
    filter:
        EventID: 15  # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
    condition: keywords and not filter
falsepositives:
    - Naughty administrators
    - AV Signature updates
    - Files with Mimikatz in their filename
level: high
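The following is an added example, not part of the rule above nor code from the Sigma project or any SIEM backend. It reproduces the rule's logic in plain Python (a case-insensitive "contains" test of every keyword against the full event text, then the `EventID: 15` exclusion) and runs it over a handful of constructed Windows event records, including one Sysmon FileStream event that carries the keywords but is suppressed by the filter. The `Event` class, the `run_rule` function and the sample records are assumptions made for this illustration; how a real backend tokenises or matches keywords depends on the converter and log pipeline in use.

```python
# Added example: evaluating the "Mimikatz Use" Sigma rule against constructed
# Windows event records. Illustrative code only; not the Sigma project's
# converter or any SIEM backend. Assumption: keyword matching is a
# case-insensitive substring test over the whole event text.

from dataclasses import dataclass, field
from typing import Dict, List

# Keyword list copied from the rule's detection section.
KEYWORDS = [
    "dpapi::masterkey", "eo.oe.kiwi", "event::clear", "event::drop",
    "gentilkiwi.com", "kerberos::golden", "kerberos::ptc", "kerberos::ptt",
    "kerberos::tgt", "Kiwi Legit Printer", "lsadump::", "mimidrv.sys",
    "\\mimilib.dll", "misc::printnightmare", "misc::shadowcopies",
    "misc::skeleton", "privilege::backup", "privilege::debug",
    "privilege::driver", "sekurlsa::",
]

# Filter from the rule: Sysmon EventID 15 (FileStream created) is excluded so
# that copying a file containing these strings (for example this rule's own
# YAML) does not itself raise an alert.
FILTERED_EVENT_IDS = {15}


@dataclass
class Event:
    """Minimal stand-in for a Windows event record (hypothetical type)."""
    event_id: int
    channel: str
    fields: Dict[str, str] = field(default_factory=dict)

    def full_text(self) -> str:
        # A Sigma "keywords" list matches against the whole log message,
        # so every field value is concatenated before matching.
        return " ".join(str(v) for v in self.fields.values())


def matched_keywords(event: Event) -> List[str]:
    """Return the rule keywords present in the event, case-insensitively."""
    text = event.full_text().lower()
    return [k for k in KEYWORDS if k.lower() in text]


def rule_fires(event: Event) -> bool:
    """Implements `condition: keywords and not filter`."""
    if event.event_id in FILTERED_EVENT_IDS:
        return False
    return bool(matched_keywords(event))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Sysmon process creation whose command line carries rule keywords.
    Event(1, "Microsoft-Windows-Sysmon/Operational", {
        "Image": "C:\\Users\\Public\\x.exe",
        "CommandLine": 'x.exe "privilege::debug" "sekurlsa::" exit',
    }),
    # PowerShell script block logging (EventID 4104) containing a keyword.
    Event(4104, "Microsoft-Windows-PowerShell/Operational", {
        "ScriptBlockText": "$cmd = 'kerberos::ptt ticket.kirbi'",
    }),
    # Sysmon FileStream event: same strings, but excluded by the filter.
    Event(15, "Microsoft-Windows-Sysmon/Operational", {
        "TargetFilename": "C:\\rules\\win_mimikatz_use.yml",
        "Contents": "keywords: - 'sekurlsa::' - 'lsadump::'",
    }),
    # Benign process creation with no keywords.
    Event(1, "Microsoft-Windows-Sysmon/Operational", {
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe C:\\notes.txt",
    }),
]


def run_rule(events: List[Event]) -> List[dict]:
    """Apply the rule to a batch of events and return one alert per hit."""
    alerts = []
    for ev in events:
        if rule_fires(ev):
            alerts.append({
                "event_id": ev.event_id,
                "channel": ev.channel,
                "keywords": matched_keywords(ev),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields two alerts (the process creation and the script block) and none for the FileStream event, even though `matched_keywords` does find `lsadump::` and `sekurlsa::` in it; that is exactly the false-positive case the rule's `EventID: 15` filter is there to suppress. The `Kiwi Legit Printer` keyword is the reason matching must be case-insensitive: the other keywords are lowercase, but log pipelines frequently normalise case differently per field.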