EXPLORE
Sign In
← Back to Explore
sigmahighHunting

HackTool - Mimikatz Execution

Detection well-known mimikatz command line arguments

MITRE ATT&CK

T1003.001T1003.002T1003.004T1003.005T1003.006
credential-access

Detection Query

selection_tools_name:
  CommandLine|contains:
    - DumpCreds
    - mimikatz
selection_function_names:
  CommandLine|contains:
    - ::aadcookie
    - ::detours
    - ::memssp
    - ::mflt
    - ::ncroutemon
    - ::ngcsign
    - ::printnightmare
    - ::skeleton
    - ::preshutdown
    - ::mstsc
    - ::multirdp
selection_module_names:
  CommandLine|contains:
    - "rpc::"
    - "token::"
    - "crypto::"
    - "dpapi::"
    - "sekurlsa::"
    - "kerberos::"
    - "lsadump::"
    - "privilege::"
    - "process::"
    - "vault::"
condition: 1 of selection_*

Author

Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton

Created

2019-10-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1003.001attack.t1003.002attack.t1003.004attack.t1003.005attack.t1003.006
Raw Content
title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_name:
        CommandLine|contains:
            - 'DumpCreds'
            - 'mimikatz'
    selection_function_names: # To cover functions from modules that are not in module_names
        CommandLine|contains:
            - '::aadcookie' # misc module
            - '::detours' # misc module
            - '::memssp' # misc module
            - '::mflt' # misc module
            - '::ncroutemon' # misc module
            - '::ngcsign' # misc module
            - '::printnightmare' # misc module
            - '::skeleton' # misc module
            - '::preshutdown'  # service module
            - '::mstsc'  # ts module
            - '::multirdp'  # ts module
    selection_module_names:
        CommandLine|contains:
            - 'rpc::'
            - 'token::'
            - 'crypto::'
            - 'dpapi::'
            - 'sekurlsa::'
            - 'kerberos::'
            - 'lsadump::'
            - 'privilege::'
            - 'process::'
            - 'vault::'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high