
HackTool - Mimikatz Execution

Status
test
Severity
high
Log source
product windows, category process_creation
Author
Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
Source
github.com/SigmaHQ/sigma

Detects well-known Mimikatz command line arguments

Rule body (YAML)

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_name:
        CommandLine|contains:
            - 'DumpCreds'
            - 'mimikatz'
    selection_function_names: # To cover functions from modules that are not in module_names
        CommandLine|contains:
            - '::aadcookie' # misc module
            - '::detours' # misc module
            - '::memssp' # misc module
            - '::mflt' # misc module
            - '::ncroutemon' # misc module
            - '::ngcsign' # misc module
            - '::printnightmare' # misc module
            - '::skeleton' # misc module
            - '::preshutdown'  # service module
            - '::mstsc'  # ts module
            - '::multirdp'  # ts module
    selection_module_names:
        CommandLine|contains:
            - 'rpc::'
            - 'token::'
            - 'crypto::'
            - 'dpapi::'
            - 'sekurlsa::'
            - 'kerberos::'
            - 'lsadump::'
            - 'privilege::'
            - 'process::'
            - 'vault::'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

Stages and Predicates

Stage 0: condition

1 of selection_*

Stage 1: selection_tools_name

selection_tools_name:
    CommandLine|contains:
        - 'DumpCreds'
        - 'mimikatz'

Stage 2: selection_function_names

selection_function_names:
    CommandLine|contains:
        - '::aadcookie'
        - '::detours'
        - '::memssp'
        - '::mflt'
        - '::ncroutemon'
        - '::ngcsign'
        - '::printnightmare'
        - '::skeleton'
        - '::preshutdown'
        - '::mstsc'
        - '::multirdp'

Stage 3: selection_module_names

selection_module_names:
    CommandLine|contains:
        - 'rpc::'
        - 'token::'
        - 'crypto::'
        - 'dpapi::'
        - 'sekurlsa::'
        - 'kerberos::'
        - 'lsadump::'
        - 'privilege::'
        - 'process::'
        - 'vault::'
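To make the condition concrete, the following added example (not code from SigmaHQ or from this catalog) re-implements the three selections and the `1 of selection_*` condition in plain Python and runs them over a handful of constructed process_creation events. It assumes the default Sigma semantics for `contains`, which is case-insensitive substring matching; the `<command>` fragments in the sample command lines are placeholders, and no real event data is used.

```python
"""Evaluate the detection block of the Sigma rule above against
process_creation events.  Added example; the evaluator is a hand-written
stand-in for a Sigma backend, not pysigma or any catalog code."""

# Value lists copied from the rule body on this page.
SELECTIONS = {
    "selection_tools_name": ["DumpCreds", "mimikatz"],
    "selection_function_names": [
        "::aadcookie", "::detours", "::memssp", "::mflt", "::ncroutemon",
        "::ngcsign", "::printnightmare", "::skeleton", "::preshutdown",
        "::mstsc", "::multirdp",
    ],
    "selection_module_names": [
        "rpc::", "token::", "crypto::", "dpapi::", "sekurlsa::",
        "kerberos::", "lsadump::", "privilege::", "process::", "vault::",
    ],
}


def contains(field_value: str, needle: str) -> bool:
    """Sigma `contains`: substring match, case-insensitive unless `cased` is used."""
    return needle.lower() in field_value.lower()


def fired_selections(event: dict) -> list:
    """Return the names of every selection whose value list hits the CommandLine."""
    cmd = event.get("CommandLine", "")
    return [
        name for name, values in SELECTIONS.items()
        if any(contains(cmd, v) for v in values)
    ]


def rule_matches(event: dict) -> bool:
    """condition: 1 of selection_*  ->  true when at least one selection fires."""
    return len(fired_selections(event)) >= 1


# Constructed sample events (assumed field names follow the Sysmon/Sigma
# process_creation convention: Image and CommandLine).
SAMPLE_EVENTS = [
    # Unrenamed tool with a module prefix on the command line: two selections fire.
    {"Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::<command>" exit'},
    # Renamed binary, upper-cased argument: module prefix still matches.
    {"Image": r"C:\Temp\svc.exe",
     "CommandLine": 'svc.exe "TOKEN::<COMMAND>"'},
    # Benign editor opening a file whose name contains the tool name:
    # a substring match, so selection_tools_name fires on this as well.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes\mimikatz-detection-notes.txt"},
    # Renamed binary started with no arguments: nothing for the rule to see.
    {"Image": r"C:\Temp\svc.exe", "CommandLine": "svc.exe"},
    # Ordinary administrative command line: no match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]


def evaluate_all(events=SAMPLE_EVENTS) -> list:
    """Pair each event's CommandLine with the selections it triggers."""
    return [(e["CommandLine"], fired_selections(e)) for e in events]


if __name__ == "__main__":
    for cmd, fired in evaluate_all():
        verdict = "ALERT" if fired else "ok   "
        print(f"{verdict} {cmd!r} -> {fired}")
```

Two points the run makes visible for anyone tuning this rule: the fourth event shows that modules typed at the tool's own interactive prompt never appear in the process-creation command line, so this rule only covers non-interactive invocations; the third event shows that `contains` on a bare `mimikatz` substring will also fire on file names or paths that merely mention the tool, which is where the rule's `Unlikely` false-positive rating should be checked against your own telemetry.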

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank entry or 1 means the indicator is specific to this rule.

Field
CommandLine
Kind
match
Values
  • ::aadcookie corpus 2 (sigma 1, chronicle 1)
  • ::detours corpus 2 (sigma 1, chronicle 1)
  • ::memssp corpus 2 (sigma 1, chronicle 1)
  • ::mflt corpus 2 (sigma 1, chronicle 1)
  • ::mstsc corpus 2 (sigma 1, chronicle 1)
  • ::multirdp corpus 2 (sigma 1, chronicle 1)
  • ::ncroutemon corpus 2 (sigma 1, chronicle 1)
  • ::ngcsign corpus 2 (sigma 1, chronicle 1)
  • ::preshutdown corpus 2 (sigma 1, chronicle 1)
  • ::printnightmare corpus 2 (sigma 1, chronicle 1)
  • ::skeleton corpus 2 (sigma 1, chronicle 1)
  • DumpCreds corpus 2 (sigma 1, chronicle 1)
  • crypto:: corpus 2 (sigma 1, chronicle 1)
  • dpapi:: corpus 3 (sigma 2, chronicle 1)
  • kerberos:: corpus 3 (sigma 2, chronicle 1)
  • lsadump:: corpus 3 (sigma 2, chronicle 1)
  • mimikatz corpus 2 (sigma 1, chronicle 1)
  • privilege:: corpus 3 (sigma 2, chronicle 1)
  • process:: corpus 2 (sigma 1, chronicle 1)
  • rpc:: corpus 3 (sigma 2, chronicle 1)
  • sekurlsa:: corpus 3 (sigma 2, chronicle 1)
  • token:: corpus 3 (sigma 2, chronicle 1)
  • vault:: corpus 2 (sigma 1, chronicle 1)