title: Mimikatz Command Line
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
description: Detection well-known mimikatz command line arguments
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '*DumpCreds*'
    - '*invoke-mimikatz*'
  SELECTION_3:
    CommandLine:
    - '*rpc*'
    - '*token*'
    - '*crypto*'
    - '*dpapi*'
    - '*sekurlsa*'
    - '*kerberos*'
    - '*lsadump*'
    - '*privilege*'
    - '*process*'
  SELECTION_4:
    CommandLine:
    - '*::*'
  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
falsepositives:
- Legitimate Administrator using tool for password recovery
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2020/09/01
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
ruletype: SIGMA