DustInDark
0cfa806baf
* added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231
47 lines
994 B
YAML
47 lines
994 B
YAML
|
|
title: Mimikatz Use
|
|
author: Florian Roth
|
|
date: 2017/01/10
|
|
description: This method detects mimikatz keywords in different Eventlogs (some of
|
|
them only appear in older Mimikatz version that are however still used by different
|
|
threat groups)
|
|
detection:
|
|
SELECTION_1:
|
|
- \mimikatz
|
|
- mimikatz.exe
|
|
- \mimilib.dll
|
|
- <3 eo.oe
|
|
- eo.oe.kiwi
|
|
- privilege::debug
|
|
- sekurlsa::logonpasswords
|
|
- lsadump::sam
|
|
- mimidrv.sys
|
|
- ' p::d '
|
|
- ' s::l '
|
|
- gentilkiwi.com
|
|
- Kiwi Legit Printer
|
|
condition: (SELECTION_1)
|
|
falsepositives:
|
|
- Naughty administrators
|
|
- Penetration test
|
|
- AV Signature updates
|
|
- Files with Mimikatz in their filename
|
|
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
|
|
level: critical
|
|
logsource:
|
|
product: windows
|
|
modified: 2021/08/26
|
|
status: experimental
|
|
tags:
|
|
- attack.s0002
|
|
- attack.t1003
|
|
- attack.lateral_movement
|
|
- attack.credential_access
|
|
- car.2013-07-001
|
|
- car.2019-04-004
|
|
- attack.t1003.002
|
|
- attack.t1003.004
|
|
- attack.t1003.001
|
|
- attack.t1003.006
|
|
ruletype: SIGMA
|