SigmaHQ/rules/windows/builtin/win_alert_mimikatz_keywords.yml

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
date: 2017/01/10
modified: 2019/10/11
tags:
    - attack.s0002
    - attack.t1003          # an old one
    - attack.lateral_movement
    - attack.credential_access
    - car.2013-07-001
    - car.2019-04-004
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.001
    - attack.t1003.006
logsource:
    product: windows
detection:
    keywords:
        Message:
            - "* mimikatz *"
            - "* mimilib *"
            - "* <3 eo.oe *"
            - "* eo.oe.kiwi *"
            - "* privilege::debug *"
            - "* sekurlsa::logonpasswords *"
            - "* lsadump::sam *"
            - "* mimidrv.sys *"
            - "* p::d *"
            - "* s::l *"
    condition: keywords
falsepositives:
    - Naughty administrators
    - Penetration test
level: critical
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Mimikatz Use`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
rule: mimikatz use extended 2019-10-11 16:50:33 +00:00			`date: 2017/01/10`
			`modified: 2019/10/11`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.s0002`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1003 # an old one`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`- attack.lateral_movement`
			`- attack.credential_access`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-07-001`
			`- car.2019-04-004`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.002`
			`- attack.t1003.004`
			`- attack.t1003.001`
			`- attack.t1003.006`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Example Updates 2016-12-27 13:49:54 +00:00			`detection:`
			`keywords:`
fix: bound windows event log rules to message field Fixed rules - rules/windows/builtin/win_susp_msmpeng_crash.yml - rules/windows/builtin/win_alert_active_directory_user_control.yml - rules/windows/builtin/win_av_relevant_match.yml - rules/windows/builtin/win_mal_creddumper.yml - rules/windows/builtin/win_susp_sam_dump.yml - rules/windows/builtin/win_alert_mimikatz_keywords.yml - rules/windows/builtin/win_alert_enable_weak_encryption.yml 2019-11-02 10:25:29 +00:00			`Message:`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- "* mimikatz *"`
			`- "* mimilib *"`
			`- "* <3 eo.oe *"`
			`- "* eo.oe.kiwi *"`
			`- "* privilege::debug *"`
			`- "* sekurlsa::logonpasswords *"`
			`- "* lsadump::sam *"`
			`- "* mimidrv.sys *"`
			`- "* p::d *"`
			`- "* s::l *"`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`condition: keywords`
Example Updates 2016-12-27 13:49:54 +00:00			`falsepositives:`
			`- Naughty administrators`
Rule review * Typos * Added false positive descriptions 2017-02-24 22:44:42 +00:00			`- Penetration test`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: critical`