SigmaHQ/rules/windows/process_creation/win_mimikatz_command_line.yml

title: Mimikatz Command Line
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
description: Detection well-known mimikatz command line arguments
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2020/09/01
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
    - attack.credential_access
    - attack.t1003          # an old one
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - DumpCreds
            - invoke-mimikatz
    selection_2:
        CommandLine|contains:
            - rpc
            - token
            - crypto
            - dpapi
            - sekurlsa
            - kerberos
            - lsadump
            - privilege
            - process
    selection_3:
        CommandLine|contains:
            - '::'
    condition: selection_1 or selection_2 and selection_3
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: medium
status: experimental
Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test. 2020-02-20 22:00:16 +00:00			`title: Mimikatz Command Line`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: a642964e-bead-4bed-8910-1bb4d63e3b4d`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`description: Detection well-known mimikatz command line arguments`
			`author: Teymur Kheirkhabarov, oscd.community`
			`date: 2019/10/22`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`modified: 2020/09/01`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`references:`
			`- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment`
			`tags:`
			`- attack.credential_access`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`- attack.t1003 # an old one`
			`- attack.t1003.001`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.002`
			`- attack.t1003.004`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`- attack.t1003.005`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.006`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection_1:`
			`CommandLine\|contains:`
			`- DumpCreds`
			`- invoke-mimikatz`
			`selection_2:`
			`CommandLine\|contains:`
			`- rpc`
			`- token`
			`- crypto`
			`- dpapi`
			`- sekurlsa`
			`- kerberos`
			`- lsadump`
			`- privilege`
			`- process`
			`selection_3:`
			`CommandLine\|contains:`
			`- '::'`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`condition: selection_1 or selection_2 and selection_3`
oscd task #2 completed - new rules: + rules/windows/builtin/win_susp_lsass_dump_generic.yml + rules/windows/builtin/win_transferring_files_with_credential_data_via_ne twork_shares.yml + rules/windows/builtin/win_remote_registry_management_using_reg_utility.y ml + rules/windows/sysmon/sysmon_unsigned_image_loaded_into_lsass.yml + rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml + rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml + rules/windows/sysmon/sysmon_cred_dump_tools_dropped_files.yml + rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml + rules/windows/process_creation/process_creation_shadow_copies_creation.y ml + rules/windows/process_creation/process_creation_shadow_copies_deletion.y ml + rules/windows/process_creation/process_creation_copying_sensitive_files_ with_credential_data.yml + rules/windows/process_creation/process_creation_shadow_copies_access_sym link.yml + rules/windows/process_creation/process_creation_grabbing_sensitive_hives _via_reg.yml + rules/windows/process_creation/process_creation_mimikatz_command_line.ym l + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_dcsync.yml + rules/windows/unsupported_logic/builtin/dumping_ntds.dit_via_netsync.yml .yml - updated rules: + rules/windows/builtin/win_susp_raccess_sensitive_fext.yml + rules/windows/builtin/win_mal_creddumper.yml + rules/windows/builtin/win_mal_service_installs.yml + rules/windows/process_creation/win_susp_process_creations.yml + rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml + rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml - deprecated rules: + rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 2019-11-04 01:26:34 +00:00			`falsepositives:`
			`- Legitimate Administrator using tool for password recovery`
			`level: medium`
			`status: experimental`