description: Mimikatz Usage
comment: This method detects Mimikatz keywords in different Event Logs (some of them only appear in older Mimikatz versions, which are however still used by different threat groups)
detection:
  selection:
    EventLog:
      - Security
      - System
      - Application
  keywords:
    - mimikatz
    - mimilib
    - <3 eo.oe
    - eo.oe.kiwi
    - privilege::debug
    - sekurlsa::logonpasswords
    - lsadump::sam
  condition: selection and 1 of keywords
falsepositives:
  - Naughty administrators
  - Penetration test
level: 100
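The following is an added example, not part of the rule above or of any Sigma tooling: it evaluates the rule's logic (events from one of the three listed Event Logs that contain at least one keyword) against a handful of constructed event records. The event dictionaries, the `EventLog`/`EventID`/`Message` field names and the assumption that a keyword list is searched case-insensitively across every field of the event are all choices made for this example.

```python
"""Evaluate the Mimikatz keyword rule against constructed Windows events.

The rule's condition is "selection and 1 of keywords": the event must come
from the Security, System or Application log AND contain at least one of the
listed keywords. Keyword matching is treated as a case-insensitive substring
search over all fields of the event (an assumption for this example).
"""

# Same values as the rule's `selection` and `keywords` sections.
SELECTED_LOGS = {"Security", "System", "Application"}
KEYWORDS = [
    "mimikatz",
    "mimilib",
    "<3 eo.oe",
    "eo.oe.kiwi",
    "privilege::debug",
    "sekurlsa::logonpasswords",
    "lsadump::sam",
]


def matched_keywords(event: dict) -> list[str]:
    """Return the rule keywords found anywhere in the event, case-insensitively.

    Every field value is searched, not only the message body, so a keyword in
    a process path or service file name is caught as well.
    """
    haystack = " ".join(str(value) for value in event.values()).lower()
    return [kw for kw in KEYWORDS if kw.lower() in haystack]


def rule_matches(event: dict) -> bool:
    """Implement `condition: selection and 1 of keywords`."""
    in_selected_log = event.get("EventLog") in SELECTED_LOGS
    return in_selected_log and bool(matched_keywords(event))


def evaluate(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, matched keywords) for each event the rule fires on."""
    return [(i, matched_keywords(e)) for i, e in enumerate(events) if rule_matches(e)]


# Constructed sample events for illustration; not real log data.
SAMPLE_EVENTS = [
    {"EventLog": "Security", "EventID": 4688,
     "Message": "New Process Name: C:\\Tools\\mimikatz.exe"},
    {"EventLog": "System", "EventID": 7045,
     "Message": "A service was installed. Service File Name: mimilib.dll"},
    {"EventLog": "Application", "EventID": 1000,
     "Message": "Faulting application backup.exe"},
    # Contains keywords but comes from a log outside the rule's selection,
    # so the rule must NOT fire on it.
    {"EventLog": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Message": "CommandLine: mimikatz.exe privilege::debug"},
    # Mixed-case variants still match because the comparison is lowercased.
    {"EventLog": "Security", "EventID": 4104,
     "Message": "privilege::Debug sekurlsa::LogonPasswords"},
]


if __name__ == "__main__":
    for idx, kws in evaluate(SAMPLE_EVENTS):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['EventLog']}): {', '.join(kws)}")
```

Running the script reports events 0, 1 and 4; event 3 is skipped even though it carries two keywords, which shows why the `selection` on the Event Log name matters when the same rule is applied to a SIEM that also ingests Sysmon or PowerShell channels.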