SigmaHQ/rules/windows/builtin/win_alert_mimikatz_keywords.yml

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
date: 2017/01/10
modified: 2019/10/11
tags:
    - attack.s0002
    - attack.t1003          # an old one
    - attack.lateral_movement
    - attack.credential_access
    - car.2013-07-001
    - car.2019-04-004
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.001
    - attack.t1003.006
logsource:
    product: windows
detection:
    keywords:
        Message|contains:
            - "mimikatz"
            - "mimilib"
            - "<3 eo.oe"
            - "eo.oe.kiwi"
            - "privilege::debug"
            - "sekurlsa::logonpasswords"
            - "lsadump::sam"
            - "mimidrv.sys"
            - " p::d "
            - " s::l "
    condition: keywords
falsepositives:
    - Naughty administrators
    - Penetration test
level: critical
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Mimikatz Use`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
rule: mimikatz use extended 2019-10-11 16:50:33 +00:00			`date: 2017/01/10`
			`modified: 2019/10/11`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.s0002`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1003 # an old one`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`- attack.lateral_movement`
			`- attack.credential_access`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-07-001`
			`- car.2019-04-004`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1003.002`
			`- attack.t1003.004`
			`- attack.t1003.001`
			`- attack.t1003.006`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Example Updates 2016-12-27 13:49:54 +00:00			`detection:`
			`keywords:`
Update win_alert_mimikatz_keywords.yml 2020-10-15 18:11:10 +00:00			`Message\|contains:`
			`- "mimikatz"`
			`- "mimilib"`
			`- "<3 eo.oe"`
			`- "eo.oe.kiwi"`
			`- "privilege::debug"`
			`- "sekurlsa::logonpasswords"`
			`- "lsadump::sam"`
			`- "mimidrv.sys"`
			`- " p::d "`
			`- " s::l "`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`condition: keywords`
Example Updates 2016-12-27 13:49:54 +00:00			`falsepositives:`
			`- Naughty administrators`
Rule review * Typos * Added false positive descriptions 2017-02-24 22:44:42 +00:00			`- Penetration test`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: critical`