SigmaHQ/rules/windows/builtin/win_alert_mimikatz_keywords.yml

title: Mimikatz Use
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
tags:
    - attack.s0002
    - attack.t1003
    - attack.lateral_movement
    - attack.credential_access
    - car.2013-07-001
    - car.2019-04-004
logsource:
    product: windows
detection:
    keywords:
        - "* mimikatz *"
        - "* mimilib *"
        - "* <3 eo.oe *"
        - "* eo.oe.kiwi *"
        - "* privilege::debug *"
        - "* sekurlsa::logonpasswords *"
        - "* lsadump::sam *"
        - "* mimidrv.sys *"
    condition: keywords
falsepositives:
    - Naughty administrators
    - Penetration test
level: critical
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Mimikatz Use`
Consistency between format description and examples - description/comment -> title/description - addition of reference 2017-01-10 21:40:59 +00:00			`description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.s0002`
ATT&CK tagging QA 2018-09-20 10:44:44 +00:00			`- attack.t1003`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`- attack.lateral_movement`
			`- attack.credential_access`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-07-001`
			`- car.2019-04-004`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Example Updates 2016-12-27 13:49:54 +00:00			`detection:`
			`keywords:`
Added wildcards to rule values These values appear somewhere in a log message, therefore wildcards are required. 2019-05-20 23:03:20 +00:00			`- "* mimikatz *"`
			`- "* mimilib *"`
			`- "* <3 eo.oe *"`
			`- "* eo.oe.kiwi *"`
			`- "* privilege::debug *"`
			`- "* sekurlsa::logonpasswords *"`
			`- "* lsadump::sam *"`
			`- "* mimidrv.sys *"`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`condition: keywords`
Example Updates 2016-12-27 13:49:54 +00:00			`falsepositives:`
			`- Naughty administrators`
Rule review * Typos * Added false positive descriptions 2017-02-24 22:44:42 +00:00			`- Penetration test`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: critical`