title: Mimikatz Usage
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are, however, still used by different threat groups)
author: Florian Roth
logsource:
    product: windows
detection:
    selection:
        EventLog:
            - Security
            - System
            - Application
            - Microsoft-Windows-Sysmon/Operational
    keywords:
        - mimikatz
        - mimilib
        - <3 eo.oe
        - eo.oe.kiwi
        - privilege::debug
        - sekurlsa::logonpasswords
        - lsadump::sam
        - mimidrv.sys
    condition: selection and 1 of keywords
falsepositives:
    - Naughty administrators
    - Penetration test
level: critical