SigmaHQ/rules/windows/builtin/win_alert_mimikatz_keywords.yml
Thomas Patzke 15c6f9411b Rule review
* Typos
* Added false positive descriptions
2017-02-24 23:44:42 +01:00


```yaml
title: Mimikatz Usage
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
author: Florian Roth
logsource:
    product: windows
detection:
    # Scope the keyword search to the event log channels listed here
    selection:
        EventLog:
            - Security
            - System
            - Application
            - Microsoft-Windows-Sysmon/Operational
    # Sigma keyword lists are matched as case-insensitive substrings anywhere in the event
    keywords:
        - mimikatz
        - mimilib
        - <3 eo.oe
        - eo.oe.kiwi
        - privilege::debug
        - sekurlsa::logonpasswords
        - lsadump::sam
        - mimidrv.sys
    condition: selection and 1 of keywords
falsepositives:
    - Naughty administrators
    - Penetration test
level: critical
```
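As an added example (not code from the SigmaHQ repository), the rule's `selection and 1 of keywords` logic expressed in Python: Sigma keyword lists are matched case-insensitively as substrings across the whole event, which is why the `EventLog` selection is needed to scope the search. The sample events are constructed, not real telemetry.

```python
# Values taken from the rule above (EventLog selection and keyword list).
EVENT_LOGS = {"Security", "System", "Application",
              "Microsoft-Windows-Sysmon/Operational"}
KEYWORDS = ["mimikatz", "mimilib", "<3 eo.oe", "eo.oe.kiwi", "privilege::debug",
            "sekurlsa::logonpasswords", "lsadump::sam", "mimidrv.sys"]


def keyword_hits(event: dict) -> list:
    """Return the rule keywords found in the event.

    Sigma 'keywords' entries match case-insensitively as substrings of any
    field, so every field value is joined into one lower-cased haystack.
    """
    haystack = " ".join(str(v) for v in event.values()).lower()
    return [k for k in KEYWORDS if k.lower() in haystack]


def matches_rule(event: dict) -> bool:
    """Implements 'condition: selection and 1 of keywords'."""
    in_selected_log = event.get("EventLog") in EVENT_LOGS
    return in_selected_log and len(keyword_hits(event)) >= 1


# Constructed sample events (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    {"EventLog": "Security", "EventID": 4688,
     "CommandLine": "C:\\tools\\x.exe privilege::debug sekurlsa::logonpasswords"},
    {"EventLog": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": "C:\\Windows\\Temp\\MIMIDRV.SYS"},      # case-insensitive hit
    {"EventLog": "Application", "EventID": 1000,
     "Message": "Backup job completed without errors"},     # benign, no keyword
    {"EventLog": "Setup", "EventID": 2,
     "Message": "Installer ran mimikatz.exe"},              # keyword, but log not selected
]


def evaluate(events):
    """Return (EventID, alert?, matched keywords) for each event."""
    return [(e["EventID"], matches_rule(e), keyword_hits(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit, kws in evaluate(SAMPLE_EVENTS):
        print(f"EventID {event_id}: {'ALERT' if hit else 'no match'} {kws}")
```

The last sample shows the trade-off in the rule: the keyword is present, but because the channel is not in `selection` the event is not alerted on.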