valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c2e621cf08
SigmaHQ/rules/windows/builtin/win_alert_mimikatz_keywords.yml
Karneades 68fd20cb66 fix: bound windows event log rules to message field 
Fixed rules
- rules/windows/builtin/win_susp_msmpeng_crash.yml
- rules/windows/builtin/win_alert_active_directory_user_control.yml
- rules/windows/builtin/win_av_relevant_match.yml
- rules/windows/builtin/win_mal_creddumper.yml
- rules/windows/builtin/win_susp_sam_dump.yml
- rules/windows/builtin/win_alert_mimikatz_keywords.yml
- rules/windows/builtin/win_alert_enable_weak_encryption.yml
2019-11-02 11:25:29 +01:00

33 lines
866 B
YAML
Raw Blame History

title: Mimikatz Use
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
author: Florian Roth
date: 2017/01/10
modified: 2019/10/11
tags:
- attack.s0002
- attack.t1003
- attack.lateral_movement
- attack.credential_access
- car.2013-07-001
- car.2019-04-004
logsource:
product: windows
detection:
keywords:
Message:
- "* mimikatz *"
- "* mimilib *"
- "* <3 eo.oe *"
- "* eo.oe.kiwi *"
- "* privilege::debug *"
- "* sekurlsa::logonpasswords *"
- "* lsadump::sam *"
- "* mimidrv.sys *"
- "* p::d *"
- "* s::l *"
condition: keywords
falsepositives:
- Naughty administrators
- Penetration test
level: critical
Reference in New Issue View Git Blame Copy Permalink