mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
44 lines
1.2 KiB
YAML
44 lines
1.2 KiB
YAML
title: Mimikatz Command Line
|
|
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
|
|
description: Detection well-known mimikatz command line arguments
|
|
author: Teymur Kheirkhabarov, oscd.community
|
|
date: 2019/10/22
|
|
modified: 2020/09/01
|
|
references:
|
|
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003 # an old one
|
|
- attack.t1003.001
|
|
- attack.t1003.002
|
|
- attack.t1003.004
|
|
- attack.t1003.005
|
|
- attack.t1003.006
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_1:
|
|
CommandLine|contains:
|
|
- DumpCreds
|
|
- invoke-mimikatz
|
|
selection_2:
|
|
CommandLine|contains:
|
|
- rpc
|
|
- token
|
|
- crypto
|
|
- dpapi
|
|
- sekurlsa
|
|
- kerberos
|
|
- lsadump
|
|
- privilege
|
|
- process
|
|
selection_3:
|
|
CommandLine|contains:
|
|
- '::'
|
|
condition: selection_1 or selection_2 and selection_3
|
|
falsepositives:
|
|
- Legitimate Administrator using tool for password recovery
|
|
level: medium
|
|
status: experimental
|