LoFP / mimikatz can be useful for testing the security of networks

Techniques

Sample rules

Potential Invoke-Mimikatz PowerShell Script

Description

Detects the Invoke-Mimikatz PowerShell script and similar scripts. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Detection logic

condition: 1 of selection*
selection_1:
  ScriptBlockText|contains|all:
  - DumpCreds
  - DumpCerts
selection_2:
  ScriptBlockText|contains: sekurlsa::logonpasswords
selection_3:
  ScriptBlockText|contains|all:
  - crypto::certificates
  - CERT_SYSTEM_STORE_LOCAL_MACHINE
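To show how the condition and selections above evaluate against script-block events, here is an added Python example (not part of the LoFP page or the Sigma rule itself) that applies the rule to a few constructed 4104-style events; Sigma's default case-insensitive `contains` semantics and the `id` field on each event are assumptions of this example.

```python
# Rule selections from the page, expressed as data. A plain "contains" with a
# single value is treated as an "all" list of length one.
RULE_SELECTIONS = {
    "selection_1": {"field": "ScriptBlockText", "all": ["DumpCreds", "DumpCerts"]},
    "selection_2": {"field": "ScriptBlockText", "all": ["sekurlsa::logonpasswords"]},
    "selection_3": {"field": "ScriptBlockText",
                    "all": ["crypto::certificates", "CERT_SYSTEM_STORE_LOCAL_MACHINE"]},
}

# Constructed sample events modelled on PowerShell ScriptBlock logging
# (ScriptBlockText); these are not real captured telemetry.
SAMPLE_EVENTS = [
    {"id": "A", "ScriptBlockText": "function Invoke-Mimikatz { [CmdletBinding()] "
                                   "Param([Switch] $DumpCreds, [Switch] $DumpCerts) }"},
    {"id": "B", "ScriptBlockText": 'Invoke-Mimikatz -Command "sekurlsa::logonpasswords"'},
    {"id": "C", "ScriptBlockText": "crypto::certificates /systemstore:"
                                   "CERT_SYSTEM_STORE_LOCAL_MACHINE"},
    {"id": "D", "ScriptBlockText": "Get-ChildItem Cert:\\LocalMachine\\My"},  # benign
    {"id": "E", "ScriptBlockText": "Invoke-Mimikatz -DumpCreds"},  # only one of two keywords
]


def matched_selections(event: dict) -> list:
    """Return the names of every selection whose keywords all appear in the field.

    Sigma string modifiers compare case-insensitively by default, so both the
    field value and the keywords are lower-cased before the substring test.
    """
    hits = []
    for name, sel in RULE_SELECTIONS.items():
        value = str(event.get(sel["field"], "")).lower()
        if all(needle.lower() in value for needle in sel["all"]):
            hits.append(name)
    return hits


def rule_fires(event: dict) -> bool:
    # condition: 1 of selection*  -> at least one selection must match
    return len(matched_selections(event)) >= 1


def triage(events: list) -> list:
    """List (event id, matched selections) for each event that fires the rule."""
    return [(e["id"], matched_selections(e)) for e in events if rule_fires(e)]


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Event E shows why `contains|all` matters for tuning: a single parameter name alone does not fire selection_1, which keeps one-off benign mentions out of the alert while the full script body (event A) still matches.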