Mimikatz Use
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.004
  - t1003.006
Description
This rule detects Mimikatz keywords in various Windows event logs. Some of these keywords only appear in older Mimikatz versions, which are nevertheless still used by a number of threat groups.
Detection logic
  condition: keywords and not filter
  filter:
    EventID: 15
  keywords:
    - dpapi::masterkey
    - eo.oe.kiwi
    - event::clear
    - event::drop
    - gentilkiwi.com
    - kerberos::golden
    - kerberos::ptc
    - kerberos::ptt
    - kerberos::tgt
    - Kiwi Legit Printer
    - 'lsadump::'
    - mimidrv.sys
    - \mimilib.dll
    - misc::printnightmare
    - misc::shadowcopies
    - misc::skeleton
    - privilege::backup
    - privilege::debug
    - privilege::driver
    - 'sekurlsa::'
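The condition above, evaluated over a few constructed event records, as an added example that is not part of the original rule or of the Sigma project. It treats keyword matching as a case-insensitive substring search across every field of the event (an assumption about how the backend handles Sigma keywords) and applies the EventID 15 filter exactly as the rule states; the sample events are invented.

```python
"""Evaluate the 'Mimikatz Use' keyword rule over constructed Windows events."""
from typing import Any

# Keyword list copied from the rule's detection block.
KEYWORDS = [
    "dpapi::masterkey", "eo.oe.kiwi", "event::clear", "event::drop",
    "gentilkiwi.com", "kerberos::golden", "kerberos::ptc", "kerberos::ptt",
    "kerberos::tgt", "Kiwi Legit Printer", "lsadump::", "mimidrv.sys",
    "\\mimilib.dll", "misc::printnightmare", "misc::shadowcopies",
    "misc::skeleton", "privilege::backup", "privilege::debug",
    "privilege::driver", "sekurlsa::",
]
FILTER_EVENT_ID = 15  # the rule's filter: events with EventID 15 are excluded


def matched_keywords(event: dict[str, Any]) -> list[str]:
    """Return every rule keyword found in any field of the event.

    Assumption: keywords are case-insensitive substring matches over all fields.
    """
    haystack = " ".join(str(v) for v in event.values()).lower()
    return [k for k in KEYWORDS if k.lower() in haystack]


def is_alert(event: dict[str, Any]) -> bool:
    """Sigma condition 'keywords and not filter'."""
    if event.get("EventID") == FILTER_EVENT_ID:
        return False  # filter matched: suppressed even if a keyword is present
    return bool(matched_keywords(event))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 15, "TargetFilename": r"C:\Users\a\Downloads\tool.zip:Zone.Identifier", "Contents": "gentilkiwi.com"},
    {"EventID": 7045, "ImagePath": r"C:\Windows\Temp\mimidrv.sys", "ServiceName": "mimidrv"},
    {"EventID": 4688, "CommandLine": "notepad.exe report.txt"},
]


def triage(events: list[dict[str, Any]]) -> list[tuple[int, list[str]]]:
    """Return (EventID, matched keywords) for every event the rule would flag."""
    return [(e["EventID"], matched_keywords(e)) for e in events if is_alert(e)]


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, hits)
```

The second sample carries a keyword but is dropped by the EventID 15 filter, which is the behaviour the condition `keywords and not filter` specifies.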