LoFP / Other tools can import the same DLLs; these tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.

Techniques

Sample rules

Detect Mimikatz Using Loaded Images

Description

This search looks for a single process loading the set of images (DLLs) characteristic of credential dumping with Mimikatz. Deprecated because the libraries Mimikatz loads have changed and Sysmon Event Code 7 (image load) is a very noisy event.

Detection logic

`sysmon` EventCode=7 
| stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId min(_time) as firstTime max(_time) as lastTime by dest, Image 
| search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_mimikatz_using_loaded_images_filter`
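To show how the rule and its false-positive handling behave over concrete telemetry, the following Python is an added example, not part of the LoFP page, the rule, or Splunk's code. It reimplements the `stats` and `search` stages over constructed Sysmon EventCode 7 (image load) records, then applies the kind of allow-list filter the note at the top recommends. Sysmon's image-load event carries no parent-process field, so the parent filter is done by joining to constructed EventCode 1 (process create) records on ProcessGuid. The `detect`, `apply_filter` and `run_example` functions, the allow-listed paths, the vendor and smart-card tool names, and every event are assumptions made for this example.

```python
"""Offline re-implementation of the "Detect Mimikatz Using Loaded Images" logic.

Added example; it is not the LoFP page's or Splunk's own code. It mirrors the SPL
above: group Sysmon EventCode=7 image loads by host and process image, keep groups
whose loaded images cover every listed DLL, then suppress known-good processes the
way a site's `detect_mimikatz_using_loaded_images_filter` macro would. Sysmon Event 7
carries no parent-process field, so the parent filter joins to EventCode=1 (process
create) records on ProcessGuid. All events and allow-lists below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# DLL basenames the search requires one process to have loaded (from the rule).
MIMIKATZ_DLLS = ("winscard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")
SYS32 = r"C:\Windows\System32"


def _proc_events(dest, guid, pid, image, parent, dlls, t0):
    """Constructed telemetry: one EventCode=1 record plus one EventCode=7 per DLL."""
    base = datetime.strptime(t0, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    events = [{"EventCode": 1, "dest": dest, "ProcessGuid": guid, "ProcessId": pid,
               "Image": image, "ParentImage": parent, "UtcTime": base}]
    for i, dll in enumerate(dlls, start=1):
        events.append({"EventCode": 7, "dest": dest, "ProcessGuid": guid, "ProcessId": pid,
                       "Image": image, "ImageLoaded": rf"{SYS32}\{dll}",
                       "UtcTime": base + timedelta(seconds=i)})
    return events


SAMPLE_EVENTS = (
    # Mimikatz run from a shell: co-loads all five -> true positive.
    _proc_events("wks01", "{A1}", 4321, r"C:\Users\bob\Desktop\mimikatz.exe",
                 rf"{SYS32}\cmd.exe", ["ntdll.dll", *MIMIKATZ_DLLS], "2024-05-01 10:00:00")
    # PowerShell doing credential work co-loads them too (the LoFP case); still flagged.
    + _proc_events("wks01", "{B2}", 5120, rf"{SYS32}\WindowsPowerShell\v1.0\powershell.exe",
                   r"C:\Windows\explorer.exe", [*MIMIKATZ_DLLS], "2024-05-01 10:05:00")
    # Hypothetical vendor helper spawned by its own service: suppressed by parent.
    + _proc_events("srv02", "{C3}", 880, r"C:\Program Files\VendorAgent\credhelper.exe",
                   r"C:\Program Files\VendorAgent\agentsvc.exe", [*MIMIKATZ_DLLS], "2024-05-01 10:07:00")
    # Hypothetical smart-card tool: all five, suppressed by image allow-list.
    + _proc_events("wks01", "{D4}", 6001, r"C:\Program Files\SmartCardTool\sctool.exe",
                   r"C:\Windows\explorer.exe", [*MIMIKATZ_DLLS], "2024-05-01 10:09:00")
    # Only three of the five: never a finding, regardless of filtering.
    + _proc_events("wks01", "{E5}", 7040, r"C:\Tools\tool.exe", rf"{SYS32}\cmd.exe",
                   ["winscard.dll", "hid.dll", "samlib.dll"], "2024-05-01 10:11:00")
)


def detect(events, required=MIMIKATZ_DLLS):
    """The `stats ... by dest, Image | search ImageLoaded=*a.dll ImageLoaded=*b.dll ...`
    stages: one finding per (dest, Image) whose loaded images end with every required
    name (Splunk field matching is case-insensitive, so compare lower-cased)."""
    groups = defaultdict(lambda: {"loaded": set(), "pids": set(), "guids": set(), "times": []})
    for e in events:
        if e.get("EventCode") != 7:
            continue
        g = groups[(e["dest"], e["Image"])]
        g["loaded"].add(e["ImageLoaded"].lower())
        g["pids"].add(e["ProcessId"])
        g["guids"].add(e["ProcessGuid"])
        g["times"].append(e["UtcTime"])
    findings = []
    for (dest, image), g in groups.items():
        if all(any(p.endswith(dll.lower()) for p in g["loaded"]) for dll in required):
            findings.append({"dest": dest, "Image": image, "ProcessId": sorted(g["pids"]),
                             "ProcessGuid": g["guids"], "firstTime": min(g["times"]),
                             "lastTime": max(g["times"])})
    return sorted(findings, key=lambda f: (f["dest"], f["Image"]))


def apply_filter(findings, events, allowed_images=(), allowed_parents=()):
    """Stand-in for the site-specific filter macro (hypothetical allow-lists).
    Drops a finding when its image is allow-listed, or when every process behind it
    was spawned by an allow-listed parent (joined to EventCode=1 via ProcessGuid).
    A finding with any process of unknown or non-allow-listed parentage is kept."""
    parent_of = {(e["dest"], e["ProcessGuid"]): e["ParentImage"].lower()
                 for e in events if e.get("EventCode") == 1}
    images = {a.lower() for a in allowed_images}
    parents = {a.lower() for a in allowed_parents}
    kept = []
    for f in findings:
        if f["Image"].lower() in images:
            continue
        seen = {parent_of.get((f["dest"], guid), "") for guid in f["ProcessGuid"]}
        if seen and seen <= parents:  # "" (no EventCode=1 seen) is never allow-listed
            continue
        kept.append(f)
    return kept


def run_example():
    """Raw hits, then hits after the allow-lists: mimikatz and powershell remain."""
    raw = detect(SAMPLE_EVENTS)
    filtered = apply_filter(raw, SAMPLE_EVENTS,
                            allowed_images=[r"C:\Program Files\SmartCardTool\sctool.exe"],
                            allowed_parents=[r"C:\Program Files\VendorAgent\agentsvc.exe"])
    return raw, filtered


if __name__ == "__main__":
    raw, filtered = run_example()
    for f in filtered:
        print(f"{f['dest']} {f['Image']} pids={f['ProcessId']} "
              f"{f['firstTime']:%H:%M:%S}-{f['lastTime']:%H:%M:%S}")
```

Two points the run makes that the SPL alone does not: the grouping is by `(dest, Image)`, so every PID of the same executable on a host is merged into one finding, and the parent-process filter the note recommends cannot be expressed inside the EventCode=7 search itself; in Splunk it would be a join or lookup against EventCode=1 data keyed on ProcessGuid, and an allow-listed parent should only suppress a finding when all of its contributing processes share that parentage. PowerShell is deliberately left in the results because the note says it is a known source of noise but not one that can be safely allow-listed wholesale.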