the activity may be legitimate. powershell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.

t1003.001
windows
splunk

Techniques

T1003.001

Sample rules

Detect Mimikatz Via PowerShell And EventCode 4703

source: splunk
technicques:
- T1003.001

Description

This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.

Detection logic

`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe 
| rex field=Message "Enabled Privileges:\s+(?<privs>\w+)\s+Disabled Privileges:" 
| where privs="SeDebugPrivilege" 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message 
| rename privs as "Enabled Privilege" 
| rename Process_Name as process 
|  `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_mimikatz_via_powershell_and_eventcode_4703_filter`