This method detects Mimikatz keywords in different event logs (some of them appear only in older Mimikatz versions, which are however still used by various threat groups).
- Elastic Query
event.message:(*mimikatz* OR *mimilib* OR *<3\ eo.oe* OR *eo.oe.kiwi* OR *privilege\:\:debug* OR *sekurlsa\:\:logonpasswords* OR *lsadump\:\:sam* OR *mimidrv.sys*)
- QRadar AQL
/* Mimikatz keyword hunt over Windows Security event payloads (QRadar AQL).
   Scope: only log sources whose type name contains "Microsoft Windows Security Event Log".
   Every predicate is a case-insensitive substring match (ILIKE) on the decoded
   payload, so benign mentions of these strings (e.g. tooling or documentation
   text inside an event) will also match; review hits rather than alerting blindly. */
SELECT
    UTF8(payload) AS search_payload
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Security Event Log%'
    AND (
        search_payload ILIKE '%mimikatz%'
        OR search_payload ILIKE '%mimilib%'
        OR search_payload ILIKE '%<3 eo.oe%'
        OR search_payload ILIKE '%eo.oe.kiwi%'
        OR search_payload ILIKE '%privilege::debug%'
        OR search_payload ILIKE '%sekurlsa::logonpasswords%'
        OR search_payload ILIKE '%lsadump::sam%'
        OR search_payload ILIKE '%mimidrv.sys%'
    )
- Splunk
("mimikatz" OR "mimilib" OR "<3 eo.oe" OR "eo.oe.kiwi" OR "privilege::debug" OR "sekurlsa::logonpasswords" OR "lsadump::sam" OR "mimidrv.sys")
- EDR Carbon Black
(mimikatz OR mimilib OR <3 eo.oe OR eo.oe.kiwi OR privilege::debug OR sekurlsa::logonpasswords OR lsadump::sam OR mimidrv.sys)
- Windows PowerShell
# Mimikatz keyword hunt over Windows event log messages.
# -match is a case-insensitive regex test, so the unescaped '.' in
# 'eo.oe.kiwi' and 'mimidrv.sys' matches any single character (slightly
# broader than a literal substring match). Plain-text keyword hits can also
# come from benign sources (e.g. tooling or documentation text in an event).
# NOTE(review): Get-WinEvent is called without -LogName/-FilterHashtable here;
# confirm it runs as-is on the target host, and consider scoping it to the
# relevant log to bound the amount of data read.
Get-WinEvent |
    Where-Object {
        $_.Message -match 'mimikatz' -or
        $_.Message -match 'mimilib' -or
        $_.Message -match '<3 eo.oe' -or
        $_.Message -match 'eo.oe.kiwi' -or
        $_.Message -match 'privilege::debug' -or
        $_.Message -match 'sekurlsa::logonpasswords' -or
        $_.Message -match 'lsadump::sam' -or
        $_.Message -match 'mimidrv.sys'
    } |
    Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message
- Qualys
(mimikatz or mimilib or <3 eo.oe or eo.oe.kiwi or privilege::debug or sekurlsa::logonpasswords or lsadump::sam or mimidrv.sys)