← Library
kqlElastic-2.0from elastic/detection-rules

Potential Invoke-Mimikatz PowerShell Script

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1003T1003.001T1649T1059T1059.001
Rule sourcerules/windows/credential_access_mimikatz_powershell_module.toml
event.category:process and host.os.type:windows and
powershell.file.script_block_text:(
  (DumpCreds and
  DumpCerts) or
  "sekurlsa::logonpasswords" or
  ("crypto::certificates" and
  "CERT_SYSTEM_STORE_LOCAL_MACHINE")
)