← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Invoke-Mimikatz PowerShell Script

Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Quality
76
FP risk
Forks
0
Views
0
ATT&CK techniques
T1003
Rule sourcerules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: ps_script
    product: windows
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'DumpCreds'
            - 'DumpCerts'
    selection_2:
        ScriptBlockText|contains: 'sekurlsa::logonpasswords'
    selection_3:
        ScriptBlockText|contains|all:
            - 'crypto::certificates'
            - 'CERT_SYSTEM_STORE_LOCAL_MACHINE'
    condition: 1 of selection*
falsepositives:
    - Mimikatz can be useful for testing the security of networks
level: high