Detecting the presence of Mimikatz tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to detect instances of Mimikatz, a powerful tool that attackers often use to steal credentials from compromised systems. Mimikatz can extract passwords and other sensitive information from memory, bypass authentication mechanisms, and escalate privileges within a network.

Data source:

Windows: user account, process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0006 - Credential Access

Techniques: T1003 OS Credential Dumping

Sub-techniques: T1003.001 - LSASS Memory, T1003.002 - Security Account Manager

Criteria:

Process name contains mimikatz: This part of the rule checks if the name of a running process contains "mimikatz".

Process name contains delpy: This checks if the process name includes "delpy". Delpy is a Python library sometimes misused for credential theft or other malicious activities.

Process name contains gentilkiwi: This part looks for processes with "gentilkiwi" in the name. Gentilkiwi is another tool used for credential extraction and other privilege escalation techniques.

Command line contains mimikatz: This part checks the command line arguments used to launch a process. If the command line includes "mimikatz", the rule triggers even if the process name itself doesn't contain it explicitly.
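The four criteria above, re-implemented as a small matcher run over constructed Sysmon Event ID 1 (process creation) records. This is an added example, not the product's rule engine; the event dictionaries, field names (`Image`, `CommandLine`, `EventID`, which are the Sysmon field names) and the sample values are constructed for illustration.

```python
"""Toy implementation of the page's Mimikatz correlation criteria.

Runs over Sysmon Event ID 1 (process creation) records. Matching is
case-insensitive substring matching, exactly as the rule describes it.
All sample data below is constructed, not captured from a real host.
"""
import ntpath

# Substrings checked against the process name (Image) and the command line.
NAME_MARKERS = ("mimikatz", "delpy", "gentilkiwi")
CMDLINE_MARKERS = ("mimikatz",)

# Constructed Sysmon events, reduced to the fields the rule needs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\MIMIKATZ.EXE",
     "CommandLine": r'"C:\Users\bob\Downloads\MIMIKATZ.EXE"'},
    # Renamed binary: the name is clean, the command line is not.
    {"EventID": 1, "Image": r"C:\Temp\update.exe",
     "CommandLine": r'"C:\Temp\update.exe" --config mimikatz.ini'},
    {"EventID": 1, "Image": r"C:\Tools\gentilkiwi-build.exe",
     "CommandLine": r'"C:\Tools\gentilkiwi-build.exe"'},
    # Benign reference that still fires (substring match on the command line).
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" mimikatz_notes.txt'},
    # Not a process-creation event: ignored by the rule.
    {"EventID": 3, "Image": r"C:\Users\bob\Downloads\mimikatz.exe",
     "CommandLine": ""},
]


def match_event(event):
    """Return the list of criteria the event satisfies (empty if none)."""
    if event.get("EventID") != 1:
        return []
    name = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = [f"process name contains {m}" for m in NAME_MARKERS if m in name]
    hits += [f"command line contains {m}" for m in CMDLINE_MARKERS if m in cmdline]
    return hits


def scan(events):
    """Build one alert per matching event, tagged with the page's ATT&CK mapping."""
    alerts = []
    for event in events:
        hits = match_event(event)
        if hits:
            alerts.append({"rule": "Detecting the presence of Mimikatz tool",
                           "tactic": "TA0006", "technique": "T1003",
                           "sub_techniques": ["T1003.001", "T1003.002"],
                           "image": event["Image"], "matched": hits})
    return alerts
```

The fifth sample shows why triage (the "Next steps" section) matters: a plain substring match also fires on a benign file whose name merely mentions mimikatz.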

When to enable this rule:

Enable this rule when the user wants to detect suspicious activity that might indicate credential theft attempts.

Compliance mapping (NIST, CIS):

Enabling this rule will help you meet the requirements of the security standards listed below:

NIST Cybersecurity Framework (CSF):

Anomalies in System Process Execution (DE.AE-1): Unusual processes or command-line arguments that match known Mimikatz patterns. This includes unexpected invocation of credential dumping tools or utilities often leveraged by such tools.

Irregular Access to Credential Stores (DE.CM-1): Unauthorized access attempts or modifications to areas of the system where credentials are stored, such as the Security Accounts Manager (SAM) database, or creation of memory dumps from the Local Security Authority Subsystem Service (LSASS) process.

Unusual Network Traffic Patterns (DE.AE-1): Detection of network traffic to uncommon ports or endpoints, which may indicate data exfiltration attempts characteristic of the post-exploitation phase following the use of Mimikatz.

Security Log Anomalies (DE.CM-7): Alerts or log entries showing clear signs of tampering, deletion, or suspicious activities closely associated with credential theft operations, including the use of privilege escalation techniques and attempts to access secure system areas.

CIS:

Control 8: Malware Defense: Ensure mechanisms are in place to detect and prevent the execution of malicious code at multiple points in the enterprise, with a focus on detecting tools like Mimikatz.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Collect, manage, and analyze audit logs to detect anomalies in system behavior, unauthorized access attempts, and other indicators of compromise.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.