MimiKatz

Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. Benjamin Delpy continues to lead Mimikatz development, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges; in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.

Indicators of Compromise (13)

MITRE ATT&CK TTPs (10)

YARA Detection Rules

MimiKatz_YARA_Detection

// `filename` is not a YARA built-in. It is an external variable that the scanner must supply,
// e.g. `yara -d filename=<path> rule.yar <file>` or `externals={"filename": ...}` in yara-python.
// If your scanner does not provide it, drop the two `filename` clauses from the condition,
// otherwise the rule will not compile.
rule MimiKatz_Detection {
    meta:
        description = "Detects Mimikatz activity associated with CL-STA-1062 (UAT-7237) threat actor group"
        author = "AI Generated"

    strings:
        // Mimikatz module::command strings
        $s1 = "sekurlsa::logonpasswords" nocase
        $s2 = "sekurlsa::tickets" nocase
        $s3 = "sekurlsa::wanakey" nocase
        $s4 = "sekurlsa::ntlm" nocase
        $s5 = "sekurlsa::digest" nocase
        $s6 = "privilege::debug" nocase
        $s7 = "token::elevate" nocase
        $s8 = "mimikatz" nocase
        $s9 = "$Windows.Core$" nocase
        $s10 = "Authentication Package" nocase
        // Compiler banner. The original `in (section)` qualifier is not valid YARA syntax and was removed.
        $s11 = "Microsoft Visual C++" ascii
        // The following short, generic tokens ("wdigest", "kerberos", "ssp", "minidump", "golden",
        // "silver", "pth", "standard output", "standard error") occur in many benign PE files.
        $s12 = "wdigest" nocase
        $s13 = "kerberos" nocase
        $s14 = "ssp" nocase
        $s15 = "crypto::cert" nocase
        $s16 = "ts::logonpasswords" nocase
        $s17 = "vault::list" nocase
        $s18 = "minidump" nocase
        $s19 = "lsadump::sam" nocase
        $s20 = "lsadump::secrets" nocase
        $s21 = "lsadump::cache" nocase
        $s22 = "kerberos::ptt" nocase
        $s23 = "golden" nocase
        $s24 = "silver" nocase
        $s25 = "pth" nocase
        $s26 = "OverTheRide" nocase
        $s27 = "misc::cmd" nocase
        $s28 = "standard output" nocase
        $s29 = "standard error" nocase
        $s30 = "sekurlsa::logonpasswords full" nocase

    condition:
        uint16(0) == 0x5A4D and                                 // MZ header: PE files only
        filesize < 300KB and
        any of ($s*) and                                        // a single hit fires; with the generic strings above this is noisy
        not (filename matches /(^|.*[\\/])svchost\.exe$/i) and  // path exclusions via the external `filename` variable
        not (filename matches /(^|.*[\\/])lsass\.exe$/i)
}

Rules are AI-generated and unvalidated. Test in a safe environment before production use.

Source Articles