MimiKatz
Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Indicators of Compromise (13)

Type      Value
Filename  MyAppDomainManager.dll
Filename  PerfWatson2.exe
Filename  chrome_setup.zip
SHA-256   00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c
SHA-256   4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384
SHA-256   9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472
SHA-256   cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3
SHA-256   dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b
SHA-256   f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1
IP        139.180.134.221
IP        202.182.102.5
IP        45.32.113.172
IP        45.76.210.43
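The indicator set above is only useful once it is matched against telemetry. The following is an added example, not part of the original entry: it loads the page's filenames, SHA-256 hashes and IP addresses into lookup sets and sweeps a handful of constructed endpoint/proxy log lines for them. Hashes are normalised to lowercase before comparison (EDR products differ in case), filenames are compared case-insensitively, and the log format and field names are assumptions for the sake of the demonstration.

```python
import re

# Indicators copied from the page's IoC table.
IOC_FILENAMES = {"myappdomainmanager.dll", "perfwatson2.exe", "chrome_setup.zip"}
IOC_SHA256 = {
    "00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c",
    "4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384",
    "9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472",
    "cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3",
    "dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b",
    "f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1",
}
IOC_IPS = {"139.180.134.221", "202.182.102.5", "45.32.113.172", "45.76.210.43"}

# Extractors for the three indicator types; the log layout is free-form so we
# pull candidates out of the whole line rather than relying on field names.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Last path component ending in one of the extensions seen in the IoC table.
FILENAME_RE = re.compile(r"[^\\/\s\"']+\.(?:dll|exe|zip)\b", re.IGNORECASE)


def match_line(line):
    """Return a list of (ioc_type, value) hits found in one log line."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in IOC_SHA256:          # case-normalised hash lookup
            hits.append(("sha256", h.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for name in FILENAME_RE.findall(line):
        if name.lower() in IOC_FILENAMES:    # case-insensitive filename lookup
            hits.append(("filename", name))
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample telemetry (not real logs); field names are assumptions.
SAMPLE_LOG = [
    r"2024-01-01T10:00:00Z host=WS01 event=ProcessCreate image=C:\Users\Public\PerfWatson2.exe "
    r"sha256=4E1F8888D020DECD09799EC946F1BF677CAC6612B24582DDBF4D8EDE425D8384",
    "2024-01-01T10:00:05Z host=WS01 event=NetworkConnect dst=45.76.210.43:443 proto=tcp",
    r"2024-01-01T10:00:07Z host=WS01 event=ProcessCreate image=C:\Windows\System32\svchost.exe "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "2024-01-01T10:00:09Z host=WS02 event=NetworkConnect dst=10.0.0.5:445 proto=tcp",
    r"2024-01-01T10:00:12Z host=WS02 event=FileCreate path=C:\Users\alice\Downloads\chrome_setup.zip",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: " + ", ".join(f"{t}={v}" for t, v in hits))
```

Lines 1, 2 and 5 of the sample produce hits (an uppercase hash plus a dropped filename, a C2 address, and a staged archive); the svchost.exe line and the internal SMB connection do not. Filename and IP matches are the weakest of the three indicator types and should be triaged together with the process tree or destination context before being treated as confirmed.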
MITRE ATT&CK TTPs (10)

ID         Technique                           Tactic
T1003      OS Credential Dumping               Credential Access
T1021      Remote Services                     Lateral Movement
T1055.003  Thread Execution Hijacking          Defense Evasion
T1059.001  PowerShell                          Execution
T1071.001  Web Protocols                       Command And Control
T1074      Data Staged                         Collection
T1082      System Information Discovery        Discovery
T1110      Brute Force                         Credential Access
T1212      Exploitation for Credential Access  Credential Access
T1485      Data Destruction                    Impact
YARA Detection Rules
MimiKatz_YARA_Detection
rule MimiKatz_Detection {
    meta:
        description = "Detects Mimikatz activity associated with CL-STA-1062 (UAT-7237) threat actor group"
        author = "AI Generated"
    strings:
        // Mimikatz module::command strings; any one of these is a strong signal
        $s1 = "sekurlsa::logonpasswords" nocase
        $s2 = "sekurlsa::tickets" nocase
        $s3 = "sekurlsa::wanakey" nocase
        $s4 = "sekurlsa::ntlm" nocase
        $s5 = "sekurlsa::digest" nocase
        $s6 = "privilege::debug" nocase
        $s7 = "token::elevate" nocase
        $s8 = "mimikatz" nocase
        $s9 = "$Windows.Core$" nocase
        $s10 = "Authentication Package" nocase
        // "in (section)" is not valid YARA string-modifier syntax; a plain ascii string is used instead
        $s11 = "Microsoft Visual C++" ascii
        // Generic strings below also occur in legitimate Windows binaries
        $s12 = "wdigest" nocase
        $s13 = "kerberos" nocase
        $s14 = "ssp" nocase
        $s15 = "crypto::cert" nocase
        $s16 = "ts::logonpasswords" nocase
        $s17 = "vault::list" nocase
        $s18 = "minidump" nocase
        $s19 = "lsadump::sam" nocase
        $s20 = "lsadump::secrets" nocase
        $s21 = "lsadump::cache" nocase
        $s22 = "kerberos::ptt" nocase
        $s23 = "golden" nocase
        $s24 = "silver" nocase
        $s25 = "pth" nocase
        $s26 = "OverTheRide" nocase
        $s27 = "misc::cmd" nocase
        $s28 = "standard output" nocase
        $s29 = "standard error" nocase
        $s30 = "sekurlsa::logonpasswords full" nocase
    condition:
        // PE file ("MZ") within the size bound
        uint16(0) == 0x5A4D and
        filesize < 300KB and
        (
            // a single Mimikatz command string is enough on its own
            any of ($s1, $s2, $s3, $s4, $s5, $s6, $s7, $s8, $s15, $s16, $s17, $s19, $s20, $s21, $s22, $s27, $s30) or
            // the generic strings ("kerberos", "ssp", "golden", "standard error", ...) match
            // far too many benign files individually, so require several together
            4 of ($s*)
        ) and
        // 'filename' is an external variable, not a YARA built-in: it must be supplied at
        // compile time (e.g. yara -d filename=<path> rule.yar <target>) or the rule will not compile
        not (filename matches /(^|.*[\\/])svchost\.exe$/i) and
        not (filename matches /(^|.*[\\/])lsass\.exe$/i)
}

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.