rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml

title: Mimikatz In-Memory
id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e
status: experimental
description: Detects certain DLL loads when Mimikatz gets executed
references:
    - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
tags:
    - attack.s0002
    - attack.t1003
    - attack.lateral_movement
    - attack.credential_access
    - car.2019-04-004
logsource:
    product: windows
    service: sysmon
detection:
    selector:
        EventID: 7
        Image: 'C:\Windows\System32\rundll32.exe'
    dllload1:
        ImageLoaded: '*\vaultcli.dll'
    dllload2:
        ImageLoaded: '*\wlanapi.dll'        
    exclusion:
        ImageLoaded:
            - 'ntdsapi.dll'
            - 'netapi32.dll'
            - 'imm32.dll'
            - 'samlib.dll'
            - 'combase.dll'
            - 'srvcli.dll'
            - 'shcore.dll'
            - 'ntasn1.dll'
            - 'cryptdll.dll'
            - 'logoncli.dll'
    timeframe: 30s
    condition: selector | near dllload1 and dllload2 and not exclusion
falsepositives:
    - unknown
level: medium
Massive Title Cleanup 2018-01-27 10:57:30 +01:00			`title: Mimikatz In-Memory`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e`
Renamed rule files, new rules 2017-02-10 19:17:02 +01:00			`status: experimental`
			`description: Detects certain DLL loads when Mimikatz gets executed`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/`
added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00			`tags:`
			`- attack.s0002`
atc review 2019-03-06 05:25:12 +01:00			`- attack.t1003`
added a few mitre attack tags to windows sysmon rules 2018-07-26 21:15:07 -07:00			`- attack.lateral_movement`
			`- attack.credential_access`
First Pass 2019-06-13 23:15:38 -05:00			`- car.2019-04-004`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00			`product: windows`
			`service: sysmon`
Renamed rule files, new rules 2017-02-10 19:17:02 +01:00			`detection:`
Proposed changes to mimimkatz-inmemory aggregation 2017-03-01 10:16:43 +01:00			`selector:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`EventID: 7`
			`Image: 'C:\Windows\System32\rundll32.exe'`
Proposed changes to mimimkatz-inmemory aggregation 2017-03-01 10:16:43 +01:00			`dllload1:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`ImageLoaded: '*\vaultcli.dll'`
Renamed rule files, new rules 2017-02-10 19:17:02 +01:00			`dllload2:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`ImageLoaded: '*\wlanapi.dll'`
Renamed rule files, new rules 2017-02-10 19:17:02 +01:00			`exclusion:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`ImageLoaded:`
Renamed rule files, new rules 2017-02-10 19:17:02 +01:00			`- 'ntdsapi.dll'`
			`- 'netapi32.dll'`
			`- 'imm32.dll'`
			`- 'samlib.dll'`
			`- 'combase.dll'`
			`- 'srvcli.dll'`
			`- 'shcore.dll'`
			`- 'ntasn1.dll'`
			`- 'cryptdll.dll'`
			`- 'logoncli.dll'`
Removed 'last' from timeframe 2017-08-05 00:32:24 +02:00			`timeframe: 30s`
Dropped within keyword 2017-10-30 00:25:56 +01:00			`condition: selector \| near dllload1 and dllload2 and not exclusion`
Renamed rule files, new rules 2017-02-10 19:17:02 +01:00			`falsepositives:`
			`- unknown`
Parsing of "near ... within" aggregation operator 2017-08-03 00:05:48 +02:00			`level: medium`