sigma-rules/rules/windows/credential_access_mimikatz_powershell_module.toml

[metadata]
creation_date = "2020/12/07"
maturity = "development"
updated_date = "2021/09/09"

[rule]
author = ["Elastic"]
description = """
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many
other features that make it useful for testing the security of networks. This rule detects the Invoke-Mimikatz
PowerShell command.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Mimikatz Powershell Module Activity"
note = """## Triage and analysis

### Investigating Mimikatz PowerShell Activity

[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached
credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained
an initial foothold onto an endpoint and are looking to elevate privileges and seek out additional authentication objects
such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.

#### Possible investigation steps:
- This specific rule is based on Mimikatz command-line parameters used to dump credentials from the Local Security
Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it
typically represents an active adversary.
- Any kind of available host-based events or logs such as Windows Security Events, PowerShell logging and EDR events should
be used to seek further understanding around the events that led up to the rule as well as activity found shortly after the event.
- Further examination should include reviewing network logs to determine potential lateral movement.
- Validate that the source of the Mimikatz activity was not from an authorized source such as automated testing such as
Atomic Red Team or through offensive/compromise assessments.

### False Positive Analysis
- This rule should be on the higher confidence side of true positive activity therefore any testing such as offensive
/compromise engagements should be ruled out before invoking incident response procedures

### Related Rules
- Mimikatz Memssp Log File Detected
- Creation or Modification of Domain Backup DPAPI private key
- Modification of WDigest Security Provider

### Response and Remediation
- Immediate response should be taken to review, investigate and potentially isolate activity to prevent further post-compromise
behavior
- During credential dump compromises, investigate the registry in order to check the number of cached users that have
used the machine. These users should have their password reset.
- Validate that cleartext passwords are disabled in memory for use with `WDigest`.
- Look into preventing access to `LSASS` using capabilities such as LSA protection or leveraging AV/EDR tools that provide
this capability.
- This [resource](https://adsecurity.org/?page_id=1821) provided by ADSecurity should be used as required reading for
detecting/preventing and understanding the different Mimikatz components.
"""
references = ["https://attack.mitre.org/software/S0002/"]
risk_score = 99
rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46"
severity = "critical"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")
and process.args : ("*DumpCreds", "*Mimikatz*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"