Mimikatz MemSSP Log File Detection

This detection identifies the creation of the mimilsa.log file, a default log generated by the Mimikatz misc::memssp module. The misc::memssp module injects a malicious Security Support Provider (SSP) into the Local Security Authority Subsystem Service (LSASS) process. This injected SSP logs credentials from subsequent logons to the compromised host, allowing attackers to capture sensitive information. The creation of this log file is a strong indicator of credential access attempts and the potential compromise of user accounts and system security. This rule is designed for data generated by Elastic Defend and also supports data from CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel.

Attack Chain

1. An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
2. The attacker executes Mimikatz or a similar tool with the misc::memssp module.
3. Mimikatz injects a malicious SSP library (e.g., mimilib.dll) into the LSASS process (lsass.exe).
4. The injected SSP hooks into the authentication process.
5. When users log on to the system, the SSP captures their credentials.
6. The captured credentials are written to the mimilsa.log file, typically located in C:\Windows\System32\.
7. The attacker retrieves the mimilsa.log file to obtain the captured credentials.
8. The attacker uses the stolen credentials to escalate privileges, move laterally within the network, and access sensitive resources.

Impact

A successful Mimikatz MemSSP attack can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to gain unauthorized access to sensitive data, systems, and resources within the organization. Lateral movement becomes easier, potentially impacting a large number of systems. The compromised credentials can also be used for external attacks, such as gaining access to cloud services or other external resources.

Recommendation

• Deploy the Sigma rule Mimikatz Memssp Log File Detected to your SIEM and tune for your environment.
• Enable Sysmon file creation logging to detect the creation of mimilsa.log files.
• Investigate any alerts generated by the Sigma rule, focusing on the process that created the log file and any subsequent file access.
• Monitor for the presence of mimilib.dll and any LSA Security Packages registry modifications, as these may indicate persistent SSP installation.
• Review and restrict interactive logons to high-value hosts to minimize the potential for credential theft.
• Investigate related alerts for the same host.id in the last 48 hours covering delivery, privilege escalation, LSASS access, persistence, lateral movement, or additional credential access.