{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/winlogbeat-/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["winlogbeat-*"],"_cs_severities":["critical"],"_cs_tags":["credential-access","mimikatz","powershell"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts containing Invoke-Mimikatz or Mimikatz commands, which are commonly used to extract sensitive information such as credentials, password stores, and certificates. The detection focuses on in-memory credential access, requiring thorough investigation and reconstruction of script context to assess the impact. The rule is designed to detect potential credential access attempts by identifying specific keywords and command patterns associated with Mimikatz usage within PowerShell script blocks. Defenders should prioritize investigations triggered by this rule due to the potential for significant compromise. The Elastic detection rule was last updated on 2026/04/24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a payload.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains obfuscated or encoded Mimikatz commands.\u003c/li\u003e\n\u003cli\u003eThe script leverages techniques to bypass AMSI (Anti-Malware Scan Interface) to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe script utilizes Invoke-Mimikatz or direct Mimikatz commands to dump credentials from memory (LSASS process).\u003c/li\u003e\n\u003cli\u003eThe attacker extracts password hashes, plaintext passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain access to sensitive data or critical systems, leading to data exfiltration or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can result in the compromise of user accounts, including privileged accounts. This can lead to lateral movement within the network, access to sensitive data, and potential data exfiltration. Credential dumping via Mimikatz is a common technique used in many attacks, often leading to widespread damage and significant financial loss. The rule\u0026rsquo;s high risk score of 99 reflects the severe potential impact of this activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events (4104) for this detection, as specified in the \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to your SIEM and tune it for your environment to detect potential Mimikatz usage within PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by reconstructing the full PowerShell script block using \u003ccode\u003epowershell.file.script_block_id\u003c/code\u003e, \u003ccode\u003epowershell.sequence\u003c/code\u003e, and \u003ccode\u003epowershell.total\u003c/code\u003e as described in the rule\u0026rsquo;s notes.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events following the detection to identify potential credential dumps, archives, or exported certificates as highlighted in the rule\u0026rsquo;s notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-potential-invoke-mimikatz/","summary":"This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.","title":"Potential Invoke-Mimikatz PowerShell Script","url":"https://feed.craftedsignal.io/briefs/2024-01-02-potential-invoke-mimikatz/"}],"language":"en","title":"CraftedSignal Threat Feed — Winlogbeat-*","version":"https://jsonfeed.org/version/1.1"}