Tag

Mimikatz

4 briefs RSS

Mimikatz MemSSP Log File Detection

This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.

Elastic Defend +3 credential-access mimikatz memssp windows

2r 1t 1i Jan 3, 2024

high advisory

Mimikatz MemSSP Log File Detection

2 rules 1 TTP 1 IOC

Detects the creation of 'mimilsa.log', the default log file created by the Mimikatz MemSSP module after injecting a malicious Security Support Provider into LSASS, potentially exposing credentials from subsequent logons on the host.

Microsoft Defender XDR +4 credential-access mimikatz lsass windows

2r 1t 1i Jan 3, 2024

high advisory

Detects Kirbi File Creation

2 rules 1 TTP

Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.

Microsoft Defender XDR +2 credential-access kerberos pass-the-ticket mimikatz rubeus

2r 1t Jan 3, 2024

critical advisory

Potential Invoke-Mimikatz PowerShell Script

2 rules 1 TTP

This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.

winlogbeat-* credential-access mimikatz powershell

2r 1t Jan 2, 2024