{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mimikatz/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["high"],"_cs_tags":["credential-access","mimikatz","memssp","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies the creation of the \u003ccode\u003emimilsa.log\u003c/code\u003e file, a default log generated by the Mimikatz \u003ccode\u003emisc::memssp\u003c/code\u003e module. The \u003ccode\u003emisc::memssp\u003c/code\u003e module injects a malicious Security Support Provider (SSP) into the Local Security Authority Subsystem Service (LSASS) process. This injected SSP logs credentials from subsequent logons to the compromised host, allowing attackers to capture sensitive information. The creation of this log file is a strong indicator of credential access attempts and the potential compromise of user accounts and system security. This rule is designed for data generated by Elastic Defend and also supports data from CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Mimikatz or a similar tool with the \u003ccode\u003emisc::memssp\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMimikatz injects a malicious SSP library (e.g., \u003ccode\u003emimilib.dll\u003c/code\u003e) into the LSASS process (\u003ccode\u003elsass.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected SSP hooks into the authentication process.\u003c/li\u003e\n\u003cli\u003eWhen users log on to the system, the SSP captures their credentials.\u003c/li\u003e\n\u003cli\u003eThe captured credentials are written to the \u003ccode\u003emimilsa.log\u003c/code\u003e file, typically located in \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003emimilsa.log\u003c/code\u003e file to obtain the captured credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to escalate privileges, move laterally within the network, and access sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Mimikatz MemSSP attack can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to gain unauthorized access to sensitive data, systems, and resources within the organization. Lateral movement becomes easier, potentially impacting a large number of systems. The compromised credentials can also be used for external attacks, such as gaining access to cloud services or other external resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMimikatz Memssp Log File Detected\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon file creation logging to detect the creation of \u003ccode\u003emimilsa.log\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process that created the log file and any subsequent file access.\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of \u003ccode\u003emimilib.dll\u003c/code\u003e and any LSA Security Packages registry modifications, as these may indicate persistent SSP installation.\u003c/li\u003e\n\u003cli\u003eReview and restrict interactive logons to high-value hosts to minimize the potential for credential theft.\u003c/li\u003e\n\u003cli\u003eInvestigate related alerts for the same \u003ccode\u003ehost.id\u003c/code\u003e in the last 48 hours covering delivery, privilege escalation, LSASS access, persistence, lateral movement, or additional credential access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:00:00Z","date_published":"2024-01-03T17:00:00Z","id":"/briefs/2024-01-mimikatz-memssp-log/","summary":"This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.","title":"Mimikatz MemSSP Log File Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-mimikatz-memssp-log/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","pass-the-ticket","mimikatz","rubeus"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThe creation of \u003ccode\u003e.kirbi\u003c/code\u003e files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as \u003ccode\u003e.kirbi\u003c/code\u003e files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.\u003c/li\u003e\n\u003cli\u003eThe tool extracts Kerberos tickets from memory.\u003c/li\u003e\n\u003cli\u003eThe extracted tickets are saved to a \u003ccode\u003e.kirbi\u003c/code\u003e file on the filesystem. This file is often created in a temporary or easily accessible location.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or move the \u003ccode\u003e.kirbi\u003c/code\u003e file to evade detection or prepare it for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKirbi File Creation\u003c/code\u003e to your SIEM to detect the creation of \u003ccode\u003e.kirbi\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule, focusing on the process that created the file, the location of the file, and any follow-on activity.\u003c/li\u003e\n\u003cli\u003eConsider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-kirbi-file-creation/","summary":"Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.","title":"Detects Kirbi File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["winlogbeat-*"],"_cs_severities":["critical"],"_cs_tags":["credential-access","mimikatz","powershell"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts containing Invoke-Mimikatz or Mimikatz commands, which are commonly used to extract sensitive information such as credentials, password stores, and certificates. The detection focuses on in-memory credential access, requiring thorough investigation and reconstruction of script context to assess the impact. The rule is designed to detect potential credential access attempts by identifying specific keywords and command patterns associated with Mimikatz usage within PowerShell script blocks. Defenders should prioritize investigations triggered by this rule due to the potential for significant compromise. The Elastic detection rule was last updated on 2026/04/24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a payload.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script contains obfuscated or encoded Mimikatz commands.\u003c/li\u003e\n\u003cli\u003eThe script leverages techniques to bypass AMSI (Anti-Malware Scan Interface) to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe script utilizes Invoke-Mimikatz or direct Mimikatz commands to dump credentials from memory (LSASS process).\u003c/li\u003e\n\u003cli\u003eThe attacker extracts password hashes, plaintext passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is to gain access to sensitive data or critical systems, leading to data exfiltration or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can result in the compromise of user accounts, including privileged accounts. This can lead to lateral movement within the network, access to sensitive data, and potential data exfiltration. Credential dumping via Mimikatz is a common technique used in many attacks, often leading to widespread damage and significant financial loss. The rule\u0026rsquo;s high risk score of 99 reflects the severe potential impact of this activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events (4104) for this detection, as specified in the \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to your SIEM and tune it for your environment to detect potential Mimikatz usage within PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by reconstructing the full PowerShell script block using \u003ccode\u003epowershell.file.script_block_id\u003c/code\u003e, \u003ccode\u003epowershell.sequence\u003c/code\u003e, and \u003ccode\u003epowershell.total\u003c/code\u003e as described in the rule\u0026rsquo;s notes.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events following the detection to identify potential credential dumps, archives, or exported certificates as highlighted in the rule\u0026rsquo;s notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-potential-invoke-mimikatz/","summary":"This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.","title":"Potential Invoke-Mimikatz PowerShell Script","url":"https://feed.craftedsignal.io/briefs/2024-01-02-potential-invoke-mimikatz/"}],"language":"en","title":"CraftedSignal Threat Feed — Mimikatz","version":"https://jsonfeed.org/version/1.1"}