Adversaries may use Mimikatz to extract credentials and generate Kerberos tickets (kirbi files) to maintain persistence and move laterally within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft and privilege escalation attempts early.
Detection Rule

```yaml
title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
      type: obsolete
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
    - https://cobalt.io/blog/kerberoast-attack-techniques
    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021-11-08
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.kirbi' # Kerberos tickets
            - 'mimilsa.log' # MemSSP default file
    condition: selection
falsepositives:
    - Unlikely
level: critical
```

KQL equivalent for Azure Sentinel:

```kql
imFileEvent
| where TargetFileName endswith ".kirbi" or TargetFileName endswith "mimilsa.log"
```
False Positive Scenarios

Scenario: Scheduled Job for Credential Harvesting (Legitimate Use)
Description: A scheduled job is configured to run Mimikatz for credential harvesting as part of a security assessment or penetration test.
Filter/Exclusion: Exclude files created by Mimikatz when executed from a known security testing tool or script (e.g., C:\Tools\SecurityTesting\mimikatz.exe).

Scenario: Admin Task for Kerberos Ticket Manipulation
Description: An administrator is using Mimikatz to generate Kerberos tickets for legitimate access control or troubleshooting purposes.
Filter/Exclusion: Exclude files created by Mimikatz when executed from a known administrative tool or script (e.g., C:\Windows\System32\mimikatz.exe or C:\Windows\System32\kerberos.exe).

Scenario: File Creation by a Known Security Tool (e.g., Mimikatz in a Lab Environment)
Description: Mimikatz is being used in a controlled lab or test environment to simulate Kerberos ticket creation.
Filter/Exclusion: Exclude files created in a known test directory (e.g., C:\TestEnvironments\KerberosTest\).

Scenario: File Creation by a Legitimate Kerberos Ticket Utility
Description: A legitimate Kerberos ticket utility (e.g., klist, kinit) is generating files as part of normal Kerberos operations.
Filter/Exclusion: Exclude files created by known Kerberos utilities (e.g., C:\Windows\System32\klist.exe or C:\Windows\System32\kinit.exe).

Scenario: File Creation by a Third-Party Security Tool
Description: A third-party security tool or SIEM integration is using Mimikatz to generate Kerberos tickets for monitoring or analysis.
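The following Python snippet is an added example (not part of the Sigma rule or the Sentinel query above) that evaluates the rule's `TargetFilename|endswith` selection over a handful of constructed file-event records and then applies the kind of path-based exclusion the scenarios above describe. Field names follow the KQL query (`TargetFileName`, plus an assumed `Image` column for the creating process); the sample records and the excluded directory are constructed for illustration only.

```python
# Sigma and KQL "endswith" matching is case-insensitive, so paths are lowercased.
SUFFIXES = (".kirbi", "mimilsa.log")  # straight from the rule's selection

# Constructed file-event records (not real telemetry) to exercise the rule.
SAMPLE_FILE_EVENTS = [
    {"TargetFileName": "C:\\Users\\alice\\AppData\\Local\\Temp\\ticket.kirbi",
     "Image": "C:\\Users\\alice\\Downloads\\update.exe"},
    {"TargetFileName": "C:\\Windows\\System32\\mimilsa.log",
     "Image": "C:\\Windows\\System32\\lsass.exe"},
    {"TargetFileName": "C:\\TestEnvironments\\KerberosTest\\admin.KIRBI",
     "Image": "C:\\Tools\\SecurityTesting\\mimikatz.exe"},
    {"TargetFileName": "C:\\Users\\bob\\Documents\\report.docx",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
]


def matches_selection(event):
    """True when the rule's selection fires: the written file name ends
    with any of the listed suffixes (case-insensitive, like Sigma/KQL)."""
    name = event.get("TargetFileName", "").lower()
    return name.endswith(SUFFIXES)


def is_excluded(event, excluded_dirs):
    """Exclusion modelled on the 'known test directory' scenario: suppress
    hits whose path starts with an allow-listed directory prefix."""
    name = event.get("TargetFileName", "").lower()
    return any(name.startswith(d.lower()) for d in excluded_dirs)


def run_rule(events, excluded_dirs=()):
    """Return the events that match the selection and are not excluded,
    in the order they were seen (what an analyst would triage)."""
    return [e for e in events
            if matches_selection(e) and not is_excluded(e, excluded_dirs)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_FILE_EVENTS,
                        excluded_dirs=("C:\\TestEnvironments\\KerberosTest\\",)):
        print("ALERT (critical):", hit["TargetFileName"], "by", hit["Image"])
```

Note that an exclusion keyed only on a directory or image path is trivial for an attacker to satisfy, so such allow-lists should be as narrow as possible and reviewed alongside the process-creation telemetry for the writing process.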