The hypothesis is that detecting the Mimikatz credential dump tool by its embedded author "copywrite" strings (the rule's own wording) may indicate an adversary attempting to exfiltrate credentials from a compromised system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or privilege escalation attempts early.
YARA Rule

rule hacktool_windows_mimikatz_copywrite
{
    meta:
        description = "Mimikatz credential dump tool: Author copywrite"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
        md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
        md5_3 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
        md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
        md5_5 = "09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca"
        md5_6 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        id = "6fe945de-6458-57ee-8a59-54ea85e56c91"
    strings:
        $s1 = "Kiwi en C" fullword ascii wide
        $s2 = "Benjamin DELPY `gentilkiwi`" fullword ascii wide
        $s3 = "http://blog.gentilkiwi.com/mimikatz" fullword ascii wide
        $s4 = "Build with love for POC only" fullword ascii wide
        $s5 = "gentilkiwi (Benjamin DELPY)" fullword wide
        $s6 = "KiwiSSP" fullword wide
        $s7 = "Kiwi Security Support Provider" fullword wide
        $s8 = "kiwi flavor !" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
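To make the condition concrete, the following added Python example (not part of the original page, the rule author's tooling, or YARA itself) re-implements the rule's logic over constructed byte samples: the MZ header check, the 800KB size limit, and fullword matching of the eight strings in their ascii and UTF-16LE (wide) forms, so the difference between a wide-only string and an ascii occurrence, and what "fullword" rejects, can be seen directly.

```python
import struct
# Strings and modifiers copied from the rule above; the matching logic is an
# added illustration of the condition, not YARA's own engine.
RULE_STRINGS = {
    "$s1": ("Kiwi en C", ("ascii", "wide")),
    "$s2": ("Benjamin DELPY `gentilkiwi`", ("ascii", "wide")),
    "$s3": ("http://blog.gentilkiwi.com/mimikatz", ("ascii", "wide")),
    "$s4": ("Build with love for POC only", ("ascii", "wide")),
    "$s5": ("gentilkiwi (Benjamin DELPY)", ("wide",)),
    "$s6": ("KiwiSSP", ("wide",)),
    "$s7": ("Kiwi Security Support Provider", ("wide",)),
    "$s8": ("kiwi flavor !", ("wide",)),
}
MAX_SIZE = 800 * 1024  # "filesize < 800KB"; YARA's KB is 1024 bytes

def _alnum_char(chunk: bytes, wide: bool) -> bool:
    """True if chunk is one alphanumeric char (wide = ASCII char + NUL byte)."""
    if len(chunk) != (2 if wide else 1):
        return False
    return chunk[:1].isalnum() and (not wide or chunk[1] == 0)

def _fullword_hits(data: bytes, needle: bytes, wide: bool) -> list:
    """Offsets of needle not glued to an alphanumeric char on either side."""
    step, hits, pos = (2 if wide else 1), [], 0
    while (i := data.find(needle, pos)) >= 0:
        end = i + len(needle)
        before = data[i - step:i] if i >= step else b""
        if not _alnum_char(before, wide) and not _alnum_char(data[end:end + step], wide):
            hits.append(i)
        pos = i + 1
    return hits

def scan(data: bytes) -> dict:
    """Evaluate the condition: MZ header, size limit, then 'any of them'."""
    is_pe = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x5A4D
    if not is_pe or len(data) >= MAX_SIZE:
        return {"match": False, "strings": []}
    found = []
    for name, (text, mods) in RULE_STRINGS.items():
        for mod in mods:  # an ascii-only buffer never satisfies a wide-only string
            needle = text.encode("ascii" if mod == "ascii" else "utf-16-le")
            if _fullword_hits(data, needle, wide=(mod == "wide")):
                found.append(name)
                break
    return {"match": bool(found), "strings": found}

# Constructed samples (not real binaries): an MZ stub carrying a wide
# "KiwiSSP", the same marker glued to letters, and a plain shell script.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + "KiwiSSP".encode("utf-16-le") + b"\x00\x00"
SAMPLE_GLUED = b"MZ\x00" + "xKiwiSSPx".encode("utf-16-le")
SAMPLE_NOT_PE = b"#!/bin/sh\necho Kiwi en C\n"
```

Because $s5 to $s8 are wide-only, an ASCII "KiwiSSP" in a file does not fire the rule, which is why the false-positive scenarios below matter mainly for files that actually embed these exact strings in a PE image.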
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that includes the string “Author copywrite” as part of a comment or documentation.
Filter/Exclusion: Exclude processes associated with known system maintenance tasks (e.g., Task Scheduler or schtasks.exe), or filter by process name and command line arguments.
Scenario: Admin Script for Credential Management
Description: An administrator uses a custom script or tool (e.g., PowerShell or Python) that includes the string “Author copywrite” in a comment or license notice.
Filter/Exclusion: Exclude processes initiated by admin accounts with known credential management tools (e.g., PowerShell.exe with runas or sudo), or filter by user context.
Scenario: Log File Parsing or Monitoring Tool
Description: A log parsing tool (e.g., Splunk, ELK Stack, or Graylog) includes the string “Author copywrite” in its configuration or log output.
Filter/Exclusion: Exclude processes related to log management tools (e.g., splunkd.exe, logstash, or graylog-server), or filter by process name and command line arguments.
Scenario: Software License Compliance Check
Description: A compliance tool (e.g., LicenseChecker, Software Asset Management (SAM) tool) includes the string “Author copywrite” in its output or logs.
Filter/Exclusion: Exclude processes related to license compliance tools (e.g., licensechecker.exe, samtool.exe), or filter by process name and user context.
Scenario: Third-Party Tool with Embedded Copyright Notice
Description: A third-party tool (e.g., Wireshark, Nmap, or `Metasp