This detection identifies potential Mimikatz credential-dumping activity through the tool's own error-message strings, which may indicate an adversary attempting to extract credentials from memory. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage lateral movement or privilege-escalation attempts.
YARA Rule
rule hacktool_windows_mimikatz_errors
{
    meta:
        description = "Mimikatz credential dump tool: Error messages"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
        id = "5b0c12f0-b182-5c24-bde5-2bb3bc2a5a8f"
    strings:
        $s1 = "[ERROR] [LSA] Symbols" fullword ascii wide
        $s2 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii wide
        $s3 = "[ERROR] [CRYPTO] Symbols" fullword ascii wide
        $s4 = "[ERROR] [CRYPTO] Init" fullword ascii wide
    condition:
        all of them
}
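To make the rule's matching semantics concrete, the following is an added example (not code from the page, the mimikatz project, or the rule's author): a small plain-Python re-implementation of this rule that shows what `fullword`, `ascii wide` and `all of them` mean when applied to a byte buffer. The sample buffers are constructed for illustration, not real binaries, and the fullword check only considers ASCII-range alphanumerics, which is an assumed simplification of YARA's behaviour that is sufficient for these four strings.

```python
import re

# The four error strings from the rule above, keyed by their YARA identifiers.
RULE_STRINGS = {
    "$s1": "[ERROR] [LSA] Symbols",
    "$s2": "[ERROR] [CRYPTO] Acquire keys",
    "$s3": "[ERROR] [CRYPTO] Symbols",
    "$s4": "[ERROR] [CRYPTO] Init",
}


def _fullword_pattern(s: str, wide: bool) -> re.Pattern:
    """Build a regex equivalent to YARA `fullword ascii` (wide=False) or
    `fullword wide` (wide=True).

    `fullword` means the match must not be immediately preceded or followed by
    an alphanumeric character. `wide` means the string is encoded as UTF-16LE,
    so the neighbouring character is a 2-byte code unit such as b"A\\x00".
    Only ASCII-range alphanumerics are checked (assumed simplification)."""
    if wide:
        body = re.escape(s.encode("utf-16-le"))
        return re.compile(rb"(?<![0-9A-Za-z]\x00)" + body + rb"(?![0-9A-Za-z]\x00)")
    body = re.escape(s.encode("ascii"))
    return re.compile(rb"(?<![0-9A-Za-z])" + body + rb"(?![0-9A-Za-z])")


def match_strings(data: bytes) -> dict:
    """Return {identifier: [offset, ...]} for every rule string found in data.

    Each string is tried in both encodings, exactly as `ascii wide` instructs
    YARA to do, so a Unicode build and an ANSI build are both covered."""
    hits = {}
    for ident, s in RULE_STRINGS.items():
        offsets = []
        for wide in (False, True):
            offsets += [m.start() for m in _fullword_pattern(s, wide).finditer(data)]
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def rule_matches(data: bytes) -> bool:
    """`condition: all of them`: every one of the four strings must be present."""
    return len(match_strings(data)) == len(RULE_STRINGS)


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample buffers (not real files):
#  - all four strings as UTF-16LE, separated by a UTF-16 NUL, as a Unicode
#    build would carry them in its string table;
#  - all four strings as ASCII;
#  - only three of the strings, which `all of them` must reject;
#  - all four present but $s1 glued to a trailing digit, which `fullword`
#    must reject because the match is followed by an alphanumeric.
SAMPLE_ALL_WIDE = (
    b"\x00" * 16
    + b"\x00\x00".join(_wide(s) for s in RULE_STRINGS.values())
    + b"\x00" * 16
)
SAMPLE_ALL_ASCII = b"\n".join(s.encode("ascii") for s in RULE_STRINGS.values())
SAMPLE_THREE_ASCII = b"\n".join(
    s.encode("ascii") for k, s in RULE_STRINGS.items() if k != "$s4"
)
SAMPLE_EMBEDDED = b"\n".join(
    (s + ("2" if k == "$s1" else "")).encode("ascii") for k, s in RULE_STRINGS.items()
)


if __name__ == "__main__":
    for name, buf in [
        ("all_wide", SAMPLE_ALL_WIDE),
        ("all_ascii", SAMPLE_ALL_ASCII),
        ("three_ascii", SAMPLE_THREE_ASCII),
        ("embedded", SAMPLE_EMBEDDED),
    ]:
        print(f"{name:12s} matches={rule_matches(buf)} strings={sorted(match_strings(buf))}")
```

The `wide` variant matters in practice because Mimikatz is a Unicode application and its message strings are stored as UTF-16LE; a rule declared only `ascii` would miss them. The `all of them` condition is what keeps the rule specific: any single `[ERROR] ...` line is common log text, but the combination of these four LSA/CRYPTO messages is characteristic of the tool.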
This rule contains 4 string patterns in its detection logic. The scenarios below describe benign activity that may trigger it, each with a suggested filter or exclusion.
Scenario: Scheduled Credential Backup Job
Description: A legitimate scheduled job runs to back up credentials using tools such as vaultcmd or PowerShell scripts written for backup purposes.
Filter/Exclusion: Check for known backup tools or scripts in the process name or command-line arguments (e.g., vaultcmd, Backup-Credentials.ps1).

Scenario: Admin Task to Reset Passwords
Description: An administrator uses net user or PowerShell to reset user passwords, which may generate error messages similar to those produced by Mimikatz.
Filter/Exclusion: Filter by process name (cmd.exe, powershell.exe) and check for known admin tasks such as net user or Set-LocalUser.

Scenario: System Event Log Parsing Tool
Description: A log-parsing tool such as EventLogParser or LogParser is used to analyze system logs and may trigger the rule because of error messages contained in the logs.
Filter/Exclusion: Exclude processes related to log-parsing tools or filter by process name (logparser.exe, eventlogparser.exe).

Scenario: Security Software Credential Audit
Description: Security tools such as CrowdStrike Falcon or Microsoft Defender for Identity perform credential audits and may generate similar error messages during normal operation.
Filter/Exclusion: Check for known security-tool process names, or use an allow-list of permitted tools in the detection logic.

Scenario: User-Initiated Credential Reconciliation
Description: A user manually reconciles credentials using tools such as LAPS (Local Administrator Password Solution) or Microsoft Password Replication Policy tools.
Filter/Exclusion: Filter by user context (e.g., NT AUTHORITY\SYSTEM or specific user accounts) or check for known reconciliation tools in the command line.
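The following is an added example (not part of the page) of how the filters and exclusions from the scenarios above can be applied to rule hits before they are raised as alerts. The hit record fields, the allow-lists and the sample hits are all constructed assumptions for illustration; in a real deployment the lists come from environment-specific configuration. The design choice worth noting is that suppressed hits are returned alongside the alerts rather than discarded, because every exclusion here keys on fields (process name, command line, user context) that are not trustworthy on their own, so suppressed matches should still be retained for audit and periodic review.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class YaraHit:
    """One rule match as it might arrive from an endpoint scanner (assumed schema)."""
    rule: str
    process: str        # image name of the process whose file/memory matched
    command_line: str
    user: str


# Assumed allow-lists derived from the scenarios above. In practice these would
# be loaded from configuration and scoped to specific hosts or signed binaries.
ALLOWED_PROCESSES = {"vaultcmd.exe", "logparser.exe", "eventlogparser.exe"}
ADMIN_SHELLS = {"cmd.exe", "powershell.exe"}
ADMIN_TASK_MARKERS = ("backup-credentials.ps1", "net user", "set-localuser")
ALLOWED_USERS = {r"NT AUTHORITY\SYSTEM"}

RULE_NAME = "hacktool_windows_mimikatz_errors"


def exclusion_reason(hit: YaraHit) -> Optional[str]:
    """Return the name of the exclusion that applies, or None if the hit should alert.

    Exclusions are scoped to this rule only so that tuning for Mimikatz error
    strings does not silently suppress hits from unrelated rules."""
    if hit.rule != RULE_NAME:
        return None
    proc = hit.process.lower()
    cmd = hit.command_line.lower()
    if proc in ALLOWED_PROCESSES:
        return "allowed_process"
    if proc in ADMIN_SHELLS and any(marker in cmd for marker in ADMIN_TASK_MARKERS):
        return "known_admin_task"
    if hit.user in ALLOWED_USERS:
        return "allowed_user_context"
    return None


def triage(hits: List[YaraHit]) -> Tuple[List[YaraHit], List[Tuple[YaraHit, str]]]:
    """Split hits into (alerts, suppressed). Suppressed hits keep their reason
    so they can be logged and reviewed rather than dropped."""
    alerts, suppressed = [], []
    for hit in hits:
        reason = exclusion_reason(hit)
        if reason is None:
            alerts.append(hit)
        else:
            suppressed.append((hit, reason))
    return alerts, suppressed


# Constructed sample hits (not real telemetry).
SAMPLE_HITS = [
    YaraHit(RULE_NAME, "updater_helper.exe", r"C:\Temp\updater_helper.exe", r"CORP\jdoe"),
    YaraHit(RULE_NAME, "vaultcmd.exe", "vaultcmd /list", r"CORP\backup-svc"),
    YaraHit(RULE_NAME, "powershell.exe",
            r"powershell.exe -File C:\Scripts\Backup-Credentials.ps1", r"CORP\admin1"),
    YaraHit(RULE_NAME, "laps_reconcile.exe", "laps_reconcile.exe --sync", r"NT AUTHORITY\SYSTEM"),
    # A hit from a different rule on an allow-listed process must still alert.
    YaraHit("some_other_rule", "vaultcmd.exe", "vaultcmd /list", r"CORP\backup-svc"),
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_HITS)
    for h in alerts:
        print(f"ALERT      {h.rule:34s} {h.process:20s} {h.user}")
    for h, reason in suppressed:
        print(f"SUPPRESSED {h.rule:34s} {h.process:20s} {h.user}  ({reason})")
```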