Adversaries may use Mimikatz to dump credentials from memory, which is a common precursor to lateral movement or privilege escalation. SOC teams should proactively hunt for Mimikatz artifacts, on disk with file rules such as the one below and in endpoint telemetry ingested into Azure Sentinel, to identify and contain credential theft early.
YARA Rule
rule hacktool_windows_mimikatz_files
{
    meta:
        description = "Mimikatz credential dump tool: Files"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        md5_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        md5_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
        id = "a83b4d1e-23d1-5a58-9973-3c251c9c7c34"
    strings:
        $s1 = "kiwifilter.log" fullword wide
        $s2 = "kiwissp.log" fullword wide
        $s3 = "mimilib.dll" fullword ascii wide
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */
        any of them
}
This rule contains 3 string patterns in its detection logic: the two log file names written by Mimikatz's SSP and filter modules, matched only as UTF-16 (wide) strings ($s1, $s2), and the mimilib.dll module name, matched as ASCII or wide ($s3). It fires only on PE files (the uint16(0) == 0x5a4d check is the little-endian "MZ" DOS header) smaller than 800KB that contain any one of them, so a text file that merely mentions these names, such as a copy of this rule or an incident report, is not flagged. Note that the two hashes in the meta section are 64 hex characters long, i.e. SHA-256 digests, despite the md5_ key names. The false-positive scenarios below describe process-level activity that a file-content rule cannot observe on its own; treat them as triage context when hits are correlated with endpoint telemetry, and express exclusions as file path or hash allowlists rather than process names where possible.
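To make the condition concrete, here is an added example (my own code, not part of the original page or of the signature-base project) that re-implements the rule's logic in plain Python and runs it over constructed sample files, reporting which guard (MZ header, size cap, fullword, ascii/wide modifier) accepted or rejected each one. The sample bytes, their names and the fullword approximation are assumptions; in production you would evaluate the real rule with yara-python or the yara CLI rather than this reimplementation.

```python
"""Plain-Python re-implementation of the hacktool_windows_mimikatz_files
condition, run over constructed samples. Not a substitute for YARA; it
exists to show why each guard in the condition is there."""
import re

# Mirrors $s1..$s3 as (text, ascii modifier, wide modifier). All are fullword.
RULE_STRINGS = {
    "$s1": ("kiwifilter.log", False, True),
    "$s2": ("kiwissp.log", False, True),
    "$s3": ("mimilib.dll", True, True),
}
MAX_SIZE = 800 * 1024  # filesize < 800KB


def _fullword_pattern(text: str, wide: bool) -> re.Pattern:
    """Bytes regex approximating YARA 'fullword': the match must not be
    adjacent to an alphanumeric character. Wide strings are UTF-16LE, so
    the neighbouring character is a 2-byte unit (assumed approximation)."""
    if wide:
        body = re.escape(text.encode("utf-16-le"))
        before, after = rb"(?<![A-Za-z0-9]\x00)", rb"(?![A-Za-z0-9]\x00)"
    else:
        body = re.escape(text.encode("ascii"))
        before, after = rb"(?<![A-Za-z0-9])", rb"(?![A-Za-z0-9])"
    return re.compile(before + body + after)


def scan(data: bytes) -> dict:
    """Evaluate the rule on one in-memory file and return why it did or
    did not match, which is what an analyst wants when tuning exclusions."""
    # uint16(0) == 0x5a4d: little-endian "MZ" DOS header of a PE file
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    hits = {}
    for name, (text, is_ascii, is_wide) in RULE_STRINGS.items():
        encodings = []
        if is_ascii and _fullword_pattern(text, wide=False).search(data):
            encodings.append("ascii")
        if is_wide and _fullword_pattern(text, wide=True).search(data):
            encodings.append("wide")
        if encodings:
            hits[name] = encodings
    return {
        "matched": is_pe and size_ok and bool(hits),  # ... and any of them
        "is_pe": is_pe,
        "size_ok": size_ok,
        "strings": hits,
    }


# Constructed samples (not real binaries). A bare "MZ" stub satisfies the
# header check because the rule never parses the PE structure.
MZ_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64
SAMPLES = {
    # PE carrying the SSP module name as a UTF-16 string: matches on $s3
    "dropper_with_mimilib": MZ_STUB + "mimilib.dll".encode("utf-16-le") + b"\x00\x00",
    # Text that merely mentions the name (e.g. a rule file) fails uint16(0)
    "rule_source_text": b'rule x { strings: $s3 = "mimilib.dll" fullword ascii wide condition: any of them }',
    # Same string, but the file is over the 800KB cap
    "oversized_pe": MZ_STUB + b"\x00" * MAX_SIZE + "mimilib.dll".encode("utf-16-le"),
    # 'fullword' rejects the name embedded in a longer identifier
    "not_fullword": MZ_STUB + b"notmimilib.dll" + b"\x00",
    # $s1 is wide-only, so the ASCII spelling of the log name is not a hit
    "ascii_logname": MZ_STUB + b"kiwifilter.log" + b"\x00",
}


def scan_samples() -> dict:
    """Scan every constructed sample; returns {sample name: scan result}."""
    return {name: scan(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:22s} matched={result['matched']!s:5s} pe={result['is_pe']} "
              f"size_ok={result['size_ok']} strings={result['strings']}")
```

Only the first sample matches; the others show, in turn, the MZ gate, the size cap, fullword boundaries and the wide-only modifier each suppressing a hit that a naive substring search would have raised.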
Scenario: Scheduled Credential Backup Job
Description: A legitimate scheduled task runs a script to back up credentials for auditing or compliance purposes using tools like vaultcmd or PowerShell with Invoke-Command.
Filter/Exclusion: Exclude files or processes associated with known backup tools (e.g., vaultcmd.exe, PowerShell.exe with specific command-line arguments).
Scenario: Admin Task for Password Reset
Description: An administrator uses a script or tool like net user or PsExec to reset passwords on remote machines, which may trigger credential-related activity.
Filter/Exclusion: Exclude processes initiated by admin accounts with known password reset scripts or tools (e.g., net.exe, PsExec.exe with specific command-line arguments).
Scenario: System File Integrity Check
Description: A file integrity monitoring (FIM) tool, or Sysmon configured to log file events, may read or hash credential-related artifacts such as lsass.exe or the Security event log, and a file scan run alongside it may surface those reads as credential-access activity.
Filter/Exclusion: Exclude processes associated with integrity monitoring tools (e.g., Sysmon.exe or the FIM agent's executable) or file access events generated by scheduled integrity checks.
Scenario: Automated Patching Tool
Description: A patching tool like Windows Update or SCCM may temporarily access credential files during system updates, which could be flagged by the rule.
Filter/Exclusion: Exclude processes related to patching tools (e.g., wusa.exe, ccmexec.exe) or file access events during scheduled patch windows.
Scenario: Logon Script Execution
Description: A logon script using tools like PsExec or Pwsh may run credential-related commands during user logon, which could trigger the rule.
*Filter/