The detection identifies potential use of Mimikatz modules to extract credentials from memory, indicating possible lateral movement or privilege escalation by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to credential theft activities early in the attack lifecycle.
YARA Rule
rule hacktool_windows_mimikatz_modules
{
    meta:
        description = "Mimikatz credential dump tool: Modules"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        modified = "2023-07-26"
        // note: despite the key names, these are 64-hex-character (SHA-256 length) hashes, not MD5
        md5_1 = "0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8"
        md5_2 = "0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b"
        md5_3 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        md5_4 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
        md5_5 = "0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143"
        id = "c614db69-7e55-5442-b25d-d31ba5df4ca8"
    strings:
        // module names shipped with mimikatz; matched as whole words in ASCII or UTF-16LE
        $s1 = "mimilib" fullword ascii wide
        $s2 = "mimidrv" fullword ascii wide
        $s3 = "mimilove" fullword ascii wide
        // known benign binaries that carry one of the module names
        $fp1 = "SgrmEnclave" wide
        $fp2 = "Kaspersky Lab Anti-Rootkit Monitor Driver" wide
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and /* Added by Florian Roth to avoid false positives */
        1 of ($s*) and
        not 1 of ($fp*)
}
This rule contains 5 string patterns in its detection logic.
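As an added reference example (not part of the rule or of the signature-base project), the following Python mirrors the rule's condition on a raw file buffer: the MZ header and size checks, the fullword and wide semantics of the $s strings, and the $fp exclusion. It runs against constructed sample buffers so the false-positive branch and the fullword boundary can be seen; production scanning should still use libyara or yara-python, which this code only approximates.

```python
import re

# Mirrors the rule's strings and condition (added example, not the rule's own code).
MODULE_STRINGS = [b"mimilib", b"mimidrv", b"mimilove"]          # $s1..$s3: fullword ascii wide
FP_STRINGS = [b"SgrmEnclave",
              b"Kaspersky Lab Anti-Rootkit Monitor Driver"]     # $fp1, $fp2: wide only
MAX_SIZE = 800 * 1024                                           # filesize < 800KB


def _wide(s: bytes) -> bytes:
    """YARA 'wide' modifier: the ASCII string encoded as UTF-16LE."""
    return s.decode("ascii").encode("utf-16-le")


def _fullword_ascii(data: bytes, s: bytes) -> bool:
    # 'fullword': the match must not be preceded or followed by an alphanumeric byte
    pat = rb"(?<![0-9A-Za-z])" + re.escape(s) + rb"(?![0-9A-Za-z])"
    return re.search(pat, data) is not None


def _fullword_wide(data: bytes, s: bytes) -> bool:
    # Same boundary check, but neighbours are UTF-16LE code units (alnum byte + NUL)
    pat = rb"(?<![0-9A-Za-z]\x00)" + re.escape(_wide(s)) + rb"(?![0-9A-Za-z]\x00)"
    return re.search(pat, data) is not None


def matches_mimikatz_modules(data: bytes) -> bool:
    """Evaluate hacktool_windows_mimikatz_modules against a raw buffer."""
    if data[:2] != b"MZ" or len(data) >= MAX_SIZE:           # uint16(0) == 0x5a4d and filesize < 800KB
        return False
    hit = any(_fullword_ascii(data, s) or _fullword_wide(data, s) for s in MODULE_STRINGS)
    fp = any(_wide(s) in data for s in FP_STRINGS)           # $fp strings are wide, not fullword
    return hit and not fp                                    # 1 of ($s*) and not 1 of ($fp*)


def _pe_like(payload: bytes) -> bytes:
    """Constructed stand-in for a PE image: MZ magic, padding, payload, padding."""
    return b"MZ" + b"\x00" * 62 + payload + b"\x00" * 16


# Constructed sample buffers, not real files.
SAMPLE_HIT_ASCII = _pe_like(b"loading mimilib module")
SAMPLE_HIT_WIDE = _pe_like(_wide(b"Driver mimidrv"))
SAMPLE_FP_EXCLUDED = _pe_like(b"mimilib\x00" + _wide(b"SgrmEnclave"))   # hit, but $fp1 suppresses it
SAMPLE_NOT_FULLWORD = _pe_like(b"mimilibrary")                          # 'mimilib' followed by 'r'
SAMPLE_NOT_PE = b"PK\x03\x04" + b"mimilib"                              # no MZ header
SAMPLE_TOO_BIG = _pe_like(b"mimilib" + b"\x00" * MAX_SIZE)              # over the size bound

if __name__ == "__main__":
    for name in ("SAMPLE_HIT_ASCII", "SAMPLE_HIT_WIDE", "SAMPLE_FP_EXCLUDED",
                 "SAMPLE_NOT_FULLWORD", "SAMPLE_NOT_PE", "SAMPLE_TOO_BIG"):
        print(name, matches_mimikatz_modules(globals()[name]))
```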
Scenario: Scheduled Credential Backup Job
Description: A legitimate scheduled job runs a script to back up credentials for audit purposes using tools like vault or aws-cli.
Filter/Exclusion: Exclude processes associated with known backup tools (e.g., vault, aws-cli, backup.exe) or filter by user account used for scheduled tasks (e.g., backup_svc).
Scenario: Admin Task – Credential Synchronization
Description: An administrator is using PowerShell or dsquery to synchronize credentials between domains or systems as part of routine maintenance.
Filter/Exclusion: Exclude processes initiated by admin accounts (e.g., Administrator, Domain Admins) or filter by command-line arguments containing synchronize, sync, or dsquery.
Scenario: Security Tool Integration
Description: A security tool like OSSEC or CrowdStrike is performing a credential audit or integrity check using Mimikatz as part of its detection capabilities.
Filter/Exclusion: Exclude processes with parent processes from known security tools (e.g., ossec.exe, crowdstrike.exe) or filter by specific command-line arguments indicating a security audit.
Scenario: PowerShell Script for Credential Management
Description: A PowerShell script is used to manage credentials in a secure manner (e.g., using ConvertTo-SecureString or Get-Credential) and is part of a CI/CD pipeline.
Filter/Exclusion: Exclude processes with command-line arguments containing PowerShell, ConvertTo-SecureString, or Get-Credential, or filter by user accounts associated with DevOps tools (e.g., jenkins, ci_user).
Scenario: System Maintenance with PsExec
Description: An admin is using PsExec to run a