Adversaries may use Mimikatz to extract credentials from memory, indicating potential lateral movement or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate credential theft attempts early in the attack lifecycle.
YARA Rule
rule hacktool_windows_mimikatz_sekurlsa
{
    meta:
        description = "Mimikatz credential dump tool"
        reference = "https://github.com/gentilkiwi/mimikatz"
        author = "@fusionrace"
        SHA256_1 = "09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669"
        SHA256_2 = "004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c"
        id = "a7eb069a-1f6f-5e54-9f34-83aa65fa345e"
    strings:
        $s1 = "dpapisrv!g_MasterKeyCacheList" fullword ascii wide
        $s2 = "lsasrv!g_MasterKeyCacheList" fullword ascii wide
        $s3 = "!SspCredentialList" ascii wide
        $s4 = "livessp!LiveGlobalLogonSessionList" fullword ascii wide
        $s5 = "wdigest!l_LogSessList" fullword ascii wide
        $s6 = "tspkg!TSGlobalCredTable" fullword ascii wide
    condition:
        all of them
}
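To make the rule's modifiers concrete, here is an added example (not from the page or the rule's author) that re-implements what "ascii", "wide", "fullword" and "all of them" mean and runs that logic over constructed sample buffers. It approximates the YARA engine's string-matching semantics for illustration; in production the rule is compiled and run by YARA itself. The sample buffers, the "foo" module prefix and the string offsets are constructed for this example.

```python
import re

# (pattern, fullword?) copied from the rule above; every string has both the
# ascii and the wide (UTF-16LE) modifier, so each is searched in both encodings.
RULE_STRINGS = [
    ("dpapisrv!g_MasterKeyCacheList", True),
    ("lsasrv!g_MasterKeyCacheList", True),
    ("!SspCredentialList", False),          # $s3 has no fullword modifier
    ("livessp!LiveGlobalLogonSessionList", True),
    ("wdigest!l_LogSessList", True),
    ("tspkg!TSGlobalCredTable", True),
]

_ALNUM = re.compile(rb"[A-Za-z0-9]")


def _alnum_char(chunk: bytes, wide: bool) -> bool:
    """True if `chunk` is one alphanumeric character in the given encoding.
    A wide character is an alphanumeric byte followed by 0x00 (UTF-16LE)."""
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and bool(_ALNUM.fullmatch(chunk[:1]))
    return len(chunk) == 1 and bool(_ALNUM.fullmatch(chunk))


def _fullword_ok(data: bytes, start: int, end: int, wide: bool) -> bool:
    """Approximation of YARA 'fullword': no alphanumeric character directly
    before or after the match (buffer boundaries count as word boundaries)."""
    step = 2 if wide else 1
    before = data[start - step:start] if start - step >= 0 else b""
    after = data[end:end + step]
    return not _alnum_char(before, wide) and not _alnum_char(after, wide)


def find_string(data: bytes, text: str, fullword: bool):
    """Return [(offset, 'ascii'|'wide'), ...] for every hit of one rule string."""
    hits = []
    for wide, needle in ((False, text.encode("ascii")), (True, text.encode("utf-16-le"))):
        pos = data.find(needle)
        while pos != -1:
            if not fullword or _fullword_ok(data, pos, pos + len(needle), wide):
                hits.append((pos, "wide" if wide else "ascii"))
            pos = data.find(needle, pos + 1)
    return hits


def evaluate_rule(data: bytes) -> dict:
    """Condition 'all of them': every rule string needs at least one hit."""
    matches = {text: find_string(data, text, fw) for text, fw in RULE_STRINGS}
    return {"matched": all(matches.values()), "strings": matches}


# Constructed sample: all six strings present, two of them wide, separated by
# two null bytes so neither encoding sees an alphanumeric neighbour.
SEP = b"\x00\x00"
SAMPLE_HIT = SEP.join([
    b"dpapisrv!g_MasterKeyCacheList",
    "lsasrv!g_MasterKeyCacheList".encode("utf-16-le"),
    b"foo!SspCredentialList",                      # prefix allowed: $s3 is not fullword
    b"livessp!LiveGlobalLogonSessionList",
    "wdigest!l_LogSessList".encode("utf-16-le"),
    b"tspkg!TSGlobalCredTable",
]) + SEP

# Constructed sample with one string missing: 'all of them' must fail.
SAMPLE_MISS = SAMPLE_HIT.replace(b"tspkg!TSGlobalCredTable", b"tspkg!SomethingElse")

if __name__ == "__main__":
    for name, buf in (("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_MISS", SAMPLE_MISS)):
        result = evaluate_rule(buf)
        print(name, "matched:", result["matched"])
        for text, hits in result["strings"].items():
            print("   ", text, hits)
```

Two details worth noticing when tuning such rules: `fullword` only treats alphanumerics as word characters, so `wdigest!l_LogSessList_x` still matches while `Xwdigest!l_LogSessListY` does not; and because `$s3` lacks `fullword`, any identifier ending in `!SspCredentialList` satisfies it.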
This rule contains 6 string patterns in its detection logic, and its condition fires only when all of them are present. The scenarios below describe legitimate contexts in which the rule may still fire, each with a filter or exclusion to reduce false positives:
Scenario: Scheduled system maintenance using Mimikatz for credential verification
Filter/Exclusion: Check the execution context (CommandLine or ProcessName) containing "mimikatz.exe" against a known maintenance script or a scheduled task running under a specific user context (e.g., System or LocalSystem).

Scenario: Admin task to audit credentials using Mimikatz for a security assessment
Filter/Exclusion: Filter events where the process is started by a known security tool or during a security audit, such as when mimikatz.exe is run by a user holding the SecurityAdmin or AuditAdmin role.

Scenario: Automated credential rotation tool that uses Mimikatz for validation
Filter/Exclusion: Exclude processes whose command line includes parameters such as /ptt or /in used for credential injection, and filter by known automation tools (e.g., PowerShell (powershell.exe) or Credential Manager).

Scenario: Mimikatz used in a penetration test or red team exercise
Filter/Exclusion: Filter events where the process is started from a known test environment, such as a virtual machine or lab setup, and exclude processes whose source IP addresses or user accounts are associated with red team activity.

Scenario: Mimikatz used as a legitimate credential-harvesting component of enterprise security tools
Filter/Exclusion: Exclude processes whose command line includes parameters such as /dump or /pass used for credential extraction, and filter by known enterprise security tools (e.g., Microsoft Defender for Identity, CrowdStrike, or Microsoft Advanced Threat Analytics).
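As an added example (not part of the page, and not a Sentinel query), the following Python triage pass applies the first and fourth scenarios above to constructed process-creation events: a maintenance exclusion keyed on host, scheduled-task name and user context together, and a lab-host exclusion. The record fields (host, user, image, cmdline, task), the allow-list entries and the sample events are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Names the page itself uses; matched case-insensitively against image + command line.
MIMIKATZ_TOKENS = ("mimikatz", "sekurlsa")

# Constructed allow-lists. The maintenance exclusion is a (host, task, user) triple
# so that a matching task name alone does not suppress an alert.
APPROVED_MAINTENANCE = {("srv-01", "CredCheck-Weekly", "SYSTEM")}
LAB_HOSTS = {"lab-vm-01", "lab-vm-02"}


@dataclass
class ProcessEvent:
    event_id: int
    host: str
    user: str
    image: str
    cmdline: str
    task: Optional[str] = None  # scheduled-task name when launched by the scheduler


def is_mimikatz_related(ev: ProcessEvent) -> bool:
    """Scenario filter: execution context (image or command line) names Mimikatz."""
    haystack = (ev.image + " " + ev.cmdline).lower()
    return any(token in haystack for token in MIMIKATZ_TOKENS)


def classify(ev: ProcessEvent) -> str:
    """Return 'ignore', 'alert', or the exclusion that applied."""
    if not is_mimikatz_related(ev):
        return "ignore"
    if (ev.host, ev.task, ev.user) in APPROVED_MAINTENANCE:   # scenario 1
        return "excluded:maintenance"
    if ev.host in LAB_HOSTS:                                  # scenario 4
        return "excluded:lab"
    return "alert"


def triage(events) -> dict:
    return {ev.event_id: classify(ev) for ev in events}


# Constructed sample events (hosts, users and paths are invented for this example).
SAMPLE_EVENTS = [
    ProcessEvent(1, "ws-042", "jdoe", r"C:\Users\jdoe\Downloads\mimikatz.exe", "mimikatz.exe"),
    ProcessEvent(2, "lab-vm-01", "redteam", r"C:\Tools\mimikatz.exe", "mimikatz.exe"),
    ProcessEvent(3, "srv-01", "SYSTEM", r"C:\Maint\mimikatz.exe", "mimikatz.exe", task="CredCheck-Weekly"),
    ProcessEvent(4, "srv-01", "jdoe", r"C:\Maint\mimikatz.exe", "mimikatz.exe", task="CredCheck-Weekly"),
    ProcessEvent(5, "ws-042", "jdoe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for event_id, verdict in triage(SAMPLE_EVENTS).items():
        print(event_id, verdict)
```

Event 4 is the case the first scenario is careful about: the same scheduled task on the same host, but outside the expected user context, still alerts because the exclusion key requires all three attributes to match.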