The detection of the Invoke-mimikittenz.ps1 file indicates potential credential theft via memory scraping, a common technique used by adversaries to exfiltrate sensitive credentials from memory. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage credential theft for lateral movement and persistence.
YARA Rule
rule Invoke_mimikittenz {
    meta:
        description = "Detects Mimikittenz - file Invoke-mimikittenz.ps1"
        author = "Florian Roth"
        reference = "https://github.com/putterpanda/mimikittenz"
        date = "2016-07-19"
        score = 90
        hash1 = "14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a"
    strings:
        $x1 = "[mimikittenz.MemProcInspector]" ascii
        $s1 = "PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |" fullword ascii
        $s2 = "IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);" fullword ascii
        $s3 = "&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=" ascii
        $s4 = "[DllImport(\"kernel32.dll\", SetLastError = true)]" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 60KB and 2 of them ) or $x1
}
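As an added example (not code from the page or from the rule's author), the rule's condition is reimplemented in Python so its logic can be exercised offline against constructed PowerShell fragments. It shows that a script merely named after Mimikittenz does not match, that content carrying two of the strings does, and that $x1 alone fires regardless of the header and size checks. The sample inputs are constructed for this demonstration.

```python
import re

# The five string patterns of the rule above, with their fullword flag.
# $s3 is declared as a plain text string in the rule, so its ".{1,48}"
# pieces are matched literally, not as a regular expression.
STRINGS = {
    "$x1": ("[mimikittenz.MemProcInspector]", False),
    "$s1": ("PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD"
            " | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |", True),
    "$s2": ("IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ"
            " | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);", True),
    "$s3": ("&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=", False),
    "$s4": ('[DllImport("kernel32.dll", SetLastError = true)]', True),
}

def string_hits(data: bytes, pattern: str, fullword: bool) -> bool:
    """Emulate one YARA 'ascii' text string. With 'fullword' the match must
    be bounded by non-alphanumeric bytes on both sides, as YARA defines it."""
    pat = re.escape(pattern.encode("ascii"))
    if fullword:
        pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None

def matching_strings(data: bytes) -> list:
    """Identifiers of the rule strings present in data, in rule order."""
    return [name for name, (s, fw) in STRINGS.items() if string_hits(data, s, fw)]

def invoke_mimikittenz_matches(data: bytes) -> bool:
    """Evaluate the rule condition:
    ( uint16(0) == 0x7566 and filesize < 60KB and 2 of them ) or $x1"""
    hits = matching_strings(data)
    # uint16(0) reads little-endian, so 0x7566 means the file starts with b"fu"
    # (a script whose first token is "function").
    magic_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x7566
    size_ok = len(data) < 60 * 1024
    return (magic_ok and size_ok and len(hits) >= 2) or "$x1" in hits

# Constructed samples (not real files). BENIGN only carries the Mimikittenz
# file name; MALICIOUS carries two rule strings; X1_ONLY carries the
# high-confidence indicator without a leading "function".
BENIGN_SAMPLE = b"function Invoke-mimikittenz { Write-Host 'credential rotation' }"
MALICIOUS_SAMPLE = (
    b"function Invoke-mimikittenz\n{\n"
    b'[DllImport("kernel32.dll", SetLastError = true)]\n'
    b'$m = "&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1="\n}\n'
)
X1_ONLY_SAMPLE = b"# loader\n$inspector = [mimikittenz.MemProcInspector]\n"
```

Call `invoke_mimikittenz_matches(data)` on file bytes to see the verdict and `matching_strings(data)` to see which identifiers contributed.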
This rule contains 5 string patterns in its detection logic: the high-confidence indicator $x1, which matches on its own, and the supporting strings $s1 to $s4, of which any two of the five must be present in a file smaller than 60 KB whose first two bytes are "fu" (the uint16(0) == 0x7566 check, read little-endian, i.e. a script that begins with "function"). Because the rule matches on file content rather than file name, a legitimately named script only triggers it if it actually contains Mimikittenz code, so exclusions are safer when keyed on a known-good file hash than on a path or name alone. This YARA rule can be deployed in the following contexts, each with a suggested filter or exclusion for false positives:
Scenario: A system administrator is running a legitimate PowerShell script named Invoke-mimikittenz.ps1 as part of a routine security tooling task.
Filter/Exclusion: Check for the presence of a known security tool or script in the file path, such as C:\Tools\Security\Invoke-mimikittenz.ps1, or use a process owner filter like Process.ParentProcessName == "Windows PowerShell" and Process.User == "Administrator".
Scenario: A scheduled job is configured to run a PowerShell script that uses the same name as the Mimikittenz script for internal automation.
Filter/Exclusion: Exclude scripts that are part of a known internal automation framework, such as C:\ScheduledJobs\AutoUpdate\Invoke-mimikittenz.ps1, or use a command-line argument check like CommandLine.Contains("--internal").
Scenario: A third-party security tool or endpoint protection software uses a script named Invoke-mimikittenz.ps1 as part of its own detection or remediation process.
Filter/Exclusion: Exclude files located in the directory of known security tools, such as C:\Program Files\EndpointProtection\Scripts\Invoke-mimikittenz.ps1, or use a process name filter like Process.Name == "EndpointProtectionService.exe".
Scenario: A DevOps pipeline runs a script named Invoke-mimikittenz.ps1 to perform credential rotation or system hardening.
Filter/Exclusion: Exclude scripts that are part of a CI/CD pipeline, such as those located in C:\DevOps\Pipelines\Scripts\Invoke-mimikittenz.ps1, or use a command-line argument check like CommandLine.Contains("--ci").
Scenario: A system update or patching tool runs a PowerShell script with the same name as Mimikittenz during a maintenance window