The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold by leveraging a compromised or malicious Cylance component. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts that may not be detected by traditional security controls.
YARA Rule
rule mimikatzWrapper : Toolkit
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "mimikatzWrapper"
        $s2 = "get_mimikatz"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic, and its condition (all of them) requires both strings to be present in the scanned object before the rule fires.
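To show how the rule's two plain-text strings and its "all of them" condition behave, here is an added Python re-implementation of that matching logic (this is example code written for this page, not Cylance's rule engine nor the yara-python library). The sample buffers are constructed for the example; the wide (UTF-16LE) variant illustrates what the rule as written does not see, because its strings carry no wide modifier.

```python
# Minimal stand-in for the matching logic of the mimikatzWrapper rule above.
# Real deployments should use YARA itself (for example yara-python); this
# example only mirrors the rule's semantics so the behaviour is visible.

# The rule's own strings. YARA text strings are case-sensitive and
# ASCII-only unless modifiers such as "nocase" or "wide" are added.
RULE_STRINGS = {
    "$s1": b"mimikatzWrapper",
    "$s2": b"get_mimikatz",
}


def find_strings(data: bytes, patterns=RULE_STRINGS, wide: bool = False) -> dict:
    """Return every offset at which each pattern occurs in data.

    wide=True additionally searches the UTF-16LE encoding of each pattern,
    which is what YARA's "wide" modifier would do for these strings.
    """
    hits = {}
    for name, pattern in patterns.items():
        encodings = [pattern]
        if wide:
            encodings.append(pattern.decode("ascii").encode("utf-16-le"))
        offsets = []
        for needle in encodings:
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx == -1:
                    break
                offsets.append(idx)
                start = idx + 1  # allow overlapping matches, as YARA does
        hits[name] = sorted(offsets)
    return hits


def rule_matches(data: bytes, condition: str = "all", wide: bool = False) -> bool:
    """Evaluate the rule's condition.

    "all" corresponds to the rule's actual condition ("all of them");
    "any" is included only to contrast the looser "any of them" form.
    """
    hits = find_strings(data, wide=wide)
    present = [name for name, offsets in hits.items() if offsets]
    if condition == "all":
        return len(present) == len(hits)
    if condition == "any":
        return bool(present)
    raise ValueError("condition must be 'all' or 'any'")


# Constructed sample buffers (not real malware):
SAMPLE_BOTH = b"\x00\x00" + b"mimikatzWrapper" + b"\x00" + b"get_mimikatz" + b"\x00"
SAMPLE_ONE = b"padding get_mimikatz padding"          # only $s2 present
SAMPLE_WIDE = ("mimikatzWrapper" + "get_mimikatz").encode("utf-16-le")


if __name__ == "__main__":
    for label, buf in [("both", SAMPLE_BOTH), ("one", SAMPLE_ONE), ("wide", SAMPLE_WIDE)]:
        print(label, "all of them:", rule_matches(buf), "| any of them:", rule_matches(buf, "any"))
    print("wide buffer with a wide-aware search:", rule_matches(SAMPLE_WIDE, wide=True))
```

The wide case is the caveat worth noting when tuning this rule: a .NET or PowerShell artifact that stores the same identifiers as UTF-16 will not trigger the rule unless the strings are declared with "ascii wide", so the hunt should pair the YARA hit with the telemetry-based filters rather than rely on the file scan alone.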
Scenario: A system administrator is using PowerShell to automate the deployment of a software update via a scheduled task.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "schtasks.exe"
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that uses curl or Invoke-WebRequest to fetch configuration data from an internal server.
Filter/Exclusion: process.parent.name != "taskeng.exe" or destination.uri contains "internal.company.com"
Scenario: A Docker container is running a service that periodically accesses an external API for metrics collection, using a tool like Prometheus or Grafana.
Filter/Exclusion: process.name contains "docker" or process.parent.name contains "dockerd"
Scenario: A System Center Configuration Manager (SCCM) agent is performing a software inventory scan and communicates with the SCCM server.
Filter/Exclusion: process.name contains "ccmexec.exe" or destination.ip in SCCM_server_IPs
Scenario: A Microsoft Intune client is syncing device compliance policies and is making outbound HTTP requests to Microsoft’s servers.
Filter/Exclusion: destination.uri contains "intune.microsoft.com" or process.name contains "intunewin.exe"