The Mimikatz wrapper detected by this rule indicates that adversaries are using it to extract credentials as part of the Operation Cleaver campaign, enabling lateral movement and persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
YARA Rule
rule OPCLEAVER_mimikatzWrapper
{
    meta:
        description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "mimikatzWrapper"
        $s2 = "get_mimikatz"
    condition:
        all of them
}
This rule contains 2 string patterns in its detection logic, and its condition (all of them) fires only when both are present in the scanned object.
The following scenarios describe benign contexts in which this rule may still fire, together with the filter or exclusion that can be applied when deploying it:
Scenario: Scheduled Job Running Mimikatz Wrapper for Credential Harvesting
Description: A legitimate scheduled job is configured to run a Mimikatz wrapper script as part of a credential management process.
Filter/Exclusion: Check for CommandLine containing --scheduled-job or --credential-management flags, or filter by process owner (e.g., domain\serviceaccount).
Scenario: Admin Task to Retrieve Cached Credentials
Description: A system administrator is performing a routine task to retrieve cached credentials using a Mimikatz wrapper for troubleshooting or auditing purposes.
Filter/Exclusion: Filter by user account (e.g., domain\adminuser) and check for CommandLine containing --admin-task or --audit.
Scenario: PowerShell Script Using Mimikatz Wrapper for Debugging
Description: A PowerShell script is using a Mimikatz wrapper to debug authentication issues or test credential handling in a secure environment.
Filter/Exclusion: Check for CommandLine containing --debug or --test, and verify the script path is within a known secure directory (e.g., C:\Tools\Debug).
Scenario: Third-Party Tool Using Mimikatz for Credential Dumping
Description: A third-party security tool is using a Mimikatz wrapper to perform a controlled credential dump as part of a security assessment.
Filter/Exclusion: Filter by process name (e.g., securitytool.exe) and check for CommandLine containing --assessment or --secure-mode.
Scenario: Mimikatz Wrapper Used in a Validated Security Tool
Description: A validated security tool (e.g., Microsoft’s mimikatz wrapper) is being used in a red team exercise or penetration test with proper authorization.
Filter/Exclusion:
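The rule logic and the exclusion approach above, as an added example that is not part of the original page or of the Cylance rule: a small Python matcher that evaluates the two strings with the all-of-them condition (note that without the YARA wide modifier they match only the ASCII encoding, case-sensitively), followed by a triage step in which the command-line flags named in the scenarios never suppress an alert on their own. ProcessContext, the allowlisted accounts, directories and flags, and the sample buffers are all constructed for this example.

```python
import re
from dataclasses import dataclass

# The two ASCII strings from OPCLEAVER_mimikatzWrapper. YARA strings without
# the `wide` modifier match only the ASCII encoding, case-sensitively.
RULE_STRINGS = {"$s1": b"mimikatzWrapper", "$s2": b"get_mimikatz"}


def rule_matches(data: bytes) -> dict:
    """Evaluate the rule's `all of them` condition over one buffer.

    Returns {identifier: [offsets]} when every string is present, else {}.
    """
    hits = {ident: [m.start() for m in re.finditer(re.escape(pat), data)]
            for ident, pat in RULE_STRINGS.items()}
    return hits if all(hits.values()) else {}


@dataclass
class ProcessContext:
    """Constructed telemetry for the process that owns the scanned file."""
    command_line: str
    user: str   # e.g. "domain\\adminuser"
    path: str   # on-disk location of the scanned file


# Hypothetical allowlist modelled on the scenarios above; values are constructed.
APPROVED_USERS = {"domain\\adminuser", "domain\\serviceaccount"}
APPROVED_DIRS = ("c:\\tools\\debug\\",)
APPROVED_FLAGS = {"--scheduled-job", "--credential-management", "--admin-task",
                  "--audit", "--debug", "--test", "--assessment", "--secure-mode"}


def triage(data: bytes, ctx: ProcessContext) -> str:
    """Return "no-match", "suppressed" or "alert" for one scan result.

    A documented flag is attacker-controlled text, so it never suppresses on
    its own: it must be corroborated by an approved account or directory.
    """
    if not rule_matches(data):
        return "no-match"
    flag_seen = bool(APPROVED_FLAGS & set(ctx.command_line.lower().split()))
    trusted_origin = (ctx.user.lower() in APPROVED_USERS
                      or ctx.path.lower().startswith(APPROVED_DIRS))
    return "suppressed" if flag_seen and trusted_origin else "alert"


if __name__ == "__main__":
    sample = b"\x00padding\x00 mimikatzWrapper ... get_mimikatz"  # constructed
    ctx = ProcessContext("wrapper.exe --audit", "domain\\bob", "C:\\Users\\bob\\w.exe")
    print(rule_matches(sample), triage(sample, ctx))  # -> offsets, then "alert"
```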