Attackers are using a Mimikatz wrapper to extract credentials during lateral movement, indicating potential compromise of privileged accounts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats associated with Operation Cleaver.
YARA Rule
rule OPCLEAVER_zhmimikatz
{
    meta:
        description = "Mimikatz wrapper used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "MimikatzRunner"
        $s2 = "zhmimikatz"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
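To show what the condition all of them means in practice, the following added Python example (not from the original page, the rule's authors, or any YARA project code) parses the strings and condition sections of this rule with a tiny YARA-subset parser and scans constructed sample buffers; the sample bytes and the scan_samples helper are made up for illustration.

```python
import re

# The rule from this page (meta lines omitted; they do not affect matching).
RULE_TEXT = r'''
rule OPCLEAVER_zhmimikatz
{
    strings:
        $s1 = "MimikatzRunner"
        $s2 = "zhmimikatz"
    condition:
        all of them
}
'''

def parse_rule(text):
    """Parse a minimal YARA subset: rule name, plain ASCII text strings and an
    'all/any/N of them' condition. String modifiers such as nocase or wide are
    not handled, which is fine for this rule because it uses none."""
    name = re.search(r'rule\s+(\w+)', text).group(1)
    strings = {ident: value.encode()
               for ident, value in re.findall(r'(\$\w+)\s*=\s*"([^"]*)"', text)}
    word = re.search(r'condition:\s*(all|any|\d+)\s+of\s+them', text).group(1)
    needed = len(strings) if word == 'all' else 1 if word == 'any' else int(word)
    return name, strings, needed

def scan(rule, data):
    """Return (matched, set of string identifiers found in data)."""
    _name, strings, needed = rule
    hits = {ident for ident, pat in strings.items() if pat in data}
    return len(hits) >= needed, hits

RULE = parse_rule(RULE_TEXT)

# Constructed sample buffers standing in for scanned file contents (not real samples).
SAMPLES = {
    # both strings present: the rule fires
    "wrapper": b"\x4d\x5a...MimikatzRunner\x00 loader for zhmimikatz\x00",
    # only one of the two strings: 'all of them' is not satisfied
    "partial": b"\x4d\x5a...MimikatzRunner\x00",
    # same strings upper-cased: no 'nocase' modifier, so case-sensitive, no match
    "uppercase": b"MIMIKATZRUNNER ZHMIMIKATZ",
    "benign": b"\x4d\x5a...ordinary program text",
}

def scan_samples():
    """Map each sample label to whether OPCLEAVER_zhmimikatz matches it."""
    return {label: scan(RULE, data)[0] for label, data in SAMPLES.items()}

if __name__ == "__main__":
    for label, matched in scan_samples().items():
        print(f"{label:10s} {'MATCH' if matched else 'no match'}")
```

The uppercase and partial cases show why a two-string, case-sensitive rule is easy to miss with and is best paired with the process-level hunting described above.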
Scenario: Scheduled Job Running Mimikatz Wrapper for Credential Harvesting
Description: A legitimate scheduled job is configured to run a Mimikatz wrapper script as part of a credential management process.
Filter/Exclusion: Exclude processes initiated by a known legitimate service account or scheduled task with a specific name (e.g., CredentialHarvestingJob).
Scenario: Admin Task Using Mimikatz Wrapper for Privileged Access
Description: A system administrator uses a Mimikatz wrapper to extract credentials from memory for troubleshooting or auditing purposes.
Filter/Exclusion: Exclude processes executed by a known admin account (e.g., Administrator) with a specific command-line argument or script name (e.g., Extract-PrivilegedCredentials.ps1).
Scenario: PowerShell Script Using Mimikatz Wrapper for Debugging
Description: A PowerShell script is used to invoke a Mimikatz wrapper for debugging purposes during a security assessment or penetration test.
Filter/Exclusion: Exclude processes with a command-line argument containing --debug or --test, or executed from a known security assessment tool directory (e.g., C:\SecurityTools\).
Scenario: Mimikatz Wrapper Used in a Validated Security Tool
Description: A security tool or SIEM integration uses a Mimikatz wrapper to simulate credential extraction for testing or incident response.
Filter/Exclusion: Exclude processes where the executable path matches a known security tool (e.g., C:\Program Files\SIEMTool\mimikatz_wrapper.exe).
Scenario: Mimikatz Wrapper Used in a Legacy Authentication Migration
Description: A Mimikatz wrapper is used during a legacy authentication migration to extract credentials for migration to a new authentication system.
Filter/Exclusion: Exclude processes initiated by a migration service account (