Adversaries may use encoded Mimikatz payloads embedded within non-executable file types to evade standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential dumping activities and mitigate lateral movement risks.
YARA Rule
rule StegoKatz
{
meta:
description = "Encoded Mimikatz in other file types"
author = "Florian Roth"
reference = "https://goo.gl/jWPBBY"
date = "2015-09-11"
score = 70
strings:
$s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
$s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
condition:
filesize < 1000KB and 1 of them
}This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to generate a base64-encoded payload for testing purposes.
Filter/Exclusion: Check for presence of powershell.exe in the process tree or filter out base64 strings that match known test payloads.
Scenario: A scheduled backup job is compressing and encoding log files using 7-Zip or WinRAR, which may include base64 encoding during compression.
Filter/Exclusion: Exclude files that are part of known backup directories or filter out base64 strings that match compression-related patterns.
Scenario: A Windows Update or Group Policy deployment script is using PowerShell to encode configuration data for secure transmission.
Filter/Exclusion: Exclude processes associated with wuauclt.exe, gpupdate.exe, or scripts located in the C:\Windows\System32\GroupPolicy directory.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is using base64 encoding to pass credentials or secrets in logs or artifacts.
Filter/Exclusion: Exclude files or processes related to CI/CD tools, or filter out base64 strings that match known secret patterns or are within log files.
Scenario: A network monitoring tool (e.g., Wireshark, tcpdump) is capturing and displaying base64-encoded data during packet analysis.
Filter/Exclusion: Exclude files or processes related to network analysis tools, or filter out base64 strings that match known packet capture formats.