Rules Contributing to Mimikatz Credential Dump Alert Type

The following rules are used to identify suspicious activity relating to potential Mimikatz memory dump. Any one or more of these will trigger the Mimikatz Credential Dump Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Mimikatz Credential Dump

The mask the suspicious process used to obtain access privilege. the different access_mask means different capability obtained by the suspicious process.

More details

Rule ID

mimikatz_mem_scan

Query

{'selection1': {'DetectionFlag': 2301}, 'selection2': {'SourceImage': ['C:\\Windows\\System32\\MsiExec.exe', 'C:\\Program Files\\McAfee\\Endpoint Security\\Adaptive Threat Protection\\mfeatp.exe', 'C:\\Program Files\\Guardicore\\gc-launcher.exe', 'c:\\Program Files\\Microsoft Security Client\\MsMpEng.exe']}, 'selection3': [{'SourceImage|re': 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent ([0-9]{2,3}\\.[0-9]\\.[0-9]\\.[0-9]{1,4})\\\\SentinelAgent\\.exe'}], 'condition': 'selection1 and not selection2 and not selection3'}

Detection Flag

Note: detection_flag is a Stellar enriched field.

2301: Mimikatz access to lsass.exe

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1003

References

N/A

Severity

Suppression Logic Based On

computer_name
access_subject
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021/12/13	critical	N/A