Detect Mimikatz Using Loaded Images

Original Source: [splunk source]
Name:Detect Mimikatz Using Loaded Images
id:29e307ba-40af-4ab2-91b2-3c6b392bbba0
version:2
date:2024-10-17
author:Patrick Bareiss, Splunk
status:deprecated
type:TTP
Description:This search looks for processes that load the set of DLLs characteristic of credential dumping with Mimikatz, using Sysmon image-load (EventCode 7) events. Deprecated because the libraries Mimikatz loads have changed and Sysmon EventCode 7 is a very noisy event.
Data_source:
  - Sysmon EventID 7
search:`sysmon` EventCode=7
| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by dest, Image
| search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mimikatz_using_loaded_images_filter`

how_to_implement:This search needs Sysmon logs and a Sysmon configuration that includes EventCode 7 (image loaded) for powershell.exe. The search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs: replace the macro definition with the configuration for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
known_false_positives:Other tools can import the same DLLs; these tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.
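To show how the search logic behaves on image-load telemetry, here is an added Python port of it (not Splunk's code and not part of the original content) run over constructed Sysmon EventCode 7 records: it groups by dest and Image, requires all five DLL suffixes in one group, and applies an allowlist of Image paths in place of the `detect_mimikatz_using_loaded_images_filter` macro. The field names follow the search; the hostnames, paths and process IDs are made up for the example.

```python
from datetime import datetime, timezone

# The five DLLs the search requires one process to have loaded (from the page).
MIMIKATZ_DLLS = ("winscard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")

def _events(dest, image, pid, t0, dlls):
    """Build constructed Sysmon EventCode=7 records using the search's field names."""
    return [{"EventCode": 7, "_time": t0 + i, "dest": dest, "Image": image, "ProcessId": pid,
             "ImageLoaded": "C:\\Windows\\System32\\" + d} for i, d in enumerate(dlls)]

ALL_FIVE = ["WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll"]
# Constructed sample data (not real telemetry): a true positive, a process that loads
# only three of the DLLs, and a vendor credential tool that will be allowlisted.
SAMPLE_EVENTS = (
    _events("ws01", "C:\\Tools\\mimikatz.exe", 4120, 1729166400, ALL_FIVE)
    + _events("ws01", "C:\\Windows\\System32\\lsass.exe", 700, 1729166000, ALL_FIVE[:3])
    + _events("ws02", "C:\\Program Files\\Vendor\\credtool.exe", 2210, 1729170000, ALL_FIVE + ["kernel32.dll"])
)

def _ctime(epoch):
    """Mirror security_content_ctime: render epoch seconds as an ISO-style UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def detect_mimikatz_loaded_images(events, allowlist=()):
    """stats values(ImageLoaded) values(ProcessId) min/max(_time) by dest, Image; keep groups
    where every required DLL matched (ImageLoaded=*x.dll is a case-insensitive suffix
    match); then drop allowlisted Images, standing in for the post-filter macro."""
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 7:          # `sysmon` EventCode=7
            continue
        key = (ev["dest"], ev["Image"])
        g = groups.setdefault(key, {"loaded": set(), "pids": set(),
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["loaded"].add(ev["ImageLoaded"].lower())
        g["pids"].add(ev["ProcessId"])
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    allowed = {a.lower() for a in allowlist}
    hits = []
    for (dest, image), g in sorted(groups.items()):
        # Every required DLL must appear as the suffix of some loaded image path.
        if not all(any(p.endswith(d) for p in g["loaded"]) for d in MIMIKATZ_DLLS):
            continue
        if image.lower() in allowed:           # known-good tool from the allowlist
            continue
        hits.append({"dest": dest, "Image": image, "ProcessId": sorted(g["pids"]),
                     "ImageLoaded": sorted(g["loaded"]),
                     "firstTime": _ctime(g["firstTime"]), "lastTime": _ctime(g["lastTime"])})
    return hits
```

Without an allowlist the vendor tool on ws02 is also reported, which is the false-positive class the note above describes.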
References:
  - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
drilldown_searches:
tags:
  analytic_story:
    - 'Credential Dumping'
    - 'Detect Zerologon Attack'
    - 'Cloud Federated Credential Abuse'
    - 'DarkSide Ransomware'
    - 'CISA AA22-257A'
    - 'CISA AA22-264A'
    - 'CISA AA22-320A'
    - 'Sandworm Tools'
  asset_type:Windows
  confidence:80
  impact:80
  message:A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.
  mitre_attack_id:
    - 'T1003.001'
    - 'T1003'
  observable:
    - name:'user'
      type:'User'
      role:
        - 'Victim'
    - name:'dest'
      type:'Hostname'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'ImageLoaded'
    - 'ProcessId'
    - 'dest'
    - 'Image'
  risk_score:64
  security_domain:endpoint

tests:
  - name:'True Positive Test'
    attack_data:
      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log
        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
        sourcetype: XmlWinEventLog
manual_test:None