Detect Mimikatz Using Loaded Images
Description
This search looks for the loading of a set of DLLs that is characteristic of credential dumping with Mimikatz. Deprecated because the libraries Mimikatz loads have changed and Sysmon Event Code 7 is very noisy.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2019-12-03
- Author: Patrick Bareiss, Splunk
- ID: 29e307ba-40af-4ab2-91b2-3c6b392bbba0
Annotations
ATT&CK
Kill Chain Phase
- Actions on Objectives
NIST
- DE.AE
- DE.CM
CIS20
- CIS 6
- CIS 8
CVE
Search
`sysmon` EventCode=7
| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image
| search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mimikatz_using_loaded_images_filter`
Macros
The SPL above uses the following Macros:
- sysmon
- security_content_ctime
- detect_mimikatz_using_loaded_images_filter
Note that detect_mimikatz_using_loaded_images_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
- EventCode
- ImageLoaded
- ProcessId
- Computer
- Image
How To Implement
This search needs Sysmon logs and a Sysmon configuration that includes EventCode 7 (image loaded) for powershell.exe. This search uses an input macro named sysmon. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
Known False Positives
Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.
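The detection logic of the search above and the allowlist-style filtering recommended for false positives, re-implemented in Python as an added example (not Splunk's own code): it aggregates constructed Sysmon EventCode 7 records by host and process like the `stats ... by Computer, Image` clause, requires all five DLLs to be loaded (the `search` terms are ANDed), and drops any image path the analyst has placed on an allowlist, which is what the empty filter macro is for. Event records, host names and process paths are constructed sample data.

```python
from collections import defaultdict

# DLLs the SPL's `search` clause requires; every term is ANDed, so all five must be loaded
MIMIKATZ_DLLS = ("WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")

# Constructed Sysmon EventCode 7 records (fields as the search expects them); not real telemetry
SAMPLE_EVENTS = [
    {"_time": 1575360000, "EventCode": 7, "Computer": "WS01", "Image": "C:\\Temp\\m.exe",
     "ProcessId": 4120, "ImageLoaded": f"C:\\Windows\\System32\\{d}"} for d in MIMIKATZ_DLLS
] + [
    {"_time": 1575360100, "EventCode": 7, "Computer": "WS02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ProcessId": 904, "ImageLoaded": "C:\\Windows\\System32\\cryptdll.dll"},
    {"_time": 1575360101, "EventCode": 7, "Computer": "WS02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ProcessId": 904, "ImageLoaded": "C:\\Windows\\System32\\samlib.dll"},
    {"_time": 1575360200, "EventCode": 1, "Computer": "WS01", "Image": "C:\\Temp\\m.exe",
     "ProcessId": 4120, "ImageLoaded": ""},  # not an image-load event; must be ignored
]

def detect(events, allowlist=frozenset()):
    """Mirror the SPL: keep EventCode 7, aggregate by (Computer, Image), then keep groups whose
    loaded images end with every DLL in MIMIKATZ_DLLS (the `*name.dll` wildcard is a suffix match).
    `allowlist` stands in for the empty filter macro: lower-cased image paths vetted as benign."""
    groups = defaultdict(lambda: {"loaded": set(), "pids": set(), "times": []})
    for ev in events:
        if ev.get("EventCode") != 7:
            continue
        g = groups[(ev["Computer"], ev["Image"])]
        g["loaded"].add(ev["ImageLoaded"].lower())
        g["pids"].add(ev["ProcessId"])
        g["times"].append(ev["_time"])
    hits = []
    for (computer, image), g in groups.items():
        if image.lower() in allowlist:
            continue  # known false positive, same effect as the filter macro
        if all(any(p.endswith(d.lower()) for p in g["loaded"]) for d in MIMIKATZ_DLLS):
            hits.append({"dest": computer, "Image": image, "ProcessId": sorted(g["pids"]),
                         "firstTime": min(g["times"]), "lastTime": max(g["times"]), "risk_score": 64.0})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

WS02 loads only two of the five DLLs and is therefore not flagged, which is the AND semantics that keeps this search from firing on every process that touches cryptdll.dll or samlib.dll.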
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
64.0 | 80 | 80 | A process, $Image$, has loaded $ImageLoaded$, which are typically related to credential dumping, on $Computer$. Review for further details. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1