This search looks for loaded images (Sysmon EventCode 7) that are unique to credential dumping with Mimikatz. Deprecated because the libraries Mimikatz loads have changed and EventCode 7 is a very noisy Sysmon event.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2019-12-03
- Author: Patrick Bareiss, Splunk
- ID: 29e307ba-40af-4ab2-91b2-3c6b392bbba0
Kill Chain Phase
- Actions on Objectives
- CIS 6
- CIS 8
`sysmon` EventCode=7
| stats values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId min(_time) as firstTime max(_time) as lastTime by Computer, Image
| search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mimikatz_using_loaded_images_filter`
The SPL above uses the following macros: `sysmon`, `security_content_ctime`, and `detect_mimikatz_using_loaded_images_filter`.
Note that detect_mimikatz_using_loaded_images_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
How To Implement
This search needs Sysmon logs and a Sysmon configuration that includes EventCode 7 (Image Loaded) events for powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
Known False Positives
Other tools can load the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on the parent process.
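To show what the stats/search stages of the SPL actually compute, and how the whitelist described under Known False Positives slots in where the empty filter macro sits, here is a stand-alone re-implementation of the detection in Python over constructed Sysmon EventCode 7 records. This is an added example, not code from the Splunk Security Content project. It assumes the field names used by the SPL (Computer, Image, ImageLoaded, ProcessId, _time); the sample events, the `image_allowlist` parameter, and the helper names are constructed for this example. Filtering on the parent process, as the text suggests, would need the Image Loaded events correlated with Process Create events, which this example does not do; it allowlists on the loading Image's basename instead.

```python
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# DLL names the SPL matches with ImageLoaded=*<name>. All five must be present in a
# (Computer, Image) group for it to alert, because the search stage ANDs its terms.
MIMIKATZ_DLLS = ("winscard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")


def _ev(t, computer, image, pid, dll):
    """Build one constructed Sysmon EventCode 7 record (not real telemetry)."""
    return {"_time": t, "Computer": computer, "Image": image, "ProcessId": pid,
            "ImageLoaded": "C:\\Windows\\System32\\" + dll}


# Constructed sample events: a binary on ws01 that loads all five DLLs across two
# process ids, an application that loads only two (must not alert), and an
# allowlisted tool on srv02 that loads all five.
SAMPLE_EVENTS = [
    _ev(1575360000, "ws01", r"C:\Users\bob\tool.exe", 4412, "WinSCard.dll"),
    _ev(1575360001, "ws01", r"C:\Users\bob\tool.exe", 4412, "cryptdll.dll"),
    _ev(1575360002, "ws01", r"C:\Users\bob\tool.exe", 4412, "hid.dll"),
    _ev(1575360003, "ws01", r"C:\Users\bob\tool.exe", 4412, "samlib.dll"),
    _ev(1575360010, "ws01", r"C:\Users\bob\tool.exe", 4413, "vaultcli.dll"),
    _ev(1575360020, "ws01", r"C:\Program Files\App\app.exe", 700, "samlib.dll"),
    _ev(1575360021, "ws01", r"C:\Program Files\App\app.exe", 700, "cryptdll.dll"),
] + [_ev(1575360100 + i, "srv02", r"C:\Tools\credtool.exe", 9001, d)
     for i, d in enumerate(MIMIKATZ_DLLS)]


def group_loaded_images(events):
    """Mirror of: stats values(ImageLoaded) values(ProcessId) min(_time) max(_time)
    by Computer, Image. Returns {(Computer, Image): aggregate dict}."""
    groups = {}
    for e in events:
        g = groups.setdefault((e["Computer"], e["Image"]), {
            "ImageLoaded": set(), "ProcessId": set(),
            "firstTime": e["_time"], "lastTime": e["_time"]})
        g["ImageLoaded"].add(e["ImageLoaded"])
        g["ProcessId"].add(e["ProcessId"])
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return groups


def loads_all_dlls(image_loaded):
    """Mirror of the search stage: every DLL must be the basename of some loaded
    path, case-insensitively. This is slightly stricter than the SPL wildcard
    (*hid.dll would also match a file such as xhid.dll)."""
    lowered = [p.lower() for p in image_loaded]
    return all(any(p.endswith("\\" + dll) for p in lowered) for dll in MIMIKATZ_DLLS)


def _ctime(epoch):
    """Human-readable timestamp, the role security_content_ctime plays in the SPL."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_mimikatz(events, image_allowlist=frozenset()):
    """Run the detection. image_allowlist stands in for the (by default empty)
    detect_mimikatz_using_loaded_images_filter macro: groups whose loading Image
    basename is allowlisted are dropped. Returns one alert row per hit."""
    rows = []
    for (computer, image), g in sorted(group_loaded_images(events).items()):
        if not loads_all_dlls(g["ImageLoaded"]):
            continue
        if PureWindowsPath(image).name.lower() in image_allowlist:
            continue
        rows.append({
            "dest": computer,                        # rename Computer as dest
            "Image": image,
            "ProcessId": sorted(g["ProcessId"]),
            "firstTime": _ctime(g["firstTime"]),
            "lastTime": _ctime(g["lastTime"]),
            "message": f"A process, {image}, has loaded "
                       f"{sorted(g['ImageLoaded'])} that are typically related to "
                       f"credential dumping on {computer}. Review for further details.",
        })
    return rows


if __name__ == "__main__":
    for row in detect_mimikatz(SAMPLE_EVENTS, image_allowlist={"credtool.exe"}):
        print(row["dest"], row["Image"], row["ProcessId"], row["firstTime"], row["lastTime"])
```

Run as-is, only the ws01 tool.exe group is reported; without the allowlist, the srv02 tool is reported as well, which is exactly the noise the filter macro exists to absorb. The process-id aggregation also shows why the SPL groups by Computer and Image rather than by ProcessId: the five loads are spread over two processes of the same binary and still count as one hit.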
Associated Analytic story
Risk Score | Impact | Confidence | Message
64.0 | 80 | 80 | A process, $Image$, has loaded $ImageLoaded$ that are typically related to credential dumping on $Computer$. Review for further details.
source | version: 1