Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
T1003 on the official MITRE ATT&CK siteT1003.001 on the official MITRE ATT&CK siteT1003.002 on the official MITRE ATT&CK siteT1003.006 on the official MITRE ATT&CK siteT1046 on the official MITRE ATT&CK siteT1057 on the official MITRE ATT&CK siteT1082 on the official MITRE ATT&CK siteT1083 on the official MITRE ATT&CK siteT1550.003 on the official MITRE ATT&CK siteT1556.001 on the official MITRE ATT&CK siteT1558 on the official MITRE ATT&CK siteT1558.001 on the official MITRE ATT&CK siteT1558.003 on the official MITRE ATT&CK site
NIST CSF 2.0
When to Use
- When proactively hunting for indicators of detecting mimikatz execution patterns in the environment
- After threat intelligence indicates active campaigns using these techniques
- During incident response to scope compromise related to these techniques
- When EDR or SIEM alerts trigger on related indicators
- During periodic security assessments and purple team exercises
Prerequisites
- EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne)
- SIEM with relevant log data ingested (Splunk, Elastic, Sentinel)
- Sysmon deployed with comprehensive configuration
- Windows Security Event Log forwarding enabled
- Threat intelligence feeds for IOC correlation
Workflow
- Formulate Hypothesis: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis.
- Identify Data Sources: Determine which logs and telemetry are needed to validate or refute the hypothesis.
- Execute Queries: Run detection queries against SIEM and EDR platforms to collect relevant events.
- Analyze Results: Examine query results for anomalies, correlating across multiple data sources.
- Validate Findings: Distinguish true positives from false positives through contextual analysis.
- Correlate Activity: Link findings to broader attack chains and threat actor TTPs.
- Document and Report: Record findings, update detection rules, and recommend response actions.
Key Concepts
| Concept | Description |
|---|---|
| T1003.001 | LSASS Memory |
| T1003.006 | DCSync |
| T1558.003 | Kerberoasting |
| T1558.001 | Golden Ticket |
Tools & Systems
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Common Scenarios
- Scenario 1: Standard sekurlsa::logonpasswords credential dump
- Scenario 2: PowerShell Invoke-Mimikatz reflective loading
- Scenario 3: DCSync from non-DC host
- Scenario 4: Golden ticket creation for persistence
Output Format
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1003.001
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.6 KB
API Reference: Detecting Mimikatz Execution Patterns
Mimikatz Command Signatures
| Command | MITRE | Impact |
|---|---|---|
sekurlsa::logonpasswords |
T1003.001 | Dump all credentials |
lsadump::dcsync |
T1003.006 | DCSync attack |
kerberos::golden |
T1558.001 | Golden Ticket |
kerberos::ptt |
T1550.003 | Pass-the-Ticket |
lsadump::sam |
T1003.002 | SAM dump |
misc::skeleton |
T1556.001 | Skeleton Key |
LSASS Dump Techniques
| Method | Detection Pattern |
|---|---|
| comsvcs.dll MiniDump | rundll32.*comsvcs.*MiniDump |
| ProcDump | procdump.*-ma.*lsass |
| SQLDumper | sqldumper.*lsass |
| .NET createdump | createdump.*lsass |
| PowerShell | Out-Minidump.*lsass |
Sysmon Detection Events
| Event ID | Usage |
|---|---|
| 1 | Process Create (mimikatz.exe) |
| 7 | Image Loaded (sekurlsa.dll) |
| 10 | Process Access (LSASS access mask) |
Splunk SPL Detection
index=sysmon (EventCode=1 OR EventCode=10)
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::golden|privilege::debug)")
OR (TargetImage="*\\lsass.exe" AND GrantedAccess IN ("0x1010","0x1FFFFF"))
| table _time Image CommandLine GrantedAccess ComputerYARA Rule
rule Mimikatz_Strings {
strings:
$s1 = "sekurlsa::logonpasswords" ascii wide
$s2 = "lsadump::dcsync" ascii wide
$s3 = "kerberos::golden" ascii wide
$s4 = "mimilib" ascii wide
condition:
any of them
}CLI Usage
python agent.py --evtx-file Sysmon.evtx
python agent.py --text-log process_audit.logstandards.md1.6 KB
Standards and References - Detecting Mimikatz Execution Patterns
MITRE ATT&CK Mappings
| Technique | Name | Description |
|---|---|---|
| T1003.001 | LSASS Memory | See attack.mitre.org/techniques/T1003/001 |
| T1003.006 | DCSync | See attack.mitre.org/techniques/T1003/006 |
| T1558.003 | Kerberoasting | See attack.mitre.org/techniques/T1558/003 |
| T1558.001 | Golden Ticket | See attack.mitre.org/techniques/T1558/001 |
Detection Data Sources
| Source | Event ID | Purpose |
|---|---|---|
| Sysmon | 1 | Process creation with command line |
| Sysmon | 3 | Network connection initiated |
| Sysmon | 7 | Image loaded (DLL) |
| Sysmon | 10 | Process access (LSASS) |
| Sysmon | 11 | File creation |
| Sysmon | 12/13 | Registry create/set |
| Sysmon | 22 | DNS query |
| Sysmon | 25 | Process tampering |
| Windows Security | 4624 | Successful logon |
| Windows Security | 4625 | Failed logon |
| Windows Security | 4648 | Explicit credential logon |
| Windows Security | 4672 | Special privileges assigned |
| Windows Security | 4688 | Process creation |
| Windows Security | 4697 | Service installed |
| Windows Security | 4698 | Scheduled task created |
| Windows Security | 4769 | Kerberos TGS requested |
| Windows Security | 5140 | Network share accessed |
References
- MITRE ATT&CK Framework: https://attack.mitre.org/
- Sigma Detection Rules: https://github.com/SigmaHQ/sigma
- LOLBAS Project: https://lolbas-project.github.io/
- Atomic Red Team Tests: https://github.com/redcanaryco/atomic-red-team
- Red Canary Threat Detection Report
- SANS Threat Hunting Summit Resources
workflows.md2.8 KB
Detailed Hunting Workflow - Detecting Mimikatz Execution Patterns
Phase 1: Data Collection and Querying
Splunk SPL Query
index=sysmon EventCode=1
| where match(CommandLine, "(?i)(sekurlsa|lsadump|kerberos::list|privilege::debug|token::elevate|dpapi::)")
| table _time Computer User Image CommandLine ParentImageKQL Query (Microsoft Defender for Endpoint)
DeviceProcessEvents
| where ProcessCommandLine has_any ("sekurlsa","lsadump","kerberos::","privilege::debug")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLinePhase 2: Baseline and Anomaly Detection
Step 2.1 - Establish Normal Behavior Baseline
- Collect 30 days of historical data for the targeted technique
- Document expected patterns, frequencies, and legitimate use cases
- Identify known false positive sources and document exceptions
- Build statistical baseline (mean, standard deviation) for key metrics
Step 2.2 - Identify Anomalies
- Compare current activity against the 30-day baseline
- Flag events exceeding 3 standard deviations from normal
- Prioritize anomalies by risk score and potential business impact
- Cross-reference with threat intelligence for known IOCs
Phase 3: Investigation and Correlation
Step 3.1 - Deep Dive Analysis
- For each anomaly, collect full process tree context
- Correlate with network activity, file operations, and authentication events
- Check binary signatures, file hashes, and certificate validity
- Review user account context and access patterns
Step 3.2 - Attack Chain Reconstruction
- Map findings to MITRE ATT&CK kill chain stages
- Identify initial access vector if applicable
- Trace lateral movement and privilege escalation paths
- Determine data access and potential exfiltration
Phase 4: Validation and Response
Step 4.1 - True/False Positive Determination
- Verify findings with system owners and IT operations
- Check change management records for authorized activities
- Validate user context (authorized actions vs. compromised account)
- Document determination rationale for each finding
Step 4.2 - Response Actions
- For confirmed threats: initiate incident response procedures
- For detection gaps: create or update detection rules
- For false positives: tune existing rules and update exclusions
- Update threat hunting playbook with lessons learned
Phase 5: Documentation and Reporting
Step 5.1 - Hunt Report
- Summarize hypothesis, methodology, and findings
- Include all queries executed and their results
- Document IOCs discovered and detection rules created
- Provide recommendations for security improvements
Step 5.2 - Knowledge Base Update
- Add findings to threat intelligence platform
- Update MITRE ATT&CK coverage heatmap
- Share detection rules via Sigma format
- Schedule follow-up hunts for related techniques
Scripts 2
agent.py5.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Mimikatz execution pattern detection agent.
Detects Mimikatz and related credential theft tools by analyzing process
creation logs, LSASS access patterns, and known command-line signatures.
"""
import argparse
import json
import re
import sys
from datetime import datetime
try:
import Evtx.Evtx as evtx
except ImportError:
evtx = None
MIMIKATZ_CMDLINE_PATTERNS = [
(r"sekurlsa::logonpasswords", "CRITICAL", "Credential dump via sekurlsa"),
(r"sekurlsa::wdigest", "CRITICAL", "WDigest credential extraction"),
(r"sekurlsa::kerberos", "CRITICAL", "Kerberos ticket extraction"),
(r"lsadump::dcsync", "CRITICAL", "DCSync attack"),
(r"lsadump::sam", "CRITICAL", "SAM database dump"),
(r"lsadump::lsa\s*/patch", "CRITICAL", "LSA secrets dump"),
(r"kerberos::golden", "CRITICAL", "Golden Ticket creation"),
(r"kerberos::ptt", "HIGH", "Pass-the-Ticket"),
(r"privilege::debug", "HIGH", "Debug privilege escalation"),
(r"token::elevate", "HIGH", "Token elevation"),
(r"crypto::capi", "MEDIUM", "Certificate export"),
(r"dpapi::chrome", "HIGH", "Chrome credential extraction"),
(r"vault::cred", "HIGH", "Credential Vault access"),
(r"misc::skeleton", "CRITICAL", "Skeleton Key injection"),
]
MIMIKATZ_BINARY_INDICATORS = [
(r"mimikatz\.exe", "CRITICAL"),
(r"mimi(32|64)\.exe", "CRITICAL"),
(r"mimikittenz", "CRITICAL"),
(r"sekurlsa\.dll", "CRITICAL"),
(r"mimilib\.dll", "CRITICAL"),
(r"mimidrv\.sys", "CRITICAL"),
(r"kiwi_passwords", "CRITICAL"),
]
LSASS_DUMP_PATTERNS = [
(r"rundll32.*comsvcs.*MiniDump", "CRITICAL", "LSASS minidump via comsvcs.dll"),
(r"procdump.*-ma.*lsass", "HIGH", "LSASS dump via ProcDump"),
(r"sqldumper.*lsass", "HIGH", "LSASS dump via SQLDumper"),
(r"createdump.*lsass", "HIGH", "LSASS dump via .NET createdump"),
(r"taskmgr.*lsass.*dump", "MEDIUM", "LSASS dump via Task Manager"),
(r"Out-Minidump.*lsass", "CRITICAL", "PowerShell LSASS minidump"),
]
def scan_evtx(filepath):
if evtx is None:
return {"error": "python-evtx not installed: pip install python-evtx"}
findings = []
with evtx.Evtx(filepath) as log:
for record in log.records():
xml = record.xml()
event_id_match = re.search(r'<EventID[^>]*>(\d+)</EventID>', xml)
if not event_id_match:
continue
event_id = int(event_id_match.group(1))
if event_id not in (1, 4688, 10):
continue
cmdline = re.search(r'<Data Name="CommandLine">([^<]+)', xml)
image = re.search(r'<Data Name="Image">([^<]+)', xml)
new_proc = re.search(r'<Data Name="NewProcessName">([^<]+)', xml)
time_match = re.search(r'SystemTime="([^"]+)"', xml)
user = re.search(r'<Data Name="User">([^<]+)', xml)
cmd = cmdline.group(1) if cmdline else ""
proc = image.group(1) if image else (new_proc.group(1) if new_proc else "")
for pattern, severity in MIMIKATZ_BINARY_INDICATORS:
if re.search(pattern, proc, re.IGNORECASE):
findings.append({
"event_id": event_id,
"timestamp": time_match.group(1) if time_match else "",
"type": "mimikatz_binary",
"process": proc,
"severity": severity,
"mitre": "T1003.001",
})
for pattern, severity, desc in MIMIKATZ_CMDLINE_PATTERNS:
if re.search(pattern, cmd, re.IGNORECASE):
findings.append({
"event_id": event_id,
"timestamp": time_match.group(1) if time_match else "",
"type": "mimikatz_command",
"command": cmd[:300],
"description": desc,
"severity": severity,
"mitre": "T1003",
})
for pattern, severity, desc in LSASS_DUMP_PATTERNS:
if re.search(pattern, cmd, re.IGNORECASE):
findings.append({
"event_id": event_id,
"timestamp": time_match.group(1) if time_match else "",
"type": "lsass_dump",
"command": cmd[:300],
"description": desc,
"severity": severity,
"mitre": "T1003.001",
})
return findings
def scan_text_log(filepath):
findings = []
with open(filepath, "r", encoding="utf-8", errors="replace") as f:
for num, line in enumerate(f, 1):
for pattern, severity, desc in MIMIKATZ_CMDLINE_PATTERNS + LSASS_DUMP_PATTERNS:
if re.search(pattern, line, re.IGNORECASE):
findings.append({
"line": num, "severity": severity,
"description": desc, "excerpt": line.strip()[:200],
})
return findings
def main():
parser = argparse.ArgumentParser(description="Mimikatz Execution Pattern Detector")
parser.add_argument("--evtx-file", help="Sysmon or Security EVTX file")
parser.add_argument("--text-log", help="Text log file to scan")
args = parser.parse_args()
results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []}
if args.evtx_file:
evtx_findings = scan_evtx(args.evtx_file)
if isinstance(evtx_findings, dict):
results.update(evtx_findings)
else:
results["findings"].extend(evtx_findings)
if args.text_log:
results["findings"].extend(scan_text_log(args.text_log))
results["total_findings"] = len(results["findings"])
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()
process.py3.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Mimikatz Detection - Analyzes logs for T1003.001 indicators."""
import json, csv, argparse, datetime, re
from collections import defaultdict
from pathlib import Path
DETECTION_PATTERNS = [
r'sekurlsa::',
r'lsadump::',
r'kerberos::list',
r'privilege::debug',
r'token::elevate',
r'dpapi::',
r'vault::cred',
r'crypto::cng',
r'Invoke-Mimikatz',
r'mimikatz',
r'gentilkiwi',
]
def parse_logs(path):
p = Path(path)
if p.suffix == ".json":
with open(p, encoding="utf-8") as f:
data = json.load(f)
return data if isinstance(data, list) else data.get("events", [])
elif p.suffix == ".csv":
with open(p, encoding="utf-8-sig") as f:
return [dict(r) for r in csv.DictReader(f)]
return []
def analyze_event(event):
cmd = event.get("CommandLine", event.get("command_line", event.get("ProcessCommandLine", "")))
content = event.get("Task_Content", event.get("Parameters", event.get("RawEventData", "")))
search_text = f"{cmd} {content}"
risk = 0
indicators = []
for pattern in DETECTION_PATTERNS:
if re.search(pattern, search_text, re.IGNORECASE):
risk += 25
indicators.append(f"Pattern match: {pattern}")
if not indicators:
return None
risk = min(risk, 100)
return {
"technique": "T1003.001",
"command_line": cmd[:500] if cmd else content[:500],
"hostname": event.get("Computer", event.get("DeviceName", event.get("hostname", "unknown"))),
"user": event.get("User", event.get("AccountName", event.get("UserId", "unknown"))),
"timestamp": event.get("_time", event.get("timestamp", event.get("UtcTime", event.get("Timestamp", "")))),
"risk_score": risk,
"risk_level": "CRITICAL" if risk >= 75 else "HIGH" if risk >= 50 else "MEDIUM" if risk >= 25 else "LOW",
"indicators": indicators,
}
def run_hunt(input_path, output_dir):
print(f"[*] Mimikatz Hunt - {datetime.datetime.now().isoformat()}")
events = parse_logs(input_path)
findings = [f for f in (analyze_event(e) for e in events) if f]
Path(output_dir).mkdir(parents=True, exist_ok=True)
slug = "detecting_mimikatz_e"
with open(Path(output_dir) / f"{slug}_findings.json", "w", encoding="utf-8") as f:
json.dump({"hunt_id": f"TH-{datetime.date.today()}", "total_events": len(events), "findings": findings}, f, indent=2)
with open(Path(output_dir) / "hunt_report.md", "w", encoding="utf-8") as f:
f.write(f"# Mimikatz Hunt Report\n\n")
f.write(f"**Date**: {datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")
f.write(f"**Findings**: {len(findings)}\n\n")
for finding in sorted(findings, key=lambda x: x["risk_score"], reverse=True)[:20]:
f.write(f"### [{finding['risk_level']}] {finding['technique']}\n")
f.write(f"- **Host**: {finding['hostname']}\n")
f.write(f"- **Indicators**: {', '.join(finding['indicators'])}\n\n")
print(f"[+] {len(findings)} findings written to {output_dir}")
def main():
p = argparse.ArgumentParser(description="Mimikatz Detection")
sp = p.add_subparsers(dest="cmd")
h = sp.add_parser("hunt"); h.add_argument("--input", "-i", required=True); h.add_argument("--output", "-o", default="./detecting_mimik_output")
sp.add_parser("queries")
args = p.parse_args()
if args.cmd == "hunt": run_hunt(args.input, args.output)
elif args.cmd == "queries":
print("=== Detection Queries ===")
print("See references/workflows.md for platform-specific queries")
else: p.print_help()
if __name__ == "__main__": main()
Assets 1
template.mdtext/markdown · 2.6 KBKeep exploring