
HackTool - Mimikatz Execution

Format: Sigma · Level: HIGH · Source: SigmaHQ
ATT&CK: T1003.001, T1003.002, T1003.004, T1003.005, T1003.006
Sentinel table: imProcessCreate
Category: credential-theft
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-09T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects well-known Mimikatz command-line arguments in process-creation events: the tool's own name (mimikatz, DumpCreds), the module prefixes it uses (sekurlsa::, lsadump::, kerberos::, and so on), and a set of function names from modules that the prefix list does not cover. Any one of the three selections is enough to fire.

Detection Rule

Sigma (Original)

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_name:
        CommandLine|contains:
            - 'DumpCreds'
            - 'mimikatz'
    selection_function_names: # To cover functions from modules that are not in module_names
        CommandLine|contains:
            - '::aadcookie' # misc module
            - '::detours' # misc module
            - '::memssp' # misc module
            - '::mflt' # misc module
            - '::ncroutemon' # misc module
            - '::ngcsign' # misc module
            - '::printnightmare' # misc module
            - '::skeleton' # misc module
            - '::preshutdown'  # service module
            - '::mstsc'  # ts module
            - '::multirdp'  # ts module
    selection_module_names:
        CommandLine|contains:
            - 'rpc::'
            - 'token::'
            - 'crypto::'
            - 'dpapi::'
            - 'sekurlsa::'
            - 'kerberos::'
            - 'lsadump::'
            - 'privilege::'
            - 'process::'
            - 'vault::'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "DumpCreds"
        or TargetProcessCommandLine contains "mimikatz")
    or (TargetProcessCommandLine contains "::aadcookie"
        or TargetProcessCommandLine contains "::detours"
        or TargetProcessCommandLine contains "::memssp"
        or TargetProcessCommandLine contains "::mflt"
        or TargetProcessCommandLine contains "::ncroutemon"
        or TargetProcessCommandLine contains "::ngcsign"
        or TargetProcessCommandLine contains "::printnightmare"
        or TargetProcessCommandLine contains "::skeleton"
        or TargetProcessCommandLine contains "::preshutdown"
        or TargetProcessCommandLine contains "::mstsc"
        or TargetProcessCommandLine contains "::multirdp")
    or (TargetProcessCommandLine contains "rpc::"
        or TargetProcessCommandLine contains "token::"
        or TargetProcessCommandLine contains "crypto::"
        or TargetProcessCommandLine contains "dpapi::"
        or TargetProcessCommandLine contains "sekurlsa::"
        or TargetProcessCommandLine contains "kerberos::"
        or TargetProcessCommandLine contains "lsadump::"
        or TargetProcessCommandLine contains "privilege::"
        or TargetProcessCommandLine contains "process::"
        or TargetProcessCommandLine contains "vault::")
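To see exactly what the rule's three selections do and do not catch, the following is an added example that re-implements the rule logic in Python and runs it over a few constructed process-creation events. It is not code from SigmaHQ or from the original rule; the sample events, field names and the evaluate/matched_selections helpers are assumptions made for illustration. Both Sigma string matching and KQL contains are case-insensitive, so the comparison lowercases everything.

```python
"""Stand-alone re-implementation of the SigmaHQ Mimikatz rule's selections,
run over constructed sample process-creation events (not real telemetry)."""

# Keyword lists copied from the rule. Sigma 'contains' and KQL 'contains'
# are both case-insensitive substring matches, hence the lowercasing below.
TOOL_NAMES = ["dumpcreds", "mimikatz"]
FUNCTION_NAMES = [
    "::aadcookie", "::detours", "::memssp", "::mflt", "::ncroutemon",
    "::ngcsign", "::printnightmare", "::skeleton", "::preshutdown",
    "::mstsc", "::multirdp",
]
MODULE_NAMES = [
    "rpc::", "token::", "crypto::", "dpapi::", "sekurlsa::", "kerberos::",
    "lsadump::", "privilege::", "process::", "vault::",
]

SELECTIONS = {
    "selection_tools_name": TOOL_NAMES,
    "selection_function_names": FUNCTION_NAMES,
    "selection_module_names": MODULE_NAMES,
}


def matched_selections(command_line: str) -> list[str]:
    """Return the names of the rule's selections that match this command line.
    The rule's condition is '1 of selection_*', so any non-empty result is a hit."""
    cl = command_line.lower()
    return [
        name for name, keywords in SELECTIONS.items()
        if any(k in cl for k in keywords)
    ]


def evaluate(events: list[dict]) -> list[dict]:
    """Apply the rule to process_creation events and return the alerting ones,
    each annotated with the selections that fired."""
    hits = []
    for ev in events:
        sels = matched_selections(ev.get("CommandLine", ""))
        if sels:
            hits.append({**ev, "matched": sels})
    return hits


# Constructed sample events; field names follow the Sigma process_creation model.
SAMPLE_EVENTS = [
    # Textbook invocation: tool name and module names both present.
    {"Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # Renamed binary: no 'mimikatz' anywhere, but module names still on the command line.
    {"Image": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": r'svchost.exe "LSADUMP::DCSync /user:krbtgt"'},
    # Renamed binary started interactively, commands typed at its own prompt:
    # nothing for a command-line rule to match. This is the rule's blind spot.
    {"Image": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": r"svchost.exe"},
    # Benign admin activity, should not fire.
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user backup /domain"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["matched"])
```

The third sample event is the point worth remembering when tuning: the rule keys on arguments, so a renamed Mimikatz binary launched with no arguments and driven from its interactive prompt produces a process-creation event that matches nothing here. Pair this rule with detections that do not depend on the command line (LSASS access events, in-memory indicators, or unsigned binaries in writable paths) rather than treating a silent rule as evidence of absence.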

Required Data Sources

Sentinel Table    Notes
imProcessCreate   Ensure this data connector is enabled. The rule matches on the command line, so the underlying source must actually record it: Sysmon Event ID 1 does by default, while Security Event ID 4688 only includes the command line when the "Include command line in process creation events" audit policy is turned on.

False Positive Guidance

The rule authors rate false positives as unlikely. Substring matching on "mimikatz" will still fire on defenders' own activity, such as red-team or purple-team exercises, EDR and antivirus test runs, and scripts or file paths that merely reference the tool by name. Before escalating, check the parent process, the launching account, and whether the image is a known-good binary; a module string such as sekurlsa:: or lsadump:: on the command line of an unrecognised executable should be treated as a true positive until proven otherwise.

MITRE ATT&CK Context

Tactic: Credential Access. All tagged techniques are sub-techniques of T1003 OS Credential Dumping, and each maps to a Mimikatz module the rule looks for:

- T1003.001 LSASS Memory: sekurlsa:: (for example sekurlsa::logonpasswords)
- T1003.002 Security Account Manager: lsadump::sam
- T1003.004 LSA Secrets: lsadump::secrets
- T1003.005 Cached Domain Credentials: lsadump::cache
- T1003.006 DCSync: lsadump::dcsync

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml