Detect Mimikatz Via Powershell And Eventcode 4703

Description

This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated, looks like things changed from a logging perspective.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Credential Access

MITRE ATT&CK Techniques

OS Credential Dumping

LSASS Memory

MITRE Threat Groups

APT1
APT28
APT3
APT32
APT33
APT39
APT41
BRONZE BUTLER
Blue Mockingbird
Cleaver
FIN6
FIN8
Ke3chang
Lazarus Group
Leafminer
Leviathan
Magic Hound
MuddyWater
OilRig
PLATINUM
Sandworm Team
Silence
Soft Cell
Stolen Pencil
TEMP.Veles
Threat Group-3390
Whitefly

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

   Help

Detect Mimikatz Via Powershell And Eventcode 4703 Help

You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is "Administrators" to be able to look for the right group membership changes.

   Search

Open in Search