Detect Mimikatz Via PowerShell And EventCode 4663

Description

This search looks for PowerShell reading lsass memory consistent with credential dumping.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Credential Access

MITRE ATT&CK Techniques

OS Credential Dumping

MITRE Threat Groups

APT28
APT32
APT39
Axiom
Frankenstein
Leviathan
Poseidon Group
Sowbug
Suckfly

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

   Help

Detect Mimikatz Via PowerShell And EventCode 4663 Help

This search looks for Windows Event Code(signature_id) 4663 (object access), where the process performing the access is PowerShell.exe, the target process of the access is lsass.exe, and the access mask is given as 0x10. This is consistent with the use of PowerShell to execute Mimikatz using sekurlsa::logonpasswords. It will return the host where the activity occurred, the process and associated id, the enabled privilege, and the message in the event.