Potential Invoke-Mimikatz PowerShell Script
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Potential Invoke-Mimikatz PowerShell Script | Standard | Windows | Credential Access: OS Credential Dumping (T1003) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access via drive-by download → Token manipulation → Script-based credential dumping using Invoke-Mimikatz → Domain credential harvesting → Unauthorized domain access
Impact
- Credential harvesting on privileged domains
- Ransomware deployment
- Domain-wide compromise
Rule Requirement
Prerequisites
Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND (SCRIPTEXECUTED contains "DumpCreds" AND SCRIPTEXECUTED contains "DumpCerts") OR SCRIPTEXECUTED contains "sekurlsa::logonpasswords" OR (SCRIPTEXECUTED contains "crypto::certificates" AND SCRIPTEXECUTED contains "CERT_SYSTEM_STORE_LOCAL_MACHINE") select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Credential Access: OS Credential Dumping (T1003)
Security standard:
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of the execution of suspicious PowerShell commands commonly associated with Invoke-Mimikatz. This enables you to enable Credential Guard or LSASS protection (RunAsPPL) to block memory dumping.
Author
Tim Rauch, Elastic (idea)
Future actions
Known False Positives
Mimikatz can be useful for testing the security of networks.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell executions: Continuously monitor PowerShell activities, block command executions that clear command history and restrict script execution privileges to administrators only.
Mitigation
Mitigation IDs | Mitigation Name | Description |
Manage the access control list for "Replicating Directory Changes All" and other permissions related to domain controller replication. Consider adding users to the "Protected Users" Active Directory security group to help limit the caching of plaintext user credentials. | ||
For Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. | ||
On Windows 10, Microsoft introduced Credential Guard to protect LSA secrets that can be used for credential dumping. This feature is not configured by default and has specific hardware and firmware requirements. Note that it doesn't protect against all forms of credential dumping. | ||
Ensure that Domain Controller backups are properly secured and encrypted. | ||
Consider disabling or restricting NTLM and disabling WDigest authentication to reduce credential exposure. | ||
Enforce complex and unique passwords for local administrator accounts across all systems in your network. | ||
Windows: Avoid placing user or admin domain accounts into local administrator groups across systems unless tightly controlled, as this can be equivalent to having a local admin account with the same password everywhere. Follow best practices for designing and administering an enterprise network to limit privileged account use across administrative tiers. Linux: Scraping passwords from memory typically requires root privileges. Adhere to best practices for restricting access to privileged accounts to prevent malicious programs from accessing sensitive memory regions. | ||
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA to enhance security. | ||
Train users and administrators to avoid using the same password for multiple accounts to limit credential overlap across systems. |
