Mimikatz Use

Sigma Rules

Summary
This detection rule identifies the use of Mimikatz, a well-known post-exploitation tool, by looking for keywords associated with its various functions in Windows Event Logs. Attackers use Mimikatz to extract plaintext passwords, password hashes, Kerberos tickets and more, which facilitates lateral movement inside a compromised network. Some of the keywords only appear in older Mimikatz versions, but those versions are still used by various threat actors, so the rule keeps them. Events with Event ID 15 are filtered out to reduce noise and false positives. The detection logic matches the keywords against the log data and then excludes the filtered events, so that only relevant records are flagged. As Mimikatz variants evolve, the keyword list in this rule must be updated periodically to remain effective. Matching these keywords across the different components of the event logs gives security teams critical insight into potential credential theft and unauthorized access attempts.
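The "keywords and not filter" logic the summary describes, written out as an added Python example (not the rule's own content or a Sigma backend): keywords are matched case-insensitively against every field of an event, and any record with Event ID 15 is excluded even if it contains a keyword. The keyword list and the sample events are constructed for illustration; the rule's actual keyword list is not reproduced on this page.

```python
"""Evaluate a Sigma-style 'keywords and not filter' condition over event records."""
from __future__ import annotations
from typing import Any, Iterable, Optional

# Illustrative keywords only (constructed; the rule's real list is not shown on this page).
KEYWORDS = ["mimikatz", "sekurlsa::logonpasswords", "lsadump::sam"]

# The filter selection: the page states that Event ID 15 records are excluded.
FILTER = {"EventID": 15}


def keyword_hit(event: dict[str, Any], keywords: Iterable[str]) -> Optional[str]:
    """Sigma keyword lists match case-insensitively against the whole event, so
    every field value is searched. Returns the first matching keyword, or None."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    for kw in keywords:
        if kw.lower() in haystack:
            return kw
    return None


def filter_matches(event: dict[str, Any], flt: dict[str, Any]) -> bool:
    """A selection matches when every listed field equals its value (exact type match,
    so an EventID stored as the string '15' would not match the integer 15)."""
    return all(event.get(field) == value for field, value in flt.items())


def evaluate(event: dict[str, Any]) -> bool:
    """Condition 'keywords and not filter': flag the event when a keyword appears
    and the record is not an Event ID 15 event."""
    return keyword_hit(event, KEYWORDS) is not None and not filter_matches(event, FILTER)


def alerts(events: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return only the events the rule would flag."""
    return [e for e in events if evaluate(e)]


# Constructed sample events (not real telemetry). The second one carries a keyword
# in a file name but is Event ID 15, so the filter suppresses it.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\Public\\tool.exe",
     "CommandLine": "tool.exe sekurlsa::logonpasswords"},
    {"EventID": 15, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Downloads\\mimikatz-notes.txt:Zone.Identifier"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.docx"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} keyword={keyword_hit(hit, KEYWORDS)!r}")
```

Only the first sample event is flagged: the Event ID 15 record is dropped by the filter despite containing a keyword, which is exactly the false-positive case the exclusion exists for.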
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Application Log
  • Logon Session
Created: 2017-01-10