Detect Mimikatz With PowerShell Script Block Logging

Splunk Security Content

Summary
This analytic rule detects the execution of Mimikatz commands through PowerShell Script Block Logging. EventCode 4104 records the complete script block handed to PowerShell, so the rule can search its text for specific suspicious strings such as 'mimikatz', 'sekurlsa::pth', and others associated with credential dumping and lateral movement techniques commonly used by attackers. The detection targets the capabilities of Mimikatz, a widely used tool for obtaining credentials and gaining unauthorized access to sensitive information. The rule requires PowerShell Script Block Logging to be enabled on the relevant endpoints; without it no 4104 events exist to match, and monitoring and response to misuse of PowerShell in the environment are correspondingly limited.
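As an added example (not Splunk's own search or code), the following Python sketch applies the same logic the rule describes to constructed EventCode 4104 records: it parses the message layout Windows writes for a script block event, reassembles blocks that the logger split across several 4104 events sharing one ScriptBlock ID, and flags blocks containing the indicators the summary names. Hostnames, SIDs, ScriptBlock IDs and paths are placeholders, and the indicator list holds only the two strings quoted above; the real rule's longer list works the same way.

```python
"""Added illustration of the 4104-based Mimikatz detection; not Splunk's code."""
import re
from collections import defaultdict
from typing import Iterable, Optional

# Indicators quoted in the rule summary. The real rule matches further strings
# ("and others") that are deliberately not reproduced here.
MIMIKATZ_INDICATORS = ("mimikatz", "sekurlsa::pth")

# Layout of the 4104 event message: long blocks are logged as "n of m" parts
# that share one ScriptBlock ID. Surrounding whitespace of each part is trimmed.
_MSG_RE = re.compile(
    r"Creating Scriptblock text \((?P<part>\d+) of (?P<total>\d+)\):\s*"
    r"(?P<text>.*?)\s*ScriptBlock ID: (?P<block_id>[0-9a-fA-F-]+)\s*Path: (?P<path>.*)",
    re.DOTALL,
)
_INDICATOR_RE = re.compile(
    "|".join(re.escape(s) for s in MIMIKATZ_INDICATORS), re.IGNORECASE
)

# Constructed sample events (hosts, SIDs, IDs and paths are placeholders).
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "WS01.example.local", "UserID": "S-1-5-21-0-0-0-1001",
     "Message": ("Creating Scriptblock text (1 of 1):\n"
                 "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }\n\n"
                 "ScriptBlock ID: 11111111-1111-1111-1111-111111111111\n"
                 "Path: C:\\ops\\rotate.ps1")},
    # One block the logger split in two; the token 'mimikatz' straddles the split,
    # so a per-event match would only ever see the second half.
    {"EventCode": 4104, "Computer": "WS02.example.local", "UserID": "S-1-5-21-0-0-0-1002",
     "Message": ("Creating Scriptblock text (1 of 2):\n"
                 "Write-Host 'start'; mimi\n\n"
                 "ScriptBlock ID: 22222222-2222-2222-2222-222222222222\n"
                 "Path: ")},
    {"EventCode": 4104, "Computer": "WS02.example.local", "UserID": "S-1-5-21-0-0-0-1002",
     "Message": ("Creating Scriptblock text (2 of 2):\n"
                 "katz sekurlsa::pth\n\n"
                 "ScriptBlock ID: 22222222-2222-2222-2222-222222222222\n"
                 "Path: ")},
    # An administrator's own script that merely mentions the tool name also matches.
    {"EventCode": 4104, "Computer": "WS03.example.local", "UserID": "S-1-5-21-0-0-0-1003",
     "Message": ("Creating Scriptblock text (1 of 1):\n"
                 "# sweep for Mimikatz artifacts\nGet-Process | Select-Object Name\n\n"
                 "ScriptBlock ID: 33333333-3333-3333-3333-333333333333\n"
                 "Path: C:\\ops\\sweep.ps1")},
    # 4103 (pipeline execution) is not a script block event and is ignored.
    {"EventCode": 4103, "Computer": "WS01.example.local", "UserID": "S-1-5-21-0-0-0-1001",
     "Message": 'CommandInvocation(Get-Process): "Get-Process"'},
]


def parse_4104_message(message: str) -> Optional[dict]:
    """Split a 4104 message into part number, total parts, text, block ID and path."""
    m = _MSG_RE.search(message)
    if m is None:
        return None
    return {"part": int(m["part"]), "total": int(m["total"]), "text": m["text"],
            "block_id": m["block_id"], "path": m["path"].strip()}


def reassemble_script_blocks(events: Iterable[dict]) -> list:
    """Group 4104 fragments by ScriptBlock ID and join them in part order."""
    parts = defaultdict(dict)
    meta = {}
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        parsed = parse_4104_message(ev.get("Message", ""))
        if parsed is None:
            continue
        parts[parsed["block_id"]][parsed["part"]] = parsed["text"]
        meta[parsed["block_id"]] = {"Computer": ev.get("Computer"), "UserID": ev.get("UserID"),
                                    "path": parsed["path"], "total": parsed["total"]}
    blocks = []
    for block_id, frags in parts.items():
        info = meta[block_id]
        blocks.append({"block_id": block_id,
                       "complete": len(frags) == info["total"],
                       "text": "".join(frags[i] for i in sorted(frags)),
                       **info})
    return blocks


def detect_mimikatz_script_blocks(events: Iterable[dict]) -> list:
    """Return one finding per reassembled script block containing an indicator."""
    findings = []
    for blk in reassemble_script_blocks(events):
        hits = sorted({m.group(0).lower() for m in _INDICATOR_RE.finditer(blk["text"])})
        if hits:
            findings.append({**blk, "indicators": hits,
                             "attack_techniques": ["T1003", "T1059.001"]})
    return findings


if __name__ == "__main__":
    for f in detect_mimikatz_script_blocks(SAMPLE_EVENTS):
        print(f"{f['Computer']} {f['UserID']} block={f['block_id']} hits={f['indicators']}")
```

Run as-is it reports the split block on WS02 (both indicators, only visible after reassembly) and the sweep script on WS03; the log-rotation block and the 4103 event produce nothing. The third sample is the rule's main tuning concern: a substring match cannot tell a tool invocation from a script that names the tool, so triage on UserID, Path and the surrounding block text rather than on the keyword alone.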
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Windows Registry
  • Script
  • Image
  • Web Credential
  • Named Pipe
  • Certificate
  • WMI
  • Cloud Storage
  • Internet Scan
  • Persona
  • Group
  • Application Log
  • Logon Session
  • Instance
  • Sensor Health
  • File
  • Drive
  • Snapshot
  • Command
  • Kernel
  • Driver
  • Volume
  • Cloud Service
  • Malware Repository
  • Network Share
  • Network Traffic
  • Scheduled Job
  • Firmware
  • Active Directory
  • Service
  • Domain Name
  • Process
  • Firewall
  • Module
ATT&CK Techniques
  • T1003
  • T1059.001
Created: 2024-11-13