SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mimikatz (Back to overview)

MimiKatz

Actor(s): APT32, Anunak, GALLIUM


There is no description at this point.

References
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-10ZDNetCatalin Cimpanu
@online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } FBI says an Iranian hacking group is attacking F5 networking devices
MimiKatz
2020-06-24Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31
2020-06-18Bundesamt für VerfassungsschutzBundesamt für Verfassungsschutz
@techreport{verfassungsschutz:20200618:bfv:52dfe79, author = {Bundesamt für Verfassungsschutz}, title = {{BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne}}, date = {2020-06-18}, institution = {Bundesamt für Verfassungsschutz}, url = {https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf}, language = {German}, urldate = {2020-06-18} } BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne
Ketrican MimiKatz
2020-05-28Kaspersky LabsVyacheslav Kopeytsev
@techreport{kopeytsev:20200528:steganography:8f5230a, author = {Vyacheslav Kopeytsev}, title = {{Steganography in targeted attacks on industrial enterprises}}, date = {2020-05-28}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf}, language = {English}, urldate = {2020-05-29} } Steganography in targeted attacks on industrial enterprises
MimiKatz
2020-05-21BitdefenderLiviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-07REDTEAM.PLAdam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18Cisco TalosVanja Svajcer
@online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz
2020-02-02uf0 BlogMatteo Malvica
@online{malvica:20200202:uncovering:ec2d3da, author = {Matteo Malvica}, title = {{Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD}}, date = {2020-02-02}, organization = {uf0 Blog}, url = {https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/}, language = {English}, urldate = {2020-02-03} } Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD
MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2020SecureworksSecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2020SecureworksSecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020SecureworksSecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2019-06-25CybereasonCybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2019-12-17} } OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
MimiKatz Poison Ivy Operation Soft Cell
2019-05-10XPN BlogAdam Chester
@online{chester:20190510:exploring:758b4e8, author = {Adam Chester}, title = {{Exploring Mimikatz - Part 1 - WDigest}}, date = {2019-05-10}, organization = {XPN Blog}, url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/}, language = {English}, urldate = {2020-09-01} } Exploring Mimikatz - Part 1 - WDigest
MimiKatz
2019-04-04CrowdStrikeHarlan Carvey
@online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
MimiKatz
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-01-04Github (gentilkiwi)Benjamin Delpy
@online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } mimikatz Repository
MimiKatz
2018-07-25SymantecCritical Attack Discovery and Intelligence Team, Network Protection Security Labs
@online{team:20180725:leafminer:0591f9b, author = {Critical Attack Discovery and Intelligence Team and Network Protection Security Labs}, title = {{Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions}}, date = {2018-07-25}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east}, language = {English}, urldate = {2020-04-21} } Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Imecab MimiKatz Sorgu RASPITE
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2017-11-09WiredAndy Greenberg
@online{greenberg:20171109:he:5442358, author = {Andy Greenberg}, title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}}, date = {2017-11-09}, organization = {Wired}, url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/}, language = {English}, urldate = {2020-01-08} } He Perfected a Password-Hacking Tool—Then the Russians Came Calling
MimiKatz
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff Anunak
2011-04-28Gentil Kiwi
@online{kiwi:20110428:un:4c39d1d, author = {Gentil Kiwi}, title = {{Un observateur d’événements aveugle…}}, date = {2011-04-28}, url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle}, language = {English}, urldate = {2020-01-07} } Un observateur d’événements aveugle…
MimiKatz
Yara Rules
[TLP:WHITE] win_mimikatz_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_mimikatz_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f8ff 750e ff15???????? c7002a000000 }
            // n = 4, score = 300
            //   83f8ff               | cmp                 eax, -1
            //   750e                 | jne                 0x10
            //   ff15????????         |                     
            //   c7002a000000         | mov                 dword ptr [eax], 0x2a

        $sequence_1 = { f7f1 85d2 7406 2bca }
            // n = 4, score = 300
            //   f7f1                 | div                 ecx
            //   85d2                 | test                edx, edx
            //   7406                 | je                  8
            //   2bca                 | sub                 ecx, edx

        $sequence_2 = { 8905???????? ff15???????? b9e9fd0000 8905???????? ff15???????? }
            // n = 5, score = 200
            //   8905????????         |                     
            //   ff15????????         |                     
            //   b9e9fd0000           | mov                 ecx, 0xfde9
            //   8905????????         |                     
            //   ff15????????         |                     

        $sequence_3 = { eb5f b800ff0000 6685f8 0f859b000000 }
            // n = 4, score = 200
            //   eb5f                 | jmp                 0x61
            //   b800ff0000           | mov                 eax, 0xff00
            //   6685f8               | test                ax, di
            //   0f859b000000         | jne                 0xa1

        $sequence_4 = { 33c9 c70016000000 e8???????? 83c8ff eb20 }
            // n = 5, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           |                     
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb20                 | jmp                 0x22

        $sequence_5 = { 83f812 72f1 33c0 c3 }
            // n = 4, score = 200
            //   83f812               | cmp                 eax, 0x12
            //   72f1                 | jb                  0xfffffff3
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 

        $sequence_6 = { 334c2430 0fa3d1 0f83e6000000 33d2 }
            // n = 4, score = 200
            //   334c2430             | xor                 ecx, dword ptr [esp + 0x30]
            //   0fa3d1               | bt                  ecx, edx
            //   0f83e6000000         | jae                 0xec
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 84c0 7423 834210fc 8b17 89531c }
            // n = 5, score = 200
            //   84c0                 | test                al, al
            //   7423                 | je                  0x25
            //   834210fc             | add                 dword ptr [edx + 0x10], -4
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   89531c               | mov                 dword ptr [ebx + 0x1c], edx

        $sequence_8 = { c3 81f998000000 7410 81f996000000 7408 }
            // n = 5, score = 200
            //   c3                   | ret                 
            //   81f998000000         | cmp                 ecx, 0x98
            //   7410                 | je                  0x12
            //   81f996000000         | cmp                 ecx, 0x96
            //   7408                 | je                  0xa

        $sequence_9 = { 2bc1 85c9 7403 83c008 d1e8 8d441002 }
            // n = 6, score = 200
            //   2bc1                 | sub                 eax, ecx
            //   85c9                 | test                ecx, ecx
            //   7403                 | je                  5
            //   83c008               | add                 eax, 8
            //   d1e8                 | shr                 eax, 1
            //   8d441002             | lea                 eax, [eax + edx + 2]

        $sequence_10 = { 803964 7503 c60133 803833 }
            // n = 4, score = 200
            //   803964               | cmp                 byte ptr [ecx], 0x64
            //   7503                 | jne                 5
            //   c60133               | mov                 byte ptr [ecx], 0x33
            //   803833               | cmp                 byte ptr [eax], 0x33

        $sequence_11 = { e8???????? 84c0 7407 bb00000009 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   bb00000009           | mov                 ebx, 0x9000000

        $sequence_12 = { 6683f83f 7607 32c0 e9???????? }
            // n = 4, score = 200
            //   6683f83f             | cmp                 ax, 0x3f
            //   7607                 | jbe                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        $sequence_13 = { 66ffc6 663b7302 72e0 eb0c }
            // n = 4, score = 200
            //   66ffc6               | inc                 si
            //   663b7302             | cmp                 si, word ptr [ebx + 2]
            //   72e0                 | jb                  0xffffffe2
            //   eb0c                 | jmp                 0xe

        $sequence_14 = { 50 68???????? c745fc00000000 ff15???????? 50 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   68????????           |                     
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_15 = { 5f c705????????00000000 c705????????00000000 5b c3 55 }
            // n = 6, score = 100
            //   5f                   | pop                 edi
            //   c705????????00000000     |     
            //   c705????????00000000     |     
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_16 = { 8890b0e74600 8899b0e74600 0fb690b0e74600 0fb6db 03d3 81e2ff000080 }
            // n = 6, score = 100
            //   8890b0e74600         | mov                 byte ptr [eax + 0x46e7b0], dl
            //   8899b0e74600         | mov                 byte ptr [ecx + 0x46e7b0], bl
            //   0fb690b0e74600       | movzx               edx, byte ptr [eax + 0x46e7b0]
            //   0fb6db               | movzx               ebx, bl
            //   03d3                 | add                 edx, ebx
            //   81e2ff000080         | and                 edx, 0x800000ff

        $sequence_17 = { eb12 8b45e0 8a80a4d54600 08443b1d 0fb64601 47 }
            // n = 6, score = 100
            //   eb12                 | jmp                 0x14
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8a80a4d54600         | mov                 al, byte ptr [eax + 0x46d5a4]
            //   08443b1d             | or                  byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx               eax, byte ptr [esi + 1]
            //   47                   | inc                 edi

        $sequence_18 = { 85db 7e21 53 8d4d08 8d0437 51 50 }
            // n = 7, score = 100
            //   85db                 | test                ebx, ebx
            //   7e21                 | jle                 0x23
            //   53                   | push                ebx
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   8d0437               | lea                 eax, [edi + esi]
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_19 = { 8bf8 83e70f 0fb6bf04b94600 0fb6da 03cf }
            // n = 5, score = 100
            //   8bf8                 | mov                 edi, eax
            //   83e70f               | and                 edi, 0xf
            //   0fb6bf04b94600       | movzx               edi, byte ptr [edi + 0x46b904]
            //   0fb6da               | movzx               ebx, dl
            //   03cf                 | add                 ecx, edi

        $sequence_20 = { 85f6 7415 837e1400 750f 8b462c }
            // n = 5, score = 100
            //   85f6                 | test                esi, esi
            //   7415                 | je                  0x17
            //   837e1400             | cmp                 dword ptr [esi + 0x14], 0
            //   750f                 | jne                 0x11
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]

        $sequence_21 = { 8b462c 85c0 7408 837e1800 7402 ffd0 e8???????? }
            // n = 7, score = 100
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   837e1800             | cmp                 dword ptr [esi + 0x18], 0
            //   7402                 | je                  4
            //   ffd0                 | call                eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1642496
}
[TLP:WHITE] win_mimikatz_w0   (20171230 | mimikatz)
/*	Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
rule win_mimikatz_w0 {
	meta:
		description		= "mimikatz"
		author			= "Benjamin DELPY (gentilkiwi)"
		tool_author		= "Benjamin DELPY (gentilkiwi)"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz"
        malpedia_version = "20171230"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
		$exe_x86_2		= { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
		
		$exe_x64_1		= { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
		$exe_x64_2		= { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

		$dll_1			= { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
		$dll_2			= { c7 0? 10 02 00 00 ?? 89 4? }
		
		$sys_x86		= { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
		$sys_x64		= { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

	condition:
		(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}
Download all Yara Rules