MimiKatz (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.mimikatz (Back to overview)

MimiKatz

Actor(s): APT32, Anunak, GALLIUM

Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.

Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.

References

2023-04-12 ⋅ Kaspersky Labs ⋅ Seongsu Park
Lazarus DeathNote campaign
Bankshot BLINDINGCAN MimiKatz Racket Downloader Volgmer

2023-04-03 ⋅ Mandiant ⋅ JASON DEYALSINGH, NICK SMITH, Eduardo Mattos, Tyler McLellan, Nick Richard
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
LaZagne BlackCat MimiKatz

2023-03-16 ⋅ Palo Alto Networks Unit 42 ⋅ Frank Lee, Scott Roland
Bee-Ware of Trigona, An Emerging Ransomware Strain
Cryakl MimiKatz Trigona

2023-01-23 ⋅ Kroll ⋅ Stephen Green, Elio Biasiotto
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC

2022-10-18 ⋅ Intrinsec ⋅ Intrinsec, CERT Intrinsec
APT27 – One Year To Exfiltrate Them All: Intrusion In-Depth Analysis
HyperBro MimiKatz

2022-10-11 ⋅ AhnLab ⋅ ASEC Analysis Team
From Exchange Server vulnerability to ransomware infection in just 7 days
LockBit MimiKatz

2022-09-29 ⋅ Symantec ⋅ Threat Hunter Team
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4

2022-09-13 ⋅ Symantec ⋅ Threat Hunter Team
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT

2022-09-08 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Vitor Ventura
Lazarus and the tale of three RATs
MagicRAT MimiKatz VSingle YamaBot

2022-09-07 ⋅ Blackberry ⋅ Anuj Soni, Ryan Chapman
The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
Conti MimiKatz Veeam Dumper

2022-09-06 ⋅ ESET Research ⋅ Thibaut Passilly
Worok: The big picture
MimiKatz PNGLoad reGeorg ShadowPad

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-25 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Research Team, Microsoft 365 Defender Threat Intelligence Team
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
MimiKatz

2022-08-18 ⋅ Sophos ⋅ Sean Gallagher
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT

2022-08-15 ⋅ SentinelOne ⋅ Vikram Navali
Detecting a Rogue Domain Controller – DCShadow Attack
MimiKatz TrickBot

2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz

2022-07-26 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team
Malicious IIS extensions quietly open persistent backdoors into servers
CHINACHOPPER MimiKatz

2022-07-26 ⋅ Mandiant ⋅ Thibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton

2022-07-18 ⋅ Censys ⋅ Censys
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus

2022-06-30 ⋅ Kaspersky ⋅ Pierre Delcher
The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
MimiKatz Owlproxy SessionManager

2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-06-20 ⋅ Infinitum IT ⋅ infinitum IT
Charming Kitten (APT35)
LaZagne DownPaper MimiKatz pupy

2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-06-01 ⋅ CISA ⋅ CISA, FBI, Department of the Treasury (Treasury), FINCEN
Alert (AA22-152A): Karakurt Data Extortion Group
MimiKatz

2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC

2022-06-01 ⋅ CISA ⋅ FBI, CISA, Department of the Treasury (Treasury), FINCEN
Joint Cybersecurity Advisory (Product ID AA22-152A): Karakurt Data Extortion Group
MimiKatz

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-04-27 ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz

2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz

2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz

2022-04-05 ⋅ Symantec ⋅ Threat Hunter Team
Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity
MimiKatz SodaMaster

2022-03-25 ⋅ Dragos ⋅ Conor McLaren, Dragos
How Dragos Activity Groups Obtain Initial Access into Industrial Environments
MimiKatz

2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot

2022-03 ⋅ VirusTotal ⋅ VirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT

2022-02-03 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
MimiKatz xPack Antlion

2021-12-14 ⋅ Symantec ⋅ Threat Hunter Team
Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
MimiKatz

2021-12-06 ⋅ PARAFLARE ⋅ Melanie Ninovic
Attack Lifecycle Detection of an Operational Technology Breach
MimiKatz

2021-12-06 ⋅ Notice of Pleadings ⋅ Microsoft
Complaint filed by Microsoft against NICKEL/APT15
MimiKatz

2021-12-06 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
NICKEL targeting government organizations across Latin America and Europe
MimiKatz

2021-11-18 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
Iranian targeting of IT sector on the rise
MimiKatz ShellClient RAT

2021-11-05 ⋅ Twitter (@inversecos) ⋅ inversecos
TTPs used by Pysa Ransonmware group
Mespinoza MimiKatz

2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz

2021-10-25 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack
MimiKatz

2021-10-15 ⋅ Volatility Labs ⋅ Volatility Labs
Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack
MimiKatz

2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil

2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz

2021-09-14 ⋅ McAfee ⋅ Christiaan Beek
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti

2021-09-09 ⋅ Symantec ⋅ Threat Hunter Team
Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
CROSSWALK MimiKatz SideWalk

2021-08-30 ⋅ Qianxin ⋅ Red Raindrop Team
Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz

2021-08-23 ⋅ FBI ⋅ FBI
Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-10 ⋅ FireEye ⋅ Israel Research Team, U.S. Threat Intel Team
UNC215: Spotlight on a Chinese Espionage Campaign in Israel
HyperBro HyperSSL MimiKatz

2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae

2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor

2021-06-29 ⋅ Accenture ⋅ Accenture Security
HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz

2021-05-18 ⋅ Sophos ⋅ John Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
The Active Adversary Playbook 2021
Cobalt Strike MimiKatz

2021-05-13 ⋅ AWAKE ⋅ Kieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili, Earle Earnshaw
Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz

2021-03-11 ⋅ DEVO ⋅ Fran Gomez
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz

2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda

2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team
How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-01-29 ⋅ Trend Micro ⋅ Trend Micro
Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz

2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT
Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz

2021-01-18 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz
BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31
MimiKatz

2021-01-15 ⋅ Swisscom ⋅ Markus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6

2021 ⋅ SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD BURLAP
Empire Downloader Mespinoza MimiKatz GOLD BURLAP

2020-12-21 ⋅ SlideShare (yurikamuraki5) ⋅ Yurika Kakiuchi
Active Directory 侵害と推奨対策
MimiKatz

2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG
Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group

2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG
Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz

2020-12-04 ⋅ Theta ⋅ Hamish Krebs
Snakes & Ladders: the offensive use of Python on Windows
MimiKatz

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-30 ⋅ Yoroi ⋅ Luigi Martire, Antonio Pirozzi, Luca Mella
Shadows From The Past Threaten Italian Enterprises
Rekoobe LaZagne Responder MimiKatz win.rekoobe

2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz

2020-10-23 ⋅ F-Secure Labs ⋅ Guillaume Couchard, Qimin Wang, Thiam Loong Siew
Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two
MimiKatz

2020-10-20 ⋅ F-Secure ⋅ F-Secure Consulting
Incident Readiness: Preparing a proactive response to attacks
MimiKatz

2020-10-01 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy

2020-09-17 ⋅ FBI ⋅ FBI
FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks
MimiKatz Nanocore RAT

2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report
NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz

2020-08-10 ⋅ ZDNet ⋅ Catalin Cimpanu
FBI says an Iranian hacking group is attacking F5 networking devices
MimiKatz

2020-08-06 ⋅ Wired ⋅ Andy Greenberg
Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Red Charon

2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang
Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Red Charon

2020-06-24 ⋅ Counter Threat Unit ResearchTeam
BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31

2020-06-18 ⋅ Bundesamt für Verfassungsschutz ⋅ Bundesamt für Verfassungsschutz
BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne
Ketrican MimiKatz

2020-05-28 ⋅ Kaspersky Labs ⋅ Vyacheslav Kopeytsev
Steganography in targeted attacks on industrial enterprises
MimiKatz

2020-05-27 ⋅ FBI ⋅ FBI
Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity
MimiKatz

2020-05-21 ⋅ Bitdefender ⋅ Liviu Arsene, Bogdan Rusu
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi

2020-05-21 ⋅ ESET Research ⋅ Mathieu Tartare, Martin Smolár
No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz PipeMon

2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda

2020-05-14 ⋅ Lab52 ⋅ Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja
Sodinokibi / REvil ransomware
Maze MimiKatz REvil

2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp
Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Red Charon

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT

2020-02-19 ⋅ Lexfo ⋅ Lexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz

2020-02-02 ⋅ uf0 Blog ⋅ Matteo Malvica
Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD
MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31

2020 ⋅ Secureworks ⋅ SecureWorks
COBALT HICKMAN
MimiKatz Remexi APT39

2020 ⋅ Secureworks ⋅ SecureWorks
TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt

2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41

2019-06-25 ⋅ Cybereason ⋅ Cybereason Nocturnus
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell

2019-05-10 ⋅ XPN Blog ⋅ Adam Chester
Exploring Mimikatz - Part 1 - WDigest
MimiKatz

2019-04-04 ⋅ CrowdStrike ⋅ Harlan Carvey
Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
MimiKatz

2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33

2019-01-04 ⋅ Github (gentilkiwi) ⋅ Benjamin Delpy
mimikatz Repository
MimiKatz

2018-07-25 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team, Network Protection Security Labs
Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Imecab MimiKatz Sorgu RASPITE

2018-02-28 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi

2018-02-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
SamSam Ransomware Campaigns
MimiKatz reGeorg SamSam BOSS SPIDER

2017-12-04 ⋅ RSA ⋅ Jack Wesley Riley
The Shadows of Ghosts Inside the response of a unique Carbanak intrusion
GOTROJ MimiKatz

2017-11-09 ⋅ Wired ⋅ Andy Greenberg
He Perfected a Password-Hacking Tool—Then the Russians Came Calling
MimiKatz

2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
PittyTiger
Enfal Ghost RAT MimiKatz Poison Ivy APT24

2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK
Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm

2017-02-27 ⋅ Symantec ⋅ A L Johnson
Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten

2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff

2016-03-30 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Ransomware Deployed by Adversary with Established Foothold
MimiKatz reGeorg SamSam BOSS SPIDER

2011-04-28 ⋅ Gentil Kiwi
Un observateur d’événements aveugle…
MimiKatz

Yara Rules

[TLP:WHITE] win_mimikatz_auto (20230407 | Detects win.mimikatz.)

rule win_mimikatz_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.mimikatz."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7f1 85d2 7406 2bca }
            // n = 4, score = 300
            //   f7f1                 | div                 ecx
            //   85d2                 | test                edx, edx
            //   7406                 | je                  8
            //   2bca                 | sub                 ecx, edx

        $sequence_1 = { 83f8ff 750e ff15???????? c7002a000000 }
            // n = 4, score = 300
            //   83f8ff               | cmp                 eax, -1
            //   750e                 | jne                 0x10
            //   ff15????????         |                     
            //   c7002a000000         | mov                 dword ptr [eax], 0x2a

        $sequence_2 = { ff5028 8be8 85c0 787a }
            // n = 4, score = 200
            //   ff5028               | call                dword ptr [eax + 0x28]
            //   8be8                 | mov                 ebp, eax
            //   85c0                 | test                eax, eax
            //   787a                 | js                  0x7c

        $sequence_3 = { e8???????? 894720 85c0 7413 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   894720               | mov                 dword ptr [edi + 0x20], eax
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15

        $sequence_4 = { c3 81f998000000 7410 81f996000000 7408 81f99b000000 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   81f998000000         | cmp                 ecx, 0x98
            //   7410                 | je                  0x12
            //   81f996000000         | cmp                 ecx, 0x96
            //   7408                 | je                  0xa
            //   81f99b000000         | cmp                 ecx, 0x9b

        $sequence_5 = { f30f6f4928 f30f7f8c24a0000000 f30f6f4138 f30f7f8424b8000000 }
            // n = 4, score = 200
            //   f30f6f4928           | movdqu              xmm1, xmmword ptr [ecx + 0x28]
            //   f30f7f8c24a0000000     | movdqu    xmmword ptr [esp + 0xa0], xmm1
            //   f30f6f4138           | movdqu              xmm0, xmmword ptr [ecx + 0x38]
            //   f30f7f8424b8000000     | movdqu    xmmword ptr [esp + 0xb8], xmm0

        $sequence_6 = { 83f812 72f1 33c0 c3 }
            // n = 4, score = 200
            //   83f812               | cmp                 eax, 0x12
            //   72f1                 | jb                  0xfffffff3
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 

        $sequence_7 = { 6683f83f 7607 32c0 e9???????? }
            // n = 4, score = 200
            //   6683f83f             | cmp                 ax, 0x3f
            //   7607                 | jbe                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        $sequence_8 = { 3c02 7207 e8???????? eb10 }
            // n = 4, score = 200
            //   3c02                 | cmp                 al, 2
            //   7207                 | jb                  9
            //   e8????????           |                     
            //   eb10                 | jmp                 0x12

        $sequence_9 = { eb0c bfdfff0000 6623fe 6683ef07 8b742474 }
            // n = 5, score = 200
            //   eb0c                 | jmp                 0xe
            //   bfdfff0000           | mov                 edi, 0xffdf
            //   6623fe               | and                 di, si
            //   6683ef07             | sub                 di, 7
            //   8b742474             | mov                 esi, dword ptr [esp + 0x74]

        $sequence_10 = { 2bc1 85c9 7403 83c008 d1e8 }
            // n = 5, score = 200
            //   2bc1                 | sub                 eax, ecx
            //   85c9                 | test                ecx, ecx
            //   7403                 | je                  5
            //   83c008               | add                 eax, 8
            //   d1e8                 | shr                 eax, 1

        $sequence_11 = { 66894108 33c0 39410c 740b }
            // n = 4, score = 200
            //   66894108             | mov                 word ptr [ecx + 8], ax
            //   33c0                 | xor                 eax, eax
            //   39410c               | cmp                 dword ptr [ecx + 0xc], eax
            //   740b                 | je                  0xd

        $sequence_12 = { ff15???????? b940000000 8bd0 89442430 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b940000000           | mov                 ecx, 0x40
            //   8bd0                 | mov                 edx, eax
            //   89442430             | mov                 dword ptr [esp + 0x30], eax

        $sequence_13 = { ff15???????? b9e9fd0000 8905???????? ff15???????? }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b9e9fd0000           | mov                 ecx, 0xfde9
            //   8905????????         |                     
            //   ff15????????         |                     

        $sequence_14 = { c705????????cf2f4000 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 }
            // n = 7, score = 100
            //   c705????????cf2f4000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   0f84c1000000         | je                  0xc7

        $sequence_15 = { 83e001 51 894614 c7461ce0164000 }
            // n = 4, score = 100
            //   83e001               | and                 eax, 1
            //   51                   | push                ecx
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   c7461ce0164000       | mov                 dword ptr [esi + 0x1c], 0x4016e0

        $sequence_16 = { 0f854fffffff 85db 0f84b9000000 83fb04 }
            // n = 4, score = 100
            //   0f854fffffff         | jne                 0xffffff55
            //   85db                 | test                ebx, ebx
            //   0f84b9000000         | je                  0xbf
            //   83fb04               | cmp                 ebx, 4

        $sequence_17 = { c1f805 c1e606 033485c0e84600 8b45f8 8b00 }
            // n = 5, score = 100
            //   c1f805               | sar                 eax, 5
            //   c1e606               | shl                 esi, 6
            //   033485c0e84600       | add                 esi, dword ptr [eax*4 + 0x46e8c0]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_18 = { 99 83ec0c 53 83e203 }
            // n = 4, score = 100
            //   99                   | cdq                 
            //   83ec0c               | sub                 esp, 0xc
            //   53                   | push                ebx
            //   83e203               | and                 edx, 3

        $sequence_19 = { 8a10 88541df8 43 40 8945f4 }
            // n = 5, score = 100
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   88541df8             | mov                 byte ptr [ebp + ebx - 8], dl
            //   43                   | inc                 ebx
            //   40                   | inc                 eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_20 = { e8???????? 83c404 85c0 7510 8a45ff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]

        $sequence_21 = { e8???????? 83c404 8bf8 395d08 0f845f010000 c745f4c0884000 8b45f4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bf8                 | mov                 edi, eax
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   0f845f010000         | je                  0x165
            //   c745f4c0884000       | mov                 dword ptr [ebp - 0xc], 0x4088c0
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

    condition:
        7 of them and filesize < 1642496
}

[TLP:WHITE] win_mimikatz_w0 (20171230 | mimikatz)

/*	Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
rule win_mimikatz_w0 {
	meta:
		description		= "mimikatz"
		author			= "Benjamin DELPY (gentilkiwi)"
		tool_author		= "Benjamin DELPY (gentilkiwi)"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz"
        malpedia_version = "20171230"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
		$exe_x86_2		= { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
		
		$exe_x64_1		= { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
		$exe_x64_2		= { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

		$dll_1			= { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
		$dll_2			= { c7 0? 10 02 00 00 ?? 89 4? }
		
		$sys_x86		= { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
		$sys_x64		= { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

	condition:
		(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}

Download all Yara Rules

MimiKatz Propose Change

References

Yara Rules

MimiKatz