SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mimikatz (Back to overview)

MimiKatz

Actor(s): APT32, Anunak, GALLIUM


There is no description at this point.

References
2021-12-14SymantecThreat Hunter Team
@online{team:20211214:espionage:5b6cf02, author = {Threat Hunter Team}, title = {{Espionage Campaign Targets Telecoms Organizations across Middle East and Asia}}, date = {2021-12-14}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east}, language = {English}, urldate = {2021-12-31} } Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
MimiKatz
2021-12-06MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
@online{mstic:20211206:nickel:115c365, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{NICKEL targeting government organizations across Latin America and Europe}}, date = {2021-12-06}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/}, language = {English}, urldate = {2021-12-08} } NICKEL targeting government organizations across Latin America and Europe
MimiKatz
2021-12-06Notice of PleadingsMicrosoft
@online{microsoft:20211206:complaint:035d577, author = {Microsoft}, title = {{Complaint filed by Microsoft against NICKEL/APT15}}, date = {2021-12-06}, organization = {Notice of Pleadings}, url = {https://noticeofpleadings.com/nickel/#}, language = {English}, urldate = {2021-12-08} } Complaint filed by Microsoft against NICKEL/APT15
MimiKatz
2021-11-18MicrosoftMicrosoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU)
@online{mstic:20211118:iranian:911ab04, author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU)}, title = {{Iranian targeting of IT sector on the rise}}, date = {2021-11-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/}, language = {English}, urldate = {2021-11-19} } Iranian targeting of IT sector on the rise
MimiKatz ShellClient RAT
2021-11-05Twitter (@inversecos)inversecos
@online{inversecos:20211105:ttps:2b9481e, author = {inversecos}, title = {{TTPs used by Pysa Ransonmware group}}, date = {2021-11-05}, organization = {Twitter (@inversecos)}, url = {https://twitter.com/inversecos/status/1456486725664993287}, language = {English}, urldate = {2021-11-08} } TTPs used by Pysa Ransonmware group
Mespinoza MimiKatz
2021-11-01AccentureHeather Larrieu, Curt Wilson, Katrina Hill
@online{larrieu:20211101:diving:a732a35, author = {Heather Larrieu and Curt Wilson and Katrina Hill}, title = {{Diving into double extortion campaigns}}, date = {2021-11-01}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns}, language = {English}, urldate = {2021-11-03} } Diving into double extortion campaigns
Cobalt Strike MimiKatz
2021-10-25CrowdStrikeFalcon OverWatch Team
@online{team:20211025:overwatch:8fd2f9f, author = {Falcon OverWatch Team}, title = {{OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack}}, date = {2021-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/}, language = {English}, urldate = {2021-11-03} } OverWatch Elite In Action: Prompt Call Escalation Proves Vital to Containing Attack
MimiKatz
2021-10-15Volatility LabsVolatility Labs
@online{labs:20211015:memory:53ea6d8, author = {Volatility Labs}, title = {{Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack}}, date = {2021-10-15}, organization = {Volatility Labs}, url = {https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html}, language = {English}, urldate = {2021-11-17} } Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack
MimiKatz
2021-10-11AccentureAccenture Cyber Threat Intelligence
@online{intelligence:20211011:moving:3b0eaec, author = {Accenture Cyber Threat Intelligence}, title = {{Moving Left of the Ransomware Boom}}, date = {2021-10-11}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom}, language = {English}, urldate = {2021-11-03} } Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil
2021-09-24Trend MicroWarren Sto.Tomas
@online{stotomas:20210924:examining:9165fe5, author = {Warren Sto.Tomas}, title = {{Examining the Cring Ransomware Techniques}}, date = {2021-09-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html}, language = {English}, urldate = {2021-09-29} } Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz
2021-09-14McAfeeChristiaan Beek
@online{beek:20210914:operation:95aed8d, author = {Christiaan Beek}, title = {{Operation ‘Harvest’: A Deep Dive into a Long-term Campaign}}, date = {2021-09-14}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/}, language = {English}, urldate = {2021-09-19} } Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-09-09SymantecThreat Hunter Team
@online{team:20210909:grayfly:60c5478, author = {Threat Hunter Team}, title = {{Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware}}, date = {2021-09-09}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware}, language = {English}, urldate = {2021-09-10} } Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
CROSSWALK MimiKatz SideWalk
2021-08-30QianxinRed Raindrop Team
@online{team:20210830:operation:7b5be26, author = {Red Raindrop Team}, title = {{Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss}}, date = {2021-08-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/}, language = {Chinese}, urldate = {2021-09-09} } Operation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss
Cobalt Strike MimiKatz
2021-08-23FBIFBI
@techreport{fbi:20210823:indicators:3308f26, author = {FBI}, title = {{Indicators of Compromise Associated with OnePercent Group Ransomware}}, date = {2021-08-23}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210823.pdf}, language = {English}, urldate = {2021-08-24} } Indicators of Compromise Associated with OnePercent Group Ransomware
Cobalt Strike MimiKatz
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-10FireEyeIsrael Research Team, U.S. Threat Intel Team
@online{team:20210810:unc215:dbc483a, author = {Israel Research Team and U.S. Threat Intel Team}, title = {{UNC215: Spotlight on a Chinese Espionage Campaign in Israel}}, date = {2021-08-10}, organization = {FireEye}, url = {https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel}, language = {English}, urldate = {2021-12-06} } UNC215: Spotlight on a Chinese Espionage Campaign in Israel
HyperBro HyperSSL MimiKatz
2021-08-03CybereasonAssaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20210803:deadringer:908e8d5, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos}}, date = {2021-08-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos}, language = {English}, urldate = {2021-08-06} } DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae
2021-07-20SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20210720:ongoing:1e6dbd0, author = {Counter Threat Unit ResearchTeam}, title = {{Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran}}, date = {2021-07-20}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran}, language = {English}, urldate = {2021-07-26} } Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor
2021-06-29AccentureAccenture Security
@online{security:20210629:hades:2d4c606, author = {Accenture Security}, title = {{HADES ransomware operators continue attacks}}, date = {2021-06-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/security/ransomware-hades}, language = {English}, urldate = {2021-07-01} } HADES ransomware operators continue attacks
Cobalt Strike Hades MimiKatz
2021-05-18SophosJohn Shier, Mat Gangwer, Greg Iddon, Peter Mackenzie
@online{shier:20210518:active:f313ac5, author = {John Shier and Mat Gangwer and Greg Iddon and Peter Mackenzie}, title = {{The Active Adversary Playbook 2021}}, date = {2021-05-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153}, language = {English}, urldate = {2021-05-25} } The Active Adversary Playbook 2021
Cobalt Strike MimiKatz
2021-05-13AWAKEKieran Evans
@online{evans:20210513:catching:eaa13e2, author = {Kieran Evans}, title = {{Catching the White Stork in Flight}}, date = {2021-05-13}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/catching-the-white-stork-in-flight/}, language = {English}, urldate = {2021-09-19} } Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-04-27Trend MicroJanus Agcaoili, Earle Earnshaw
@online{agcaoili:20210427:legitimate:b293526, author = {Janus Agcaoili and Earle Earnshaw}, title = {{Legitimate Tools Weaponized for Ransomware in 2021}}, date = {2021-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021}, language = {English}, urldate = {2021-05-03} } Legitimate Tools Weaponized for Ransomware in 2021
Cobalt Strike MimiKatz
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-19Bundesamt für Sicherheit in der InformationstechnikCERT-Bund
@techreport{certbund:20210319:microsoft:beb2409, author = {CERT-Bund}, title = {{Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)}}, date = {2021-03-19}, institution = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf}, language = {English}, urldate = {2021-03-22} } Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz
2021-03-11DEVOFran Gomez
@online{gomez:20210311:detection:e16ec1f, author = {Fran Gomez}, title = {{Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service}}, date = {2021-03-11}, organization = {DEVO}, url = {https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/}, language = {English}, urldate = {2021-03-12} } Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz
2021-03-10ESET ResearchThomas Dupuy, Matthieu Faou, Mathieu Tartare
@online{dupuy:20210310:exchange:8f65a1f, author = {Thomas Dupuy and Matthieu Faou and Mathieu Tartare}, title = {{Exchange servers under siege from at least 10 APT groups}}, date = {2021-03-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/}, language = {English}, urldate = {2021-03-11} } Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti
2021-03-08SymantecThreat Hunter Team
@online{team:20210308:how:752e42e, author = {Threat Hunter Team}, title = {{How Symantec Stops Microsoft Exchange Server Attacks}}, date = {2021-03-08}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection}, language = {English}, urldate = {2021-03-12} } How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-01-29Trend MicroTrend Micro
@online{micro:20210129:chopper:6dfb7c6, author = {Trend Micro}, title = {{Chopper ASPX web shell used in targeted attack}}, date = {2021-01-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html}, language = {English}, urldate = {2021-02-02} } Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz
2021-01-26Twitter (@swisscom_csirt)Swisscom CSIRT
@online{csirt:20210126:cring:f12c487, author = {Swisscom CSIRT}, title = {{Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware}}, date = {2021-01-26}, organization = {Twitter (@swisscom_csirt)}, url = {https://twitter.com/swisscom_csirt/status/1354052879158571008}, language = {English}, urldate = {2021-01-27} } Tweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping Cring rasomware
Cobalt Strike Cring MimiKatz
2021-01-18Bundesamt für VerfassungsschutzBundesamt für Verfassungsschutz
@techreport{verfassungsschutz:20210118:bfv:8f2fc64, author = {Bundesamt für Verfassungsschutz}, title = {{BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31}}, date = {2021-01-18}, institution = {Bundesamt für Verfassungsschutz}, url = {https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf}, language = {German}, urldate = {2021-01-29} } BfV Cyber-Brief Nr. 01/2021 : Vorgehensweise von APT31
MimiKatz
2021-01-15SwisscomMarkus Neis
@techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021SecureworksSecureWorks
@online{secureworks:2021:threat:d17547d, author = {SecureWorks}, title = {{Threat Profile: GOLD BURLAP}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-burlap}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD BURLAP
Empire Downloader Mespinoza MimiKatz GOLD BURLAP
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c0ba914, author = {SecureWorks}, title = {{Threat Profile: GOLD FRANKLIN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-franklin}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6
2020-12-21SlideShare (yurikamuraki5)Yurika Kakiuchi
@online{kakiuchi:20201221:active:6c42aad, author = {Yurika Kakiuchi}, title = {{Active Directory 侵害と推奨対策}}, date = {2020-12-21}, organization = {SlideShare (yurikamuraki5)}, url = {https://www.slideshare.net/yurikamuraki5/active-directory-240348605}, language = {Japanese}, urldate = {2021-02-06} } Active Directory 侵害と推奨対策
MimiKatz
2020-12-15HvS-Consulting AGHvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz
2020-12-15HvS-Consulting AGHvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-11-30YoroiLuigi Martire, Antonio Pirozzi, Luca Mella
@online{martire:20201130:shadows:2ef4813, author = {Luigi Martire and Antonio Pirozzi and Luca Mella}, title = {{Shadows From The Past Threaten Italian Enterprises}}, date = {2020-11-30}, organization = {Yoroi}, url = {https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/}, language = {English}, urldate = {2021-06-16} } Shadows From The Past Threaten Italian Enterprises
Rekoobe LaZagne Responder MimiKatz win.rekoobe
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27PTSecurityDenis Goydenko, Alexey Vishnyakov
@online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-10-23F-Secure LabsGuillaume Couchard, Qimin Wang, Thiam Loong Siew
@online{couchard:20201023:catching:5788228, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two}}, date = {2020-10-23}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two}, language = {English}, urldate = {2020-10-26} } Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two
MimiKatz
2020-10-20F-SecureF-Secure Consulting
@techreport{consulting:20201020:incident:275ade2, author = {F-Secure Consulting}, title = {{Incident Readiness: Preparing a proactive response to attacks}}, date = {2020-10-20}, institution = {F-Secure}, url = {https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf}, language = {English}, urldate = {2020-10-23} } Incident Readiness: Preparing a proactive response to attacks
MimiKatz
2020-10-01US-CERTUS-CERT
@online{uscert:20201001:alert:a46c3d4, author = {US-CERT}, title = {{Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions}}, date = {2020-10-01}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-275a}, language = {English}, urldate = {2020-10-04} } Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-17FBIFBI
@techreport{fbi:20200917:fbi:9893ba0, author = {FBI}, title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-1.pdf}, language = {English}, urldate = {2020-09-23} } FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks
MimiKatz Nanocore RAT
2020-08-31The DFIR ReportThe DFIR Report
@online{report:20200831:netwalker:29a1511, author = {The DFIR Report}, title = {{NetWalker Ransomware in 1 Hour}}, date = {2020-08-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/}, language = {English}, urldate = {2020-08-31} } NetWalker Ransomware in 1 Hour
Cobalt Strike Mailto MimiKatz
2020-08-10ZDNetCatalin Cimpanu
@online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } FBI says an Iranian hacking group is attacking F5 networking devices
MimiKatz
2020-08-06WiredAndy Greenberg
@online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-08-04BlackHatChung-Kuan Chen, Inndy Lin, Shang-De Jiang
@techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } Operation Chimera - APT Operation Targets Semiconductor Vendors
Cobalt Strike MimiKatz Winnti Operation Skeleton Key
2020-06-24Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE VINEWOOD Targets Supply Chains}}, date = {2020-06-24}, url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains}, language = {English}, urldate = {2020-06-26} } BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31
2020-06-18Bundesamt für VerfassungsschutzBundesamt für Verfassungsschutz
@techreport{verfassungsschutz:20200618:bfv:52dfe79, author = {Bundesamt für Verfassungsschutz}, title = {{BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne}}, date = {2020-06-18}, institution = {Bundesamt für Verfassungsschutz}, url = {https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf}, language = {German}, urldate = {2020-06-18} } BfV Cyber-BriefNr. 01/2020 - Hinweis auf aktuelle Angriffskampagne
Ketrican MimiKatz
2020-05-28Kaspersky LabsVyacheslav Kopeytsev
@techreport{kopeytsev:20200528:steganography:8f5230a, author = {Vyacheslav Kopeytsev}, title = {{Steganography in targeted attacks on industrial enterprises}}, date = {2020-05-28}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf}, language = {English}, urldate = {2020-05-29} } Steganography in targeted attacks on industrial enterprises
MimiKatz
2020-05-27FBIFBI
@techreport{fbi:20200527:alert:6d31e17, author = {FBI}, title = {{Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity}}, date = {2020-05-27}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210527.pdf}, language = {English}, urldate = {2021-06-04} } Alert Number MI-000148-MW: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity
MimiKatz
2020-05-21BitdefenderLiviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020-05-21ESET ResearchMathieu Tartare, Martin Smolár
@online{tartare:20200521:no:016fc6c, author = {Mathieu Tartare and Martin Smolár}, title = {{No “Game over” for the Winnti Group}}, date = {2020-05-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/}, language = {English}, urldate = {2020-05-23} } No “Game over” for the Winnti Group
ACEHASH HTran MimiKatz
2020-05-14Lab52Dex
@online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-07REDTEAM.PLAdam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-04-16Medium CyCraftCyCraft Technology Corp
@online{corp:20200416:taiwan:3029f53, author = {CyCraft Technology Corp}, title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}}, date = {2020-04-16}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730}, language = {English}, urldate = {2020-11-04} } Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures
Cobalt Strike MimiKatz Operation Skeleton Key
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-02-21ADEO DFIRADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18Cisco TalosVanja Svajcer
@online{svajcer:20200218:building:0a80664, author = {Vanja Svajcer}, title = {{Building a bypass with MSBuild}}, date = {2020-02-18}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html}, language = {English}, urldate = {2020-02-20} } Building a bypass with MSBuild
Cobalt Strike GRUNT MimiKatz
2020-02-02uf0 BlogMatteo Malvica
@online{malvica:20200202:uncovering:ec2d3da, author = {Matteo Malvica}, title = {{Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD}}, date = {2020-02-02}, organization = {uf0 Blog}, url = {https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/}, language = {English}, urldate = {2020-02-03} } Uncovering Mimikatz ‘msv’ and collecting credentials through PyKD
MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:gold:1892bc8, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4118462, author = {SecureWorks}, title = {{BRONZE ATLAS}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas}, language = {English}, urldate = {2020-05-23} } BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom
2020SecureworksSecureWorks
@online{secureworks:2020:gold:983570b, author = {SecureWorks}, title = {{GOLD KINGSWOOD}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-kingswood}, language = {English}, urldate = {2020-05-23} } GOLD KINGSWOOD
More_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt
2020SecureworksSecureWorks
@online{secureworks:2020:tin:ccd6795, author = {SecureWorks}, title = {{TIN WOODLAWN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tin-woodlawn}, language = {English}, urldate = {2020-05-23} } TIN WOODLAWN
Cobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:66a45ac, author = {SecureWorks}, title = {{BRONZE VINEWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood}, language = {English}, urldate = {2020-05-23} } BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-06-25CybereasonCybereason Nocturnus
@online{nocturnus:20190625:operation:21efa8f, author = {Cybereason Nocturnus}, title = {{OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS}}, date = {2019-06-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers}, language = {English}, urldate = {2019-12-17} } OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
MimiKatz Poison Ivy Operation Soft Cell
2019-05-10XPN BlogAdam Chester
@online{chester:20190510:exploring:758b4e8, author = {Adam Chester}, title = {{Exploring Mimikatz - Part 1 - WDigest}}, date = {2019-05-10}, organization = {XPN Blog}, url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/}, language = {English}, urldate = {2020-09-01} } Exploring Mimikatz - Part 1 - WDigest
MimiKatz
2019-04-04CrowdStrikeHarlan Carvey
@online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
MimiKatz
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-01-04Github (gentilkiwi)Benjamin Delpy
@online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } mimikatz Repository
MimiKatz
2018-07-25SymantecCritical Attack Discovery and Intelligence Team, Network Protection Security Labs
@online{team:20180725:leafminer:0591f9b, author = {Critical Attack Discovery and Intelligence Team and Network Protection Security Labs}, title = {{Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions}}, date = {2018-07-25}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east}, language = {English}, urldate = {2020-04-21} } Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Imecab MimiKatz Sorgu RASPITE
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2018-02-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20180215:samsam:bd6d65d, author = {Counter Threat Unit ResearchTeam}, title = {{SamSam Ransomware Campaigns}}, date = {2018-02-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/samsam-ransomware-campaigns}, language = {English}, urldate = {2021-05-28} } SamSam Ransomware Campaigns
MimiKatz reGeorg SamSam BOSS SPIDER
2017-12-04RSAJack Wesley Riley
@techreport{riley:20171204:shadows:ae9e436, author = {Jack Wesley Riley}, title = {{The Shadows of Ghosts Inside the response of a unique Carbanak intrusion}}, date = {2017-12-04}, institution = {RSA}, url = {https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf}, language = {English}, urldate = {2021-09-02} } The Shadows of Ghosts Inside the response of a unique Carbanak intrusion
GOTROJ MimiKatz
2017-11-09WiredAndy Greenberg
@online{greenberg:20171109:he:5442358, author = {Andy Greenberg}, title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}}, date = {2017-11-09}, organization = {Wired}, url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/}, language = {English}, urldate = {2020-01-08} } He Perfected a Password-Hacking Tool—Then the Russians Came Calling
MimiKatz
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:36b35db, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2019-12-05} } Odinaff: New Trojan used in high level financial attacks
Cobalt Strike KLRD MimiKatz Odinaff
2016-03-30SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20160330:ransomware:d1b6fe3, author = {Counter Threat Unit ResearchTeam}, title = {{Ransomware Deployed by Adversary with Established Foothold}}, date = {2016-03-30}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/ransomware-deployed-by-adversary}, language = {English}, urldate = {2021-05-28} } Ransomware Deployed by Adversary with Established Foothold
MimiKatz reGeorg SamSam BOSS SPIDER
2011-04-28Gentil Kiwi
@online{kiwi:20110428:un:4c39d1d, author = {Gentil Kiwi}, title = {{Un observateur d’événements aveugle…}}, date = {2011-04-28}, url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle}, language = {English}, urldate = {2020-01-07} } Un observateur d’événements aveugle…
MimiKatz
Yara Rules
[TLP:WHITE] win_mimikatz_auto (20211008 | Detects win.mimikatz.)
rule win_mimikatz_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.mimikatz."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f8ff 750e ff15???????? c7002a000000 }
            // n = 4, score = 300
            //   83f8ff               | cmp                 eax, -1
            //   750e                 | jne                 0x10
            //   ff15????????         |                     
            //   c7002a000000         | mov                 dword ptr [eax], 0x2a

        $sequence_1 = { f7f1 85d2 7406 2bca }
            // n = 4, score = 300
            //   f7f1                 | div                 ecx
            //   85d2                 | test                edx, edx
            //   7406                 | je                  8
            //   2bca                 | sub                 ecx, edx

        $sequence_2 = { c3 81f998000000 7410 81f996000000 7408 }
            // n = 5, score = 200
            //   c3                   | ret                 
            //   81f998000000         | cmp                 ecx, 0x98
            //   7410                 | je                  0x12
            //   81f996000000         | cmp                 ecx, 0x96
            //   7408                 | je                  0xa

        $sequence_3 = { e8???????? 837c246000 0f849c000000 85f6 7541 8b05???????? 3d401f0000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   837c246000           | cmp                 dword ptr [esp + 0x60], 0
            //   0f849c000000         | je                  0xa2
            //   85f6                 | test                esi, esi
            //   7541                 | jne                 0x43
            //   8b05????????         |                     
            //   3d401f0000           | cmp                 eax, 0x1f40

        $sequence_4 = { e8???????? eb2d 81fa0e030980 750e }
            // n = 4, score = 200
            //   e8????????           |                     
            //   eb2d                 | jmp                 0x2f
            //   81fa0e030980         | cmp                 edx, 0x8009030e
            //   750e                 | jne                 0x10

        $sequence_5 = { 83f812 72f1 33c0 c3 }
            // n = 4, score = 200
            //   83f812               | cmp                 eax, 0x12
            //   72f1                 | jb                  0xfffffff3
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 

        $sequence_6 = { 2bc1 85c9 7403 83c008 }
            // n = 4, score = 200
            //   2bc1                 | sub                 eax, ecx
            //   85c9                 | test                ecx, ecx
            //   7403                 | je                  5
            //   83c008               | add                 eax, 8

        $sequence_7 = { eb16 83780802 7510 0fb75010 }
            // n = 4, score = 200
            //   eb16                 | jmp                 0x18
            //   83780802             | cmp                 dword ptr [eax + 8], 2
            //   7510                 | jne                 0x12
            //   0fb75010             | movzx               edx, word ptr [eax + 0x10]

        $sequence_8 = { 6683f83f 7607 32c0 e9???????? }
            // n = 4, score = 200
            //   6683f83f             | cmp                 ax, 0x3f
            //   7607                 | jbe                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        $sequence_9 = { 66894108 33c0 39410c 740b }
            // n = 4, score = 200
            //   66894108             | mov                 word ptr [ecx + 8], ax
            //   33c0                 | xor                 eax, eax
            //   39410c               | cmp                 dword ptr [ecx + 0xc], eax
            //   740b                 | je                  0xd

        $sequence_10 = { e8???????? 8bf8 89442458 89442454 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   89442458             | mov                 dword ptr [esp + 0x58], eax
            //   89442454             | mov                 dword ptr [esp + 0x54], eax

        $sequence_11 = { ff15???????? 85c0 0f84ce000000 8d4510 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84ce000000         | je                  0xd4
            //   8d4510               | lea                 eax, dword ptr [ebp + 0x10]

        $sequence_12 = { e8???????? 85db 0f8408010000 03ed }
            // n = 4, score = 200
            //   e8????????           |                     
            //   85db                 | test                ebx, ebx
            //   0f8408010000         | je                  0x10e
            //   03ed                 | add                 ebp, ebp

        $sequence_13 = { 3c02 7207 e8???????? eb10 }
            // n = 4, score = 200
            //   3c02                 | cmp                 al, 2
            //   7207                 | jb                  9
            //   e8????????           |                     
            //   eb10                 | jmp                 0x12

        $sequence_14 = { e8???????? 83c40c 03f3 8bc7 8b550c }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   03f3                 | add                 esi, ebx
            //   8bc7                 | mov                 eax, edi
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_15 = { c1f805 c1e606 033485c0e84600 8b45f8 8b00 8906 8b45fc }
            // n = 7, score = 100
            //   c1f805               | sar                 eax, 5
            //   c1e606               | shl                 esi, 6
            //   033485c0e84600       | add                 esi, dword ptr [eax*4 + 0x46e8c0]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_16 = { 80e20f c0e104 32d1 4b 885509 88450a 85db }
            // n = 7, score = 100
            //   80e20f               | and                 dl, 0xf
            //   c0e104               | shl                 cl, 4
            //   32d1                 | xor                 dl, cl
            //   4b                   | dec                 ebx
            //   885509               | mov                 byte ptr [ebp + 9], dl
            //   88450a               | mov                 byte ptr [ebp + 0xa], al
            //   85db                 | test                ebx, ebx

        $sequence_17 = { 2bfe 90 41 81e1ff000000 8a91b0e74600 }
            // n = 5, score = 100
            //   2bfe                 | sub                 edi, esi
            //   90                   | nop                 
            //   41                   | inc                 ecx
            //   81e1ff000000         | and                 ecx, 0xff
            //   8a91b0e74600         | mov                 dl, byte ptr [ecx + 0x46e7b0]

        $sequence_18 = { 85db 0f84b9000000 83fb04 7d17 b904000000 2bcb }
            // n = 6, score = 100
            //   85db                 | test                ebx, ebx
            //   0f84b9000000         | je                  0xbf
            //   83fb04               | cmp                 ebx, 4
            //   7d17                 | jge                 0x19
            //   b904000000           | mov                 ecx, 4
            //   2bcb                 | sub                 ecx, ebx

        $sequence_19 = { 33c0 8b4d08 3b0cc5087a4000 740a }
            // n = 4, score = 100
            //   33c0                 | xor                 eax, eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3b0cc5087a4000       | cmp                 ecx, dword ptr [eax*8 + 0x407a08]
            //   740a                 | je                  0xc

        $sequence_20 = { 8d34f530d94600 391e 7404 8bc7 eb6d 6a18 e8???????? }
            // n = 7, score = 100
            //   8d34f530d94600       | lea                 esi, dword ptr [esi*8 + 0x46d930]
            //   391e                 | cmp                 dword ptr [esi], ebx
            //   7404                 | je                  6
            //   8bc7                 | mov                 eax, edi
            //   eb6d                 | jmp                 0x6f
            //   6a18                 | push                0x18
            //   e8????????           |                     

        $sequence_21 = { 83c404 85c0 7510 8a45ff 3c2b }
            // n = 5, score = 100
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   3c2b                 | cmp                 al, 0x2b

    condition:
        7 of them and filesize < 1642496
}
[TLP:WHITE] win_mimikatz_w0   (20171230 | mimikatz)
/*	Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
rule win_mimikatz_w0 {
	meta:
		description		= "mimikatz"
		author			= "Benjamin DELPY (gentilkiwi)"
		tool_author		= "Benjamin DELPY (gentilkiwi)"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz"
        malpedia_version = "20171230"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		$exe_x86_1		= { 89 71 04 89 [0-3] 30 8d 04 bd }
		$exe_x86_2		= { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
		
		$exe_x64_1		= { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
		$exe_x64_2		= { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }

		$dll_1			= { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
		$dll_2			= { c7 0? 10 02 00 00 ?? 89 4? }
		
		$sys_x86		= { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
		$sys_x64		= { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }

	condition:
		(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}
Download all Yara Rules