Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK - Part II (Event ID 10)
Tags
| attack-pattern: | Data Model Credentials - T1589.001 Impersonation - T1656 Powershell - T1059.001 Server - T1583.004 Server - T1584.004 Tool - T1588.002 Powershell - T1086 |
Common Information
| Type | Value |
|---|---|
| UUID | 15fb7bd2-5730-40cb-a669-7116c85d0b72 |
| Fingerprint | 4e95844b0df7081d |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | March 22, 2017, 1:11 p.m. |
| Added to db | Jan. 18, 2023, 9:28 p.m. |
| Last updated | Nov. 17, 2024, 6:55 p.m. |
| Headline | Cyber Wardog Lab |
| Title | Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK - Part II (Event ID 10) |
| Detected Hints/Tags/Attributes | 46/1/12 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | process.you |
|
| Details | Domain | 1 | creator.to |
|
| Details | File | 478 | lsass.exe |
|
| Details | File | 2125 | cmd.exe |
|
| Details | File | 25 | sysmon.exe |
|
| Details | File | 1208 | powershell.exe |
|
| Details | File | 1 | grantedaccess.key |
|
| Details | File | 76 | mimikatz.exe |
|
| Details | File | 27 | invoke-mimikatz.ps1 |
|
| Details | File | 62 | whoami.exe |
|
| Details | Github username | 18 | empireproject |
|
| Details | Url | 1 | https://raw.githubusercontent.com/empireproject/empire/master/module_source/credentials/invoke-mimikatz.ps1 |