Query Details

Endpoint Tracking Mimikatz Command Line

Query

name : Tracking the activities of Mimikatz command-line by devices
description : 
- This query displays all unique Mimikatz command-line activities for each device
table :
- DeviceProcessEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
query: |
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where FileName in~ ("powershell.exe","powershell_ise.exe", "mimikatz.exe")
    | where ProcessCommandLine has_any ("sekurlsa","kerberos","crypto", "vault", "lsadump") or InitiatingProcessCommandLine has_any ("sekurlsa","kerberos","crypto", "vault", "lsadump")
    | summarize make_set(ProcessCommandLine) by DeviceId, DeviceName
    
    

Explanation

This query hunts for Mimikatz command-line activity on devices and lists the unique matching command lines per device. It filters the DeviceProcessEvents table to events from the past 30 days whose FileName is "powershell.exe", "powershell_ise.exe" or "mimikatz.exe" (in~ is a case-insensitive match). It then keeps events whose ProcessCommandLine or InitiatingProcessCommandLine contains any of the terms "sekurlsa", "kerberos", "crypto", "vault" or "lsadump" (has_any matches whole terms case-insensitively, so a path such as "C:\cryptography" does not match "crypto"). Finally it summarizes the unique ProcessCommandLine values for each DeviceId and DeviceName. Note that when the match comes from InitiatingProcessCommandLine, the set still records the child process's command line, so check the parent command line as well when triaging; terms such as "kerberos" and "crypto" can also appear in legitimate administrative scripts, so expect some benign hits.

Details


Kijo Girardi

Released: May 29, 2023

Tables

DeviceProcessEvents

Keywords

Devices, Mimikatz, Command-line, Activities

Operators

toscalar(), arg_max(), count(), mv-expand, where, in~, has_any(), summarize, make_set()
