Query Details

Mimikatz Detection

Query

// Detects alerts indicating Mimikatz was found and shows the compromised host. Requires a Microsoft Defender for Endpoint connection.

SecurityAlert
| where Tactics == "CredentialAccess"
| where Entities contains "mimikatz"
| where DisplayName == "Possible attempt to steal credentials" or AlertName == "Malicious credential theft tool execution detected"
| where Status == "New"
| distinct CompromisedEntity, TimeGenerated

Explanation

This query detects whether the credential-theft tool Mimikatz has been found on a compromised host. It requires a connection to Microsoft Defender for Endpoint so that Defender alerts land in the SecurityAlert table. The query filters for security alerts whose tactic is credential access and checks whether the alert's Entities field contains the word "mimikatz". It then keeps alerts with a specific display name ("Possible attempt to steal credentials") or alert name ("Malicious credential theft tool execution detected"). Only alerts whose status is "New" are included, and the query returns the distinct combinations of compromised host and the time the alert was generated.

Details


Rod Trent

Released: November 5, 2021

Tables

SecurityAlert

Keywords

SecurityAlert,Tactics,Entities,DisplayName,AlertName,Status,CompromisedEntity,TimeGenerated

Operators

where,|,==,contains,or,distinct
