Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for 64-bit Windows platform, family Mimikatz
This is a concrete detection of HackTool:Win64/Mimikatz!rfn. Mimikatz is a post-exploitation tool that extracts credentials (plaintext passwords where available, NTLM hashes, Kerberos tickets) from LSASS process memory and related credential stores on Windows. Its presence on a host indicates either an active attempt to harvest credentials or a compromise that has already succeeded, and it typically precedes lateral movement with the stolen hashes and tickets. The signature's string set also covers loaders and bundled credential harvesters that target secrets stored by browsers, email clients, FTP clients and VNC servers, which is why profile and registry paths for those applications appear among the strings below.
Relevant strings associated with this threat:
- Mgithub.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1 (PEHSTR)
- tinyurl.com/mnq854e (PEHSTR)
- fXRb.T (SNID)
- AppData\Roaming\FileZilla.dat (PEHSTR_EXT)
- AppData\Local\Microsoft\Credential (PEHSTR_EXT)
- Application Data\Thunderbird\Profiles (PEHSTR_EXT)
- AppData\Roaming\Thunderbird\Profiles (PEHSTR_EXT)
- AppData\Roaming\Mozilla\Firefox\Profiles (PEHSTR_EXT)
- Application Data\Mozilla\Firefox\Profiles (PEHSTR_EXT)
- Outlook\Profiles\Outlook (PEHSTR_EXT)
- SOFTWARE\RealVNC\WinVNC4 (PEHSTR_EXT)
- SOFTWARE\TightVNC\Server (PEHSTR_EXT)
- uvnc bvba\UltraVNC\UltraVNC.ini (PEHSTR_EXT)
- AppData\Roaming\Opera Software\Opera Stable\Login Data (PEHSTR_EXT)
- Software\Microsoft\Internet Explorer\IntelliForms\Storage2 (PEHSTR_EXT)
- Local Settings\Application Data\Google\Chrome\User Data\Default\ (PEHSTR_EXT)
- Appdata\Local\Google\Chrome\User Data\Default\ (PEHSTR_EXT)
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ (PEHSTR_EXT)
- AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (PEHSTR_EXT)
- mimikatz (PEHSTR_EXT)
- mimikatz (PEHSTR)
- powershell_reflective_mimikatz (PEHSTR)
- powerkatz.dll (PEHSTR)
- blog.gentilkiwi.com/mimikatz (PEHSTR)
- powershell_reflective_mimikatz (PEHSTR_EXT)
- .writeprocessmemory.invoke (PEHSTR_EXT)
- /user: (PEHSTR_EXT)
- /domain: (PEHSTR_EXT)
- /ntlm: (PEHSTR_EXT)
- log mimikatz input/output to file (PEHSTR_EXT)
- /mimikatz (PEHSTR_EXT)
- \\.\pipe\kekeo_tsssp_endpoint (PEHSTR_EXT)
- software\policies\microsoft\windows\credentialsdelegation (PEHSTR_EXT)
- system\currentcontrolset\control\lsa\credssp\policydefaults (PEHSTR_EXT)
- mimikatz.exe (PEHSTR_EXT)
- Executing Mimikatz (PEHSTR_EXT)
- sekurlsa::tickets /export (PEHSTR_EXT)
- /user (PEHSTR_EXT)
- /domain (PEHSTR_EXT)
- @.kirbi (PEHSTR_EXT)
- mimikatz (PEHSTR_EXT)
- powerkatz.dll (PEHSTR_EXT)
- blog.gentilkiwi.com/mimikatz (PEHSTR_EXT)
- LoadMimiByCommand (PEHSTR_EXT)
- MimikatzDelegate (PEHSTR_EXT)
- start gg.lnk (PEHSTR_EXT)
- start procdump.exe -accepteula -ma lsass.exe lsass.dmp (PEHSTR_EXT)
- expand mim mimi.exe (PEHSTR_EXT)
- mimi.exestop (PEHSTR_EXT)
- shaykhelislamov/Documents/Codetest/testproject/main/exec.go (PEHSTR_EXT)
- cmd /c C:\Users\Public\Documents\ (PEHSTR_EXT)
- cmd.exe /c taskkill /f /t /im (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (PEHSTR_EXT)
- ://department.microsoftmiddlename.tk/ (PEHSTR_EXT)
- 87.251.log (PEHSTR_EXT)
- urlmon.dll (PEHSTR_EXT)
- //department.microsoftmiddlename.tk/picturess/ (PEHSTR_EXT)
- RDSv1.dll (PEHSTR_EXT)
- C:/Users/Public/Documents/RDSv1.dll (PEHSTR_EXT)
- ice_types.secrets.mimikatz.MimikatzResult (PEHSTR_EXT)
- mimidrv.sys (PEHSTR_EXT)
- get_MimikatzPE (PEHSTR)
- set_MimikatzPE (PEHSTR)
- cmd.exe /V:on /C reg delete HKLM\Software\CommandTmp /f (PEHSTR_EXT)
- Please input ip. eg, /ip:xx.XXX.xx.x or /ip:xxx.com (PEHSTR_EXT)
- spread.Cryptohijack (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
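A practical caveat when reusing the strings above for your own triage: x64 PE builds of mimikatz and its loaders store most user-facing strings as UTF-16LE wide characters, so an ASCII-only grep for "sekurlsa::tickets /export" or the registry paths silently misses them. The scanner below is an added example for this page, not code from Microsoft's engine or from the mimikatz project. It searches a buffer for a subset of the literal atoms listed above in both ASCII and UTF-16LE, folding ASCII case (an assumption made here because several atoms appear lower-cased); the atom subset, the case folding and the sample buffer are all constructed for the example, and the `!#HSTR:` entries are left out because they read as references to other sub-signatures rather than literal byte strings.

```python
"""Encoding-aware scan of a byte buffer for a subset of the string atoms on
this page. Checks ASCII and UTF-16LE, because Win64 PE binaries such as
mimikatz keep most strings as wide characters. Case-insensitive matching and
the atom subset are assumptions for this example, not the engine's semantics.
"""

# Subset of the strings listed above, with the atom type the page shows.
ATOMS = [
    ("mimikatz", "PEHSTR"),
    ("powerkatz.dll", "PEHSTR"),
    ("blog.gentilkiwi.com/mimikatz", "PEHSTR"),
    ("sekurlsa::tickets /export", "PEHSTR_EXT"),
    ("\\\\.\\pipe\\kekeo_tsssp_endpoint", "PEHSTR_EXT"),
    ("start procdump.exe -accepteula -ma lsass.exe lsass.dmp", "PEHSTR_EXT"),
    ("AppData\\Roaming\\Mozilla\\Firefox\\Profiles", "PEHSTR_EXT"),
    ("software\\policies\\microsoft\\windows\\credentialsdelegation", "PEHSTR_EXT"),
    ("mimidrv.sys", "PEHSTR_EXT"),
]

ENCODINGS = ("ascii", "utf-16le")


def find_all(hay: bytes, needle: bytes):
    """Yield every offset at which needle occurs in hay."""
    start = 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def scan(buf: bytes, atoms=ATOMS):
    """Return (atom, kind, encoding, offset) for every occurrence of each atom.

    bytes.lower() folds only ASCII letters, so the 0x00 high bytes of UTF-16LE
    text are untouched and the same folded haystack serves both encodings.
    """
    hay = buf.lower()
    hits = []
    for atom, kind in atoms:
        for enc in ENCODINGS:
            needle = atom.lower().encode(enc)
            for off in find_all(hay, needle):
                hits.append((atom, kind, enc, off))
    return hits


def matched_atoms(hits):
    """Distinct atoms that matched, sorted."""
    return sorted({atom for atom, _, _, _ in hits})


def wide_only_atoms(hits):
    """Atoms that an ASCII-only scanner would have missed on this buffer."""
    narrow = {a for a, _, enc, _ in hits if enc == "ascii"}
    wide_ = {a for a, _, enc, _ in hits if enc == "utf-16le"}
    return sorted(wide_ - narrow)


def wide(s: str) -> bytes:
    return s.encode("utf-16le")


# Constructed byte buffer standing in for a file to scan (not a real sample):
# a few strings in the encodings an x64 build would use, NUL-padded apart.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + wide("mimikatz 2.x (x64) #")                 # wide banner-style string
    + b"\x00" * 8
    + wide("sekurlsa::tickets /export")            # wide command string
    + b"\x00" * 8
    + b"blog.gentilkiwi.com/mimikatz"              # narrow
    + b"\x00" * 8
    + b"\\\\.\\pipe\\kekeo_tsssp_endpoint"         # narrow
    + b"\x00" * 8
    + wide("procdump.exe -ma lsass.exe")           # partial atom: must NOT match
    + b"\x00" * 8
    + wide("SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation")
)

if __name__ == "__main__":
    for atom, kind, enc, off in scan(SAMPLE):
        print(f"{off:6d} {enc:8s} {kind:10s} {atom}")
    print("missed by an ASCII-only scan:", wide_only_atoms(scan(SAMPLE)))
```

On the constructed buffer, `wide_only_atoms` reports the two atoms that only exist as wide strings; an ASCII-only pass would still catch "mimikatz" through the narrow blog URL, which is exactly the kind of partial visibility that makes a naive grep look like it works. Short atoms such as "/user:" or "rundll32" are noisy on their own; the page lists atom types but not the weights or thresholds the engine combines them with, so treat any single hit from this list as a lead to confirm, not a verdict.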
Sample hash (SHA-256): 9779b73c7453799dd09006fcf45411135ab6e87e53a33399e59353253a39b1f9

Immediately isolate the affected system from the network to stop lateral movement. Perform a full scan with up-to-date security software and remove the tool together with any loader or process dump that accompanied it. Treat every credential that was present on the host as compromised: not only local accounts, but every domain user, service and administrative account that logged on to it (interactively, over RDP, as a service or from a scheduled task) since the earliest sign of compromise, because Mimikatz reads them from LSASS memory; reset all of them. Conduct a thorough forensic investigation to identify the initial compromise vector, the scope of impact and any persistence mechanisms; the strings above show that this tooling is often delivered alongside an lsass.exe memory dump (procdump), scheduled tasks and registry changes, so look for lsass.dmp files and the command lines listed when scoping the incident.