[Rule Tuning] Mimikatz powershell module activity detected (#1297)

austinsonger · github-actions[bot] · commit 34b37c0bfd0f · 2021-07-21T07:08:31.000Z
* update query * add indexes (cherry picked from commit 95e6458)
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "development"
-updated_date = "2021/05/10"
+updated_date = "2021/06/17"
 
 [rule]
 author = ["Elastic"]
@@ -11,10 +11,10 @@ other features that make it useful for testing the security of networks. This ru
 PowerShell command.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Mimikatz Powershell Module Activity Detected"
+name = "Mimikatz Powershell Module Activity"
 note = """## Triage and analysis
 
 This rule identifies an adversary attempt to collect, decrypt, and/or use cached credentials. Alerts from this rule should be prioritized because an adversary has an initial foothold onto an endpoint."""
@@ -27,11 +27,10 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type in ("start", "process_started") and process.name in ("cmd.exe", "powershell.exe")
+process where event.type in ("start", "process_started") and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")
 and process.args : ("*DumpCreds", "*Mimikatz*")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -44,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
