Mimikatz
This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): OilRig; Magic Hound; MuddyWater; APT39; Lyceum; Agrius; Void Manticore / Handala
- Tool type(s): Credential access tool
- Confidence level(s): Medium
- Source ID(s):
SRC-MITRE-G0049,SRC-MITRE-G0059,SRC-MITRE-G0069,SRC-MITRE-G0087,SRC-MITRE-G1001,SRC-MITRE-G1030,SRC-MITRE-G1055
Behavior
| Actor | Behavior Summary |
|---|---|
| APT39 | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. |
| Agrius | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. |
| Lyceum | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. |
| Magic Hound | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. |
| MuddyWater | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. |
| OilRig | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. |
| Void Manticore / Handala | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. |
Hash And IOC Status
| Actor | Status | Reference |
|---|---|---|
| APT39 | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G0087 |
| Agrius | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G1030 |
| Lyceum | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G1001 |
| Magic Hound | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G0059 |
| MuddyWater | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G0069 |
| OilRig | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G0049 |
| Void Manticore / Handala | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | SRC-MITRE-G1055 |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|---|
| APT39 | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| Agrius | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| Lyceum | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| Magic Hound | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| MuddyWater | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| OilRig | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
| Void Manticore / Handala | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. |
Handling Notes
| Actor | Handling Notes |
|---|---|
| APT39 | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| Agrius | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| Lyceum | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| Magic Hound | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| MuddyWater | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| OilRig | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
| Void Manticore / Handala | Common or dual-use tools require local allowlisting and must not be used alone for actor attribution. |
Crosslinks
- OilRig: profile, workbench, tool matrix
- Magic Hound: profile, workbench, tool matrix
- MuddyWater: profile, workbench, tool matrix
- APT39: profile, workbench, tool matrix
- Lyceum: profile, workbench, tool matrix
- Agrius: profile, workbench, tool matrix
- Void Manticore / Handala: profile, workbench, tool matrix
- Detection status: Detection Status Dashboard
- Hunt workflow: Hunt Workflow
Mapped ATT&CK Techniques For Associated Actor(s)
| Actor | Technique | Tactic | Mapping Quality | Source |
|---|---|---|---|---|
| OilRig | T1505.003 Web Shell | Persistence | M3 | SRC-MITRE-G0049 |
| OilRig | T1049 System Network Connections Discovery | Discovery | M1 | SRC-MITRE-G0049 |
| Magic Hound | T1566.002 Spearphishing Link | Initial Access | M2 | SRC-MITRE-G0059 |
| Magic Hound | T1583.001 Acquire Domains | Resource Development | M1 | SRC-MITRE-G0059 |
| MuddyWater | T1566 Phishing | Initial Access | M2 | SRC-MITRE-G0069 |
| MuddyWater | T1059.001 PowerShell | Execution | M2 | SRC-MITRE-G0069 |
| MuddyWater | T1219 Remote Access Software | Command and Control | M3 | SRC-MITRE-G0069 |
| MuddyWater | T1567.002 Exfiltration to Cloud Storage | Exfiltration | M2 | SRC-THREAT-HUNTER-V3 |
| APT39 | T1566.001 Spearphishing Attachment | Initial Access | M2 | SRC-MITRE-G0087 |
| APT39 | T1003.001 LSASS Memory | Credential Access | M2 | SRC-MITRE-G0087 |
| Lyceum | T1071.004 DNS | Command and Control | M2 | SRC-MITRE-G1001 |
| Lyceum | T1003.001 LSASS Memory | Credential Access | M2 | SRC-MITRE-G1001 |
| Agrius | T1485 Data Destruction | Impact | M2 | SRC-MITRE-G1030 |
| Agrius | T1486 Data Encrypted for Impact | Impact | M2 | SRC-MITRE-G1030 |
| Void Manticore / Handala | T1566 Phishing | Initial Access | M2 | SRC-AP-HANDALA |
| Void Manticore / Handala | T1204 User Execution | Execution | M2 | SRC-AP-HANDALA |
| Void Manticore / Handala | T1485 Data Destruction | Impact | M2 | SRC-AP-HANDALA |
| Void Manticore / Handala | T1490 Inhibit System Recovery | Impact | M2 | SRC-AP-HANDALA |
| Void Manticore / Handala | T1567 Exfiltration Over Web Service | Exfiltration | M2 | SRC-AP-HANDALA |
| Void Manticore / Handala | T1078.004 Valid Accounts: Cloud Accounts | Initial Access | M3 | SRC-PUSH-STRYKER-HANDALA |
| Void Manticore / Handala | T1485 Data Destruction | Impact | M2 | SRC-PUSH-STRYKER-HANDALA |
Related Actor-Level Repository Detections
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
| Actor | Detection | Release Status | DRL | Rule |
|---|---|---|---|---|
| Magic Hound | DET-004 - Mail Click To Execution Correlation | Hunt | 4 | detections/kql/mail-click-to-exec-correlation.kql |
| MuddyWater | DET-002 - Suspicious RMM Installer Download From User Context | Pilot | 6 | detections/sigma/suspicious-rmm-file-sharing-download.yml |
| MuddyWater | DET-004 - Mail Click To Execution Correlation | Hunt | 4 | detections/kql/mail-click-to-exec-correlation.kql |
| Agrius | DET-001 - Intune Bulk Device Wipe Anomaly | Hunt | 5 | detections/kql/intune-bulk-device-wipe-anomaly.kql |
| Void Manticore / Handala | DET-001 - Intune Bulk Device Wipe Anomaly | Hunt | 5 | detections/kql/intune-bulk-device-wipe-anomaly.kql |
| Void Manticore / Handala | DET-004 - Mail Click To Execution Correlation | Hunt | 4 | detections/kql/mail-click-to-exec-correlation.kql |
Related Actor-Level Hunts
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
| Actor | Hunt | Hypothesis | Query |
|---|---|---|---|
| Magic Hound | HUNT-004 | If VIP phishing is active then mail click events will correlate to risky sign-in or execution | detections/kql/mail-click-to-exec-correlation.kql |
| MuddyWater | HUNT-002 | If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled paths | detections/kql/suspicious-rmm-file-sharing-download.kql |
| MuddyWater | HUNT-004 | If VIP phishing is active then mail click events will correlate to risky sign-in or execution | detections/kql/mail-click-to-exec-correlation.kql |
| Agrius | HUNT-001 | If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs | detections/kql/intune-bulk-device-wipe-anomaly.kql |
| Void Manticore / Handala | HUNT-001 | If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs | detections/kql/intune-bulk-device-wipe-anomaly.kql |
| Void Manticore / Handala | HUNT-004 | If VIP phishing is active then mail click events will correlate to risky sign-in or execution | detections/kql/mail-click-to-exec-correlation.kql |
Source Review
| Source | Publisher | Date | Reliability | Type | Last Reviewed |
|---|---|---|---|---|---|
SRC-MITRE-G0049 | MITRE ATT&CK | 2026-05-13 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G0059 | MITRE ATT&CK | 2026-05-13 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G0069 | MITRE ATT&CK | 2026-05-13 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G0087 | MITRE ATT&CK | 2026-05-14 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G1001 | MITRE ATT&CK | 2026-05-14 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G1030 | MITRE ATT&CK | 2026-05-13 | A | Knowledge base | 2026-05-14 |
SRC-MITRE-G1055 | MITRE ATT&CK | 2026-05-12 | A | Knowledge base | 2026-05-14 |
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.