AhnLab EPP

Last updated Dec 2, 2025

Mimikatz Detected

Detects the introduction of Mimikatz files onto endpoints from AhnLab EPP V3 malware alert logs

Query

The AhnLab V3 antivirus engine detects Mimikatz under signature names such as Trojan/RL.Mimikatz.R248084, Trojan/Win.Mimikatz.R437781, Trojan/Win32.RL_Mimikatz.R290617, Trojan/Win32.RL_Mimikatz.R366782, Trojan/Win64.Mimikatz.R372136, etc. In each of these names the family name "Mimikatz" is followed by a dot and a variant identifier, so the rule lowercases the signature field and extracts alerts whose value matches the wildcard pattern *mimikatz.*. The literal dot in the pattern means the family name must be followed by a suffix; a signature that ends in "Mimikatz" with nothing after it would not match.

| search lower(signature) == "*mimikatz.*"

Message

  • Mimikatz Detected: Host $host_ip

Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5
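The detection logic above, run over constructed sample alert records, as an added example in Python (not code from the original page, from AhnLab, or from the rule author): it translates the `*mimikatz.*` wildcard into an anchored regex applied to the lowercased signature, renders the `$host_ip` message, and projects each hit to the Field Order. The hostnames, IPs, employee names, file paths and MD5 values are constructed placeholders, and the signature names marked as constructed do not come from the page.

```python
import re

# Field Order from the rule; hits are projected to these columns in this order.
FIELD_ORDER = ["_log_time", "hostname", "host_ip", "emp_name", "dept_name",
               "signature", "file_path", "file_status", "md5"]

# Wildcard pattern from the rule's search command and the alert message template.
RULE_PATTERN = "*mimikatz.*"
MESSAGE_TEMPLATE = "Mimikatz Detected: Host $host_ip"

# Constructed sample alert records (not real telemetry; IPs, names, paths and MD5
# values are placeholders). Records 0, 2 and 4 should fire; 1 and 3 should not.
SAMPLE_ALERTS = [
    {"_log_time": "2025-12-02 09:14:03", "hostname": "WS-1042", "host_ip": "10.20.1.42",
     "emp_name": "J. Kim", "dept_name": "Finance",
     "signature": "Trojan/Win64.Mimikatz.R372136",
     "file_path": r"C:\Users\jkim\Downloads\x64\mimikatz.exe",
     "file_status": "Quarantined", "md5": "00000000000000000000000000000001"},
    {"_log_time": "2025-12-02 09:15:30", "hostname": "WS-1043", "host_ip": "10.20.1.43",
     "emp_name": "M. Lee", "dept_name": "Sales",
     "signature": "Trojan/Win32.Agent.R100001",          # constructed, unrelated family
     "file_path": r"C:\Users\mlee\AppData\Local\Temp\setup.exe",
     "file_status": "Quarantined", "md5": "00000000000000000000000000000002"},
    {"_log_time": "2025-12-02 09:16:12", "hostname": "WS-1050", "host_ip": "10.20.1.50",
     "emp_name": "S. Park", "dept_name": "IT",
     "signature": "Trojan/Win.Mimikatz.R437781",
     "file_path": r"C:\Tools\mimikatz.exe", "file_status": "Detected",
     "md5": "00000000000000000000000000000003"},
    {"_log_time": "2025-12-02 09:17:45", "hostname": "WS-1051", "host_ip": "10.20.1.51",
     "emp_name": "H. Choi", "dept_name": "IT",
     "signature": "HackTool/Mimikatz",                   # constructed: no suffix after the family name
     "file_path": r"C:\Tools\mk.exe", "file_status": "Detected",
     "md5": "00000000000000000000000000000004"},
    {"_log_time": "2025-12-02 09:18:02", "hostname": "WS-1060", "host_ip": "10.20.1.60",
     "emp_name": "Y. Jung", "dept_name": "HR",
     "signature": "TROJAN/WIN32.RL_MIMIKATZ.R290617",    # constructed upper-case variant of a real name
     "file_path": r"C:\Users\yjung\Desktop\x32\mimikatz.exe",
     "file_status": "Quarantined", "md5": "00000000000000000000000000000005"},
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a '*'-wildcard pattern into an anchored regex.

    Only '*' is special; '.', '/', '_' and everything else match literally,
    which is why the trailing '.' in the rule pattern demands a suffix after
    'mimikatz'.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def matches_signature(signature: str, pattern: str = RULE_PATTERN) -> bool:
    """Equivalent of `lower(signature) == "*mimikatz.*"`: case-folded wildcard match."""
    return wildcard_to_regex(pattern).match(signature.lower()) is not None


def render_message(template: str, record: dict) -> str:
    """Substitute $field placeholders (e.g. $host_ip) with values from the record."""
    return re.sub(r"\$(\w+)", lambda m: str(record.get(m.group(1), m.group(0))), template)


def run_rule(alerts):
    """Apply the detection to alert records; return hits projected to FIELD_ORDER
    with the rendered alert message appended as a final 'message' column."""
    hits = []
    for rec in alerts:
        if not matches_signature(rec.get("signature", "")):
            continue
        row = {f: rec.get(f) for f in FIELD_ORDER}
        row["message"] = render_message(MESSAGE_TEMPLATE, rec)
        hits.append(row)
    return hits


if __name__ == "__main__":
    for row in run_rule(SAMPLE_ALERTS):
        print(row["message"], "|", " | ".join(str(row[f]) for f in FIELD_ORDER))
```

The fourth record is the edge case worth keeping in mind when tuning: a product-side rename that drops the variant suffix would silently fall out of this rule, so a broader pattern such as *mimikatz* is the knob to turn if the vendor naming changes.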

Threat Analysis

  • Mimikatz is a well-known credential theft tool used to extract authentication data from Windows systems.
  • Attackers may introduce the Mimikatz binary or its variants onto internal endpoints through malware infection, remote code execution, or compromised accounts to harvest credentials.
  • A Mimikatz detection is a strong indicator that the endpoint has been compromised or is actively under attack; credentials harvested from it enable privilege escalation and deeper lateral movement.

False Positive

  • This may occur when the security or IT team deliberately places Mimikatz on a host for incident response testing, penetration testing, or training. Confirm such cases against an authorized testing schedule before closing the alert.
  • Mimikatz has almost no legitimate use in general user environments, so the false-positive likelihood is very low.

Response Actions

  • Check whether the Mimikatz file was executed, and review its file path and creation/modification timestamps. Pivot on the md5 and file_path fields to find the same file on other endpoints.
  • Immediately isolate the endpoint, perform a full malware scan, and conduct forensic analysis.
  • Investigate abnormal authentication attempts, remote connections, and suspicious process activity from the same user account or device around the time of the alert.
  • Because any credential cached on the endpoint may have been exposed, reset passwords and invalidate session tokens for the user, for any other accounts that logged on to the host, and for related administrator accounts.
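The investigation step above (abnormal authentication and remote connections from the same device) as an added correlation example in Python, not code from the original page or from AhnLab: it takes one hit from the rule and pivots into constructed Windows logon events (4624/4625 with logon types) in a window around the alert time, listing successful remote logons that originate from the alerting host, failed logons from it, the hosts it reached, and the set of accounts whose credentials should be reset. The flat event schema, the hosts, users, times and the window sizes are constructed assumptions, not a format the page describes.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# One hit from the Mimikatz rule (constructed; same shape as the rule's Field Order).
ALERT = {"_log_time": "2025-12-02 09:14:03", "hostname": "WS-1042",
         "host_ip": "10.20.1.42", "emp_name": "J. Kim", "dept_name": "Finance",
         "signature": "Trojan/Win64.Mimikatz.R372136",
         "file_path": r"C:\Users\jkim\Downloads\x64\mimikatz.exe",
         "file_status": "Quarantined", "md5": "00000000000000000000000000000001"}

# Constructed Windows logon events in a flat SIEM-style schema (not real telemetry).
# event_id 4624 = successful logon, 4625 = failed logon;
# logon_type 2 = interactive console, 3 = network (SMB/WinRM/...), 10 = RDP.
SAMPLE_LOGONS = [
    {"time": "2025-12-02 08:55:10", "event_id": 4624, "logon_type": 2,
     "user": "jkim", "src_ip": "-", "dst_host": "WS-1042"},
    {"time": "2025-12-02 09:20:41", "event_id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.20.1.42", "dst_host": "FS-01"},
    {"time": "2025-12-02 09:21:05", "event_id": 4625, "logon_type": 3,
     "user": "administrator", "src_ip": "10.20.1.42", "dst_host": "DC-01"},
    {"time": "2025-12-02 09:21:09", "event_id": 4624, "logon_type": 10,
     "user": "da_admin", "src_ip": "10.20.1.42", "dst_host": "DC-01"},
    {"time": "2025-12-02 12:00:00", "event_id": 4624, "logon_type": 3,
     "user": "jkim", "src_ip": "10.20.1.42", "dst_host": "FS-01"},   # outside the window
    {"time": "2025-12-01 09:00:00", "event_id": 4624, "logon_type": 3,
     "user": "mlee", "src_ip": "10.20.1.77", "dst_host": "FS-01"},   # unrelated host
]

# Logon types that imply a connection from another machine.
REMOTE_LOGON_TYPES = {3, 10}


def triage_logons(alert, logons, before=timedelta(hours=1), after=timedelta(hours=2)):
    """Pivot from a Mimikatz hit into logon events around the alert time.

    Looks `before` behind and `after` ahead of the alert timestamp (assumed
    window sizes), and separates what happened on the host from what the host
    did to others.
    """
    t0 = datetime.strptime(alert["_log_time"], TIME_FMT)
    start, end = t0 - before, t0 + after
    host_ip, hostname = alert["host_ip"], alert["hostname"]

    in_window = [e for e in logons
                 if start <= datetime.strptime(e["time"], TIME_FMT) <= end]
    from_host = [e for e in in_window if e["src_ip"] == host_ip]
    on_host = [e for e in in_window if e["dst_host"] == hostname]

    remote_ok = [e for e in from_host
                 if e["event_id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES]
    failed = [e for e in from_host if e["event_id"] == 4625]

    # Accounts that logged on to the host had credentials in LSASS memory there;
    # accounts used *from* the host afterwards may already be stolen credentials.
    accounts = sorted({e["user"] for e in on_host} | {e["user"] for e in from_host})
    return {
        "window": (start.strftime(TIME_FMT), end.strftime(TIME_FMT)),
        "remote_logons_from_host": remote_ok,
        "failed_logons_from_host": failed,
        "hosts_reached": sorted({e["dst_host"] for e in remote_ok}),
        "accounts_to_reset": accounts,
    }


if __name__ == "__main__":
    result = triage_logons(ALERT, SAMPLE_LOGONS)
    print("window:", result["window"])
    for e in result["remote_logons_from_host"]:
        print("remote logon from host:", e["time"], e["user"], "->", e["dst_host"])
    for e in result["failed_logons_from_host"]:
        print("failed logon from host:", e["time"], e["user"], "->", e["dst_host"])
    print("hosts reached:", result["hosts_reached"])
    print("accounts to reset:", result["accounts_to_reset"])
```

The hosts_reached list is the scope for the next round of isolation and scanning, and the accounts list feeds the password reset step; a failed logon attempt from the host with a privileged name is itself evidence of credential reuse even though it did not succeed.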

MITRE ATT&CK