Enrich IOC using SOAR with OpenCTI, VirusTotal and Shuffler
MALICIOUS FILE DETECTED
Splunk SOAR Playbook: Malicious File Detected
Automate triage, enrichment, containment, notification and recovery steps when a malicious file alert is received from an EDR.
Environment
Splunk All in one instance
Windows (Splunk UF)
Shuffler SOAR (Cloud or On premise)
OpenCTI (Cloud or On premise)
VirusTotal API
Slack
Playbook Trigger
Trigger:
Container created with label "Windows Mimikatz Binary Execution - Rule"
Source (Splunk Detection)
Input Fields:
Receive all fields of the raw log that triggered the alert
Add the annotations from the Mimikatz detection rule
# Example
"analytic_story": ("CISA AA22-320A,CISA AA23-347A,Compromised Windows Host,Credential Dumping,Flax Typhoon,Sandworm Tools,Volt Typhoon")
"cis20": ("CIS 10")
"kill_chain_phases": ("Exploitation")
"mitre_attack": ("T1003")
"nist": ("DE.CM")
"tactics": ("Credential Access")
Collect into index
soc_risk
Artifact:
{
"search_name": "EBD - Windows Mimikatz Binary Execution - Rule",
"dest": "WinSrv22.luongdv.test",
"firstTime": "2025-07-23T10:30:38",
"risk_object": "WinSrv22.luongdv.test",
"risk_object_type": "system",
"threat_object": "powershell.exe",
"threat_object_type": "parent_process_name",
"process_name": "mimikatz.exe",
"process_hash": "SHA1=D1F7832035C3E8A73CC78AFD28CFD7F4CECE6D20,MD5=E930B05EFE23891D19BC354A4209BE3E,SHA256=92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50,IMPHASH=1355327F6CA3430B3DDBE6E0ACDA71EA",
"severity": "informational",
"link_alert": "https://192.168.35.150:8000/en-US/app/search/search?sid=scheduler__admin_dGhkX2ZpbmRpbmdfYmFzZWRfZGV0ZWN0aW9u__RMD5274c121f254c8a17_at_1753241460_248",
}
Playbook Workflow
Enrichment Phase
Block1: Hash Reputation check with OpenCTI
Action: file reputation
App: OpenCTI
Input:
process_hash
Output: Indicator ID, Name, Observables, killChainPhases, OpenCTI Score, Tags, etc.
# Variables
{
"search": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50"
}
Raw result
{
"data": {
"indicators": {
"edges": [
{
"node": {
"id": "e4778c3e-6cd2-4a97-931d-882d7d5c0126",
"standard_id": "indicator--4922d1d4-3df6-5cc4-bcb7-c7ed420ab841",
"is_inferred": false,
"revoked": false,
"confidence": 100,
"lang": "en",
"created": "2024-10-21T20:43:52.000Z",
"modified": "2024-10-22T14:48:27.596Z",
"pattern_type": "stix",
"pattern_version": "2.1",
"pattern": "[file:hashes.'SHA-256' = '92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50']",
"name": "92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50",
"description": null,
"valid_from": "2024-10-22T14:45:36.320Z",
"valid_until": "2025-07-24T12:05:08.155Z",
"x_opencti_score": 50,
"x_opencti_detection": false,
"x_opencti_main_observable_type": "Unknown",
"createdBy": {
"identity_class": "organization",
"name": "*** Redacted ***"
},
"objectMarking": [
{
"definition_type": "TLP",
"definition": "TLP:CLEAR"
}
],
"objectLabel": [
{
"value": "osint"
},
{
"value": "t1486 - data encrypted for impact"
},
{
"value": "t1133 - external remote services"
},
{
"value": "t1555 - credentials from password stores"
},
{
"value": "t1574.002 - dll side-loading"
},
{
"value": "t1057 - process discovery"
},
{
"value": "t1558 - steal or forge kerberos tickets"
},
{
"value": "t1563 - remote service session hijacking"
}
],
"killChainPhases": [],
"externalReferences": {
"edges": []
},
"observables": {
"edges": [
{
"node": {
"id": "3a163e26-93c4-4dd9-a6d3-61af4052c99d",
"standard_id": "file--75dac703-7cc2-5f0b-a5bf-2bb5e8437d57",
"entity_type": "StixFile",
"observable_value": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
"hashes": [
{
"algorithm": "SHA-256",
"hash": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50"
},
{
"algorithm": "MD5",
"hash": "e930b05efe23891d19bc354a4209be3e"
}
],
"size": 1250056,
"name": "windows_update100.exe",
"name_enc": null,
"magic_number_hex": null,
"mime_type": null,
"ctime": null,
"mtime": null,
"atime": null,
"obsContent": null
}
}
],
"pageInfo": {
"globalCount": 1
}
}
},
"cursor": "WzkzLjIyMTU1LCJpbmRpY2F0b3ItLTQ5MjJkMWQ0LTNkZjYtNWNjNC1iY2I3LWM3ZWQ0MjBhYjg0MSJd"
},
{
"node": {
"id": "ff066c33-d880-4235-8415-5da463b8b58a",
"standard_id": "indicator--26c73b34-9774-593e-9895-95250dfe6905",
"is_inferred": false,
"revoked": true,
"confidence": 100,
"lang": "en",
"created": "2024-09-02T20:58:29.797Z",
"modified": "2025-07-23T04:23:52.850Z",
"pattern_type": "stix",
"pattern_version": "2.1",
"pattern": "[file:hashes.'SHA-256' = '92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50']",
"name": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
"description": "Created by VirusTotal connector as the positive count was >= 10",
"valid_from": "2024-09-02T20:52:33.000Z",
"valid_until": "2025-06-20T08:02:17.557Z",
"x_opencti_score": 20,
"x_opencti_detection": false,
"x_opencti_main_observable_type": "StixFile",
"createdBy": {
"identity_class": "organization",
"name": "*** Redacted ***"
},
"objectMarking": [
{
"definition_type": "TLP",
"definition": "TLP:CLEAR"
}
],
"objectLabel": [
{
"value": "ransomware"
},
{
"value": "russia"
},
{
"value": "phishing"
},
{
"value": "belarus"
},
{
"value": "lockbit"
},
{
"value": "babuk"
},
{
"value": "cve-2023-38831"
},
{
"value": "vasa locker"
},
{
"value": "phantomdl"
},
{
"value": "phantomcore"
},
{
"value": "babyk"
},
{
"value": "hacktivists"
},
{
"value": "cobalt strike"
},
{
"value": "shamoon"
},
{
"value": "facefish"
},
{
"value": "chaos"
},
{
"value": "lockbit 3.0"
},
{
"value": "cve-2021-26855"
},
{
"value": "hacktivism"
},
{
"value": "cobint"
},
{
"value": "infrastructure sharing"
},
{
"value": "phantomjitter"
}
],
"killChainPhases": [],
"externalReferences": {
"edges": [
{
"node": {
"external_id": null,
"source_name": "VirusTotal",
"url": "https://www.virustotal.com/gui/file/92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
"description": "PE32+ executable (console) x86-64, for MS Windows"
}
}
]
},
"observables": {
"edges": [
{
"node": {
"id": "3a163e26-93c4-4dd9-a6d3-61af4052c99d",
"standard_id": "file--75dac703-7cc2-5f0b-a5bf-2bb5e8437d57",
"entity_type": "StixFile",
"observable_value": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
"hashes": [
{
"algorithm": "SHA-256",
"hash": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50"
},
{
"algorithm": "MD5",
"hash": "e930b05efe23891d19bc354a4209be3e"
}
],
"size": 1250056,
"name": "windows_update100.exe",
"name_enc": null,
"magic_number_hex": null,
"mime_type": null,
"ctime": null,
"mtime": null,
"atime": null,
"obsContent": null
}
}
],
"pageInfo": {
"globalCount": 1
}
}
},
"cursor": "Wzg5LjcwMTg2LCJpbmRpY2F0b3ItLTI2YzczYjM0LTk3NzQtNTkzZS05ODk1LTk1MjUwZGZlNjkwNSJd"
}
],
"pageInfo": {
"endCursor": "Wzg5LjcwMTg2LCJpbmRpY2F0b3ItLTI2YzczYjM0LTk3NzQtNTkzZS05ODk1LTk1MjUwZGZlNjkwNSJd",
"hasNextPage": false,
"globalCount": 2
}
}
}
}
Block2: Hash reputation check with VirusTotal
Action: file reputation
App: VirusTotal Call API
Input:
process_hash
Output: Name, Type, Malicious, Threat, Url search, etc.
{
"meaningful_name": "mimikatz.exe",
"magic": "PE32+ executable (console) x86-64, for MS Windows",
"malicious": 63,
"suggested_threat_label": "trojan.mimikatz/marte",
"url": "https://www.virustotal.com/api/v3/files/92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50"
}
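A worked example of the enrichment logic in Block 1 and Block 2 (the regex hash parsing is the same idea as the Parse IOC step later on the page), added here and not part of the original workflow or of the Shuffle, OpenCTI or VirusTotal apps; the sample hash string, OpenCTI response and VirusTotal result are constructed, and the verdict thresholds are assumptions:

```python
"""Added example, not the page's Shuffle workflow: parse the Splunk process_hash
field, choose the OpenCTI indicator to trust and merge it with the VirusTotal
verdict into a triage decision. All sample inputs below are constructed."""
import re
from datetime import datetime, timezone
from typing import Optional

# Same idea as the Shuffle regex capture-group step: ALGO=HEX pairs.
HASH_RE = re.compile(r"(SHA1|MD5|SHA256|IMPHASH)=([0-9A-Fa-f]+)")

def parse_process_hash(field: str) -> dict:
    """'SHA1=..,MD5=..,SHA256=..' -> {'sha1': .., 'md5': .., 'sha256': ..} (lowercase)."""
    return {algo.lower(): val.lower() for algo, val in HASH_RE.findall(field)}

def best_opencti_indicator(response: dict, now: Optional[datetime] = None) -> Optional[dict]:
    """Skip revoked and expired indicators, then keep the highest x_opencti_score."""
    now = now or datetime.now(timezone.utc)
    live = []
    for edge in response["data"]["indicators"]["edges"]:
        node = edge["node"]
        if node.get("revoked"):
            continue  # revoked by the source (see the VirusTotal-connector one above)
        until = datetime.fromisoformat(node["valid_until"].replace("Z", "+00:00"))
        if until < now:
            continue  # expired indicator: do not act on it
        live.append(node)
    return max(live, key=lambda n: n.get("x_opencti_score") or 0, default=None)

def triage_verdict(cti: Optional[dict], vt: dict, vt_min: int = 10) -> str:
    """'malicious' when either source is confident, 'suspicious' on weak signal.
    Thresholds (vt_min=10 engines, OpenCTI score >= 50) are assumptions."""
    score = (cti or {}).get("x_opencti_score") or 0
    if vt.get("malicious", 0) >= vt_min or score >= 50:
        return "malicious"
    if vt.get("malicious", 0) > 0 or score > 0:
        return "suspicious"
    return "unknown"

# Constructed sample data shaped like the page's Splunk artifact and API results.
SAMPLE_HASH = "SHA1=AAAA,MD5=BBBB,SHA256=CCCC,IMPHASH=DDDD"
SAMPLE_CTI = {"data": {"indicators": {"edges": [
    {"node": {"revoked": True, "x_opencti_score": 90,
              "valid_until": "2099-01-01T00:00:00.000Z", "standard_id": "indicator--revoked"}},
    {"node": {"revoked": False, "x_opencti_score": 50,
              "valid_until": "2099-01-01T00:00:00.000Z", "standard_id": "indicator--live"}},
    {"node": {"revoked": False, "x_opencti_score": 80,
              "valid_until": "2000-01-01T00:00:00.000Z", "standard_id": "indicator--expired"}},
]}}}
SAMPLE_VT = {"meaningful_name": "sample.exe", "malicious": 63}

if __name__ == "__main__":
    hashes = parse_process_hash(SAMPLE_HASH)
    cti = best_opencti_indicator(SAMPLE_CTI)
    print(hashes["sha256"], cti["standard_id"], triage_verdict(cti, SAMPLE_VT))
```

The lowercase SHA-256 is what the OpenCTI search variable on this page uses, while the Splunk field carries it uppercase, so the normalisation matters before the lookup.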
Notification Phase
Block3: Notify Team
Action: Send Information
App: Slack
Input: Summary of alert, Splunk result, OpenCTI result, VT result.
Verification Phase (Advanced)
Block4: Sandbox Detonation
Action: detonate file
App: Any.run or sandbox integration
Input:
process_hash
Output: Behavior analysis
Containment Phase (Advanced)
Block5: Endpoint Isolation
Action: isolate endpoint
App: EDR
Input: host or dest
Output: Status=success
Block6: Kill Malicious Process
Action: terminate malicious process
App: EDR
Input:
process_path
or pid
Output: Confirmation
Diagram

Configure
Splunk Rule Detection
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter`
| where process_hash!="null"
| where parent_process_name!="unknown"
| join type=left dest [ search index="windows-log" | fields dest, severity ]
| addinfo
| eval link_alert = "https://192.168.35.150:8000/en-US/app/search/search?sid=".info_sid
| eval annotations=json_object(
"analytic_story", mv_to_json_array(split("CISA AA22-320A,CISA AA23-347A,Compromised Windows Host,Credential Dumping,Flax Typhoon,Sandworm Tools,Volt Typhoon", ",")),
"cis20", mv_to_json_array(split("CIS 10", ",")),
"kill_chain_phases", mv_to_json_array(split("Exploitation", ",")),
"mitre_attack", mv_to_json_array(split("T1003", ",")),
"nist", mv_to_json_array(split("DE.CM", ",")),
"vn9i", mv_to_json_array(split("Các hình thức tấn công khác", ","))
)
| eval tactics = "Credential Access"
| eval entity = dest, entity_type = "system", risk_object= entity, risk_object_type=entity_type, threat_object = parent_process_name, threat_object_type = "parent_process_name"
| collect index=soc_risk
Disabled
False
Cron Schedule
0 * * * * *
Earliest Time
-70m@m
Latest Time
-10m@m
Schedule Window
auto
Creates Notable
Yes
Rule Title
%name%
Rule Description
%description%
Create a trigger action with a webhook for the search index=soc_risk

Disabled
False
Cron Schedule
*/1 * * * *
Earliest Time
-70m@m
Latest Time
-10m@m
Schedule Window
auto
Creates Notable
Yes
Rule Title
%name%
Rule Description
%description%
Parse IOC
Using the Shuffler regex capture-group tool


OpenCTI body

VirusTotal Get a hash report

Slack Chat Message

Result after the workflow is triggered by the alert and enriches the IOC

[New-Alert] Splunk Information
Rule Name: EBD - Windows Mimikatz Binary Execution - Rule
Timestamp: 2025-07-23T11:42:24
Dest: WinSrv22.luongdv.thd
Risk Object: WinSrv22.luongdv.thd
Risk Object Type: system
Threat Object: powershell.exe
Threat Object Type: parent_process_name
Process Name: mimikatz.exe
Process Hash: SHA1=D1F7832035C3E8A73CC78AFD28CFD7F4CECE6D20,MD5=E930B05EFE23891D19BC354A4209BE3E,SHA256=92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50,IMPHASH=1355327F6CA3430B3DDBE6E0ACDA71EA
Severity: informational
Link Alert: https://192.168.35.150:8000/en-US/app/search/search?sid=scheduler__admin_dGhkX2ZpbmRpbmdfYmFzZWRfZGV0ZWN0aW9u__RMD5274c121f254c8a17_at_1753245780_428
OpenCTI Information
Indicator ID: indicator--4922d1d4-3df6-5cc4-bcb7-c7ed420ab841
Name: [file:hashes.'SHA-256' = '92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50']
OpenCTI Score: 50
VirusTotal Information
Name: mimikatz.exe
Type: PE32+ executable (console) x86-64, for MS Windows
Malicious: 63
Threat: trojan.mimikatz/marte
Url: https://www.virustotal.com/api/v3/files/92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50