
Rule Info
Name
Hacktool Katz Variants - Credential Dumping Tool Execution (Powershell)
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential usage of unwanted credential dumping hack tools that follow naming conventions similar to mimikatz.exe.
Red team developers frequently incorporate "katz" in their tool names to indicate the credential dumping functionality of their tools.
Reference
Internal Research
Date
2025-04-21 00:00:00
Modified
None
Id
aa006248-0515-4034-96d6-a055ac8ba336
Tags
attack.credential-access attack.t1003 attack.execution attack.t1059.001
Type
Nextron Sigma feed only (private)