We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Behavior:Win32/Mimikatz.L
Aliases: No associated aliases
Summary
Behavior:Win32/Mimikatz.L, the "Behavior" variant is a reconfiguration of HackTool:Win32/Mimikatz and its variants. The HackTool detections are based on the tool's static components on disk while the Behavior detections come from the threat actor using the core Mimikatz functionality in fileless, script-based attacks via PowerShell and other scripting languages.
When threat actors extract capabilities of a tool (in this case HackTool:Win32/Mimikatz) and spread them out as identifiable, detectable actions, they compel antivirus apps to use behavioral heuristics instead of malware static signatures search. A clear illustration of how threat actors adapt to operate in a way that works around static security defenses.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
