Behavior:Win32/MimikatzTrigger
Aliases: No associated aliases
Summary
Behavior:Win32/MimikatzTrigger is a specific detection category aimed at preparatory activity that enables credential harvesting with Mimikatz-based tools (Behavior:Win32/Mimikatz is aimed at the credential-dumping activity itself). The "Trigger" designation is unique because it focuses on behaviors that weaken the defense posture of the target devices before Mimikatz file-based or fileless attacks are launched, such as disabling security agents or changing the authentication method, and not on the credential theft.
Viewed this way, the designation describes a pre-attack stage, a "trigger" that comes before planned or full-scale attacks are carried out: it plants the exploit pathway and is not the main Mimikatz payload. Both variants are based on the HackTool:Win32/Mimikatz artifact, but they take different approaches: HackTool classifies the static file dropped on disk, and Behavior detects the launch of a fileless attack against the device.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
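The definition update and full scan recommended above, combined with a check for the switched-off protections this detection is concerned with, using the built-in Microsoft Defender PowerShell cmdlets. This is an added example, not Microsoft's own remediation script; the function names are hypothetical, and it assumes an elevated PowerShell session on a device running Microsoft Defender Antivirus.

```powershell
# Added example. Uses only cmdlets from the built-in Defender module.
# Get-DefenderPostureGap and Get-TriggerDetection are hypothetical helper names.
$ThreatName = 'Behavior:Win32/MimikatzTrigger'   # detection name from this page

function Get-DefenderPostureGap {
    # Returns the names of protection features that currently report as off.
    # On older builds without IsTamperProtected the property is empty and is
    # reported as a gap, which is the conservative reading.
    $status = Get-MpComputerStatus
    $checks = 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
              'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'IsTamperProtected'
    $checks | Where-Object { -not $status.$_ }
}

function Get-TriggerDetection {
    param([string]$Name = $ThreatName)
    # Get-MpThreat maps ThreatID to ThreatName; Get-MpThreatDetection holds
    # the individual detection events, keyed by ThreatID.
    $ids = @(Get-MpThreat |
             Where-Object ThreatName -eq $Name |
             Select-Object -ExpandProperty ThreatID)
    if ($ids.Count -eq 0) { return @() }
    Get-MpThreatDetection |
        Where-Object { $ids -contains $_.ThreatID } |
        Sort-Object InitialDetectionTime |
        Select-Object InitialDetectionTime, ProcessName, Resources, ActionSuccess
}

# 1. Report protections that are off before relying on the scan result.
$gaps = @(Get-DefenderPostureGap)
if ($gaps.Count -gt 0) {
    Write-Warning "Defender protections reported as off: $($gaps -join ', ')"
}

# 2. Update definitions, then run the full scan the page recommends.
Update-MpSignature
Start-MpScan -ScanType FullScan

# 3. List recorded detections of this threat with the resources involved.
$hits = @(Get-TriggerDetection)
if ($hits.Count -eq 0) {
    Write-Output "No recorded detections of $ThreatName on this device."
} else {
    $hits | Format-List
}
```

A protection that is still reported as off after the scan should be re-enabled and its change traced before the device is treated as clean.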