Detecting Mimikatz

Mimikatz

  • Well known and commonly used to dump credentials from memory along with other Windows post-exploitation activity

  • Mainly known for dumping LSASS

  • You can hunt for

    • the file created

    • execution of the file from an elevated process

    • creation of a remote thread

    • processes that Mimikatz creates

  • AV software will often pick up Mimikatz because its signature is well known

Detecting File Creation

  • First method just looks for files created with the name Mimikatz

  • This is a very simple technique to detect Mimikatz that might have bypassed AV or other detection methods

<RuleGroup name="" groupRelation="or">
  <ProcessAccess onmatch="exclude">
    <SourceImage condition="image">svchost.exe</SourceImage>
  </ProcessAccess>
  <ProcessAccess onmatch="include">
    <TargetImage condition="image">lsass.exe</TargetImage>
  </ProcessAccess>
</RuleGroup>

Detecting LSASS Behavior with PowerShell

  • Detect abnormal LSASS behavior by filtering Sysmon Event ID 10 (ProcessAccess) on TargetImage, so that accesses to other target processes are filtered out

Get-WinEvent -Path <Path to Log> -FilterXPath '*[System[EventID=10]] and *[EventData[Data[@Name="TargetImage"]="C:\Windows\system32\lsass.exe"]]'
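As an added example (not part of the original slides), the Python below applies the Sysmon rule-group semantics shown above to a few constructed Event ID 10 records: an exclude rule that matches suppresses the event, otherwise an include rule must match, and condition="image" matches either the full path or just the image file name. The sample paths are hypothetical.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# The Sysmon ProcessAccess rule group from the slide, embedded so this runs offline.
RULES = """<RuleGroup name="" groupRelation="or">
  <ProcessAccess onmatch="exclude">
    <SourceImage condition="image">svchost.exe</SourceImage>
  </ProcessAccess>
  <ProcessAccess onmatch="include">
    <TargetImage condition="image">lsass.exe</TargetImage>
  </ProcessAccess>
</RuleGroup>"""

# Constructed Event ID 10 (ProcessAccess) records, reduced to the two fields the rules use.
EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe", "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": r"C:\Windows\system32\notepad.exe"},
]

def image_matches(field_value, rule_value):
    """Sysmon 'image' condition: case-insensitive match on the full path or on the file name only."""
    v, r = field_value.lower(), rule_value.lower()
    return v == r or PureWindowsPath(v).name == r

def rule_matches(rule, event):
    """A ProcessAccess rule matches when every field filter inside it matches the event."""
    for field in rule:
        if field.get("condition") != "image":
            raise ValueError(f"only condition=\"image\" is handled here, got {field.get('condition')!r}")
        if not image_matches(event.get(field.tag, ""), field.text.strip()):
            return False
    return True

def event_is_logged(rules_xml, event):
    """Sysmon precedence: any matching exclude rule wins; otherwise some include rule must match."""
    rules = ET.fromstring(rules_xml).findall("ProcessAccess")
    if any(rule_matches(r, event) for r in rules if r.get("onmatch") == "exclude"):
        return False
    return any(rule_matches(r, event) for r in rules if r.get("onmatch") == "include")

def suspicious_lsass_access(rules_xml, events):
    """Return the SourceImage of every event the rule group would let through to the log."""
    return [e["SourceImage"] for e in events if event_is_logged(rules_xml, e)]

if __name__ == "__main__":
    for src in suspicious_lsass_access(RULES, EVENTS):
        print("lsass.exe accessed by:", src)
```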
