Detecting Mimikatz With Sysmon

Josh Levurge
2 min read · Oct 15, 2019


Mimikatz is a tool that dumps Windows credentials from memory by reading the lsass process. There are many ways to detect the Mimikatz binary in your environment. Sysmon is a proven Windows utility for expanding detection visibility and discovering endpoint threats.

Here are some basic ways to use Sysmon to detect Mimikatz in your environment.

  1. Using Sysmon To Detect Command Line Execution
  2. Using Sysmon To Detect Obfuscated Command Line Execution
  3. Using Sysmon To Detect Mimikatz Accessing Lsass Memory

Using Sysmon To Detect Command Line Execution

Before attackers can execute Mimikatz and dump Windows credentials, they must first get the binary into your environment and run it. Sysmon Event ID 1 records Windows process creation, including the full command line used to invoke each process, so a command line that references Mimikatz, including one launched from a shell, is visible in that event.

Using Sysmon To Detect Obfuscated Command Line Execution

Threat actors will often obfuscate their command line execution in order to evade endpoint detection. Base64 encoding is a common adversarial obfuscation tactic.

Using Sysmon To Detect Mimikatz Accessing Lsass Memory

The lsass process enforces the Windows security policy, verifies user logons, and handles user password changes. If you configure Sysmon to log processes that open a handle to lsass, Sysmon Event ID 10 (ProcessAccess) will show Mimikatz as the source process (SourceImage) accessing lsass.exe as the target process (TargetImage).
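The three detections above, run over a handful of constructed Sysmon events (Event ID 1 command lines, one of them Base64-encoded the way PowerShell's -EncodedCommand expects, and an Event ID 10 lsass access), as an added example that is not part of the original post. The event dictionaries, paths and alert names are assumptions made up for the example.

```python
import base64
import re

# Constructed sample Sysmon events (not real logs), reduced to the fields the
# three detections need: EventID 1 = ProcessCreate, EventID 10 = ProcessAccess.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "mimikatz.exe"},
    {"EventID": 1, "CommandLine": "powershell.exe -enc " + base64.b64encode(
        "IEX mimikatz.exe".encode("utf-16-le")).decode("ascii")},
    {"EventID": 10, "SourceImage": r"C:\Tools\dumper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "CommandLine": "notepad.exe notes.txt"},
]

MIMIKATZ = re.compile(r"mimikatz", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_powershell_encoded(command_line):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect(event):
    """Return an alert label for one Sysmon event, or None if nothing matched."""
    if event["EventID"] == 1:
        cmd = event.get("CommandLine", "")
        if MIMIKATZ.search(cmd):
            return "mimikatz-commandline"
        decoded = decode_powershell_encoded(cmd)
        if decoded and MIMIKATZ.search(decoded):
            return "mimikatz-encoded-commandline"
    elif event["EventID"] == 10:
        # Event 10 names the accessing process as SourceImage and the accessed
        # process as TargetImage; a production rule would also check GrantedAccess.
        if event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            return "lsass-process-access"
    return None

def scan(events):
    """Return (EventID, alert) pairs for every event that trips a detection."""
    return [(e["EventID"], alert) for e in events if (alert := detect(e))]
```

Plain-text matching alone misses the encoded case, which is why the second detection decodes the -EncodedCommand argument before searching it.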
