Detecting Mimikatz With Sysmon

  1. Using Sysmon To Detect Command Line Execution
  2. Using Sysmon To Detect Obfuscated Command Line Execution
  3. Using Sysmon To Detect Mimikatz Accessing Lsass Memory

Using Sysmon To Detect Command Line Execution

Before attackers can execute Mimikatz and dump Windows credentials, they must first download the binary into your environment. Sysmon Event ID 1 tracks Windows process creation and records the command line used to invoke each process, including shell processes.

Using Sysmon To Detect Obfuscated Command Line Execution

Threat actors will often obfuscate their command line execution in order to evade endpoint detection. Base64 encoding of the command is a common adversarial obfuscation tactic.
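The two detection ideas above (watching Event ID 1 command lines, and seeing through Base64-encoded PowerShell) as one added example, not code from the original post. It parses Sysmon records in Windows event XML form, decodes any `-EncodedCommand` blob (UTF-16LE under Base64, as PowerShell expects), and matches a small assumed list of Mimikatz indicator strings; the sample events are constructed.

```python
"""Scan Sysmon Event ID 1 (process creation) records for Mimikatz indicators,
including payloads hidden behind PowerShell's -EncodedCommand switch.
Added example; the sample events below are constructed, not real telemetry."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace used by Windows event XML; Sysmon records use the same form.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Substrings a defender treats as Mimikatz indicators (assumed starter list).
INDICATORS = ("mimikatz", "sekurlsa::", "lsadump::", "privilege::debug")

# PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc ...) followed
# by a Base64 blob; requiring 16+ chars keeps "-ExecutionPolicy Bypass" out.
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})")


def sysmon_event(event_id, fields):
    """Build a constructed Sysmon event in Windows event XML form."""
    data = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>'
                   for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


def parse_event(xml_text):
    """Return {'EventID': int, <Data Name>: value, ...} for one event record."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def decode_encoded_command(cmdline):
    """If the command line carries -EncodedCommand, return the decoded script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def find_indicators(text):
    """Case-insensitive substring match against INDICATORS, in list order."""
    low = text.lower()
    return [i for i in INDICATORS if i in low]


def scan_events(xml_records):
    """One alert per Event ID 1 whose image, command line or decoded payload
    contains an indicator; other event IDs are ignored."""
    alerts = []
    for xml_text in xml_records:
        rec = parse_event(xml_text)
        if rec["EventID"] != 1:
            continue
        cmdline = rec.get("CommandLine", "")
        decoded = decode_encoded_command(cmdline)
        hits = find_indicators(" ".join([rec.get("Image", ""), cmdline, decoded or ""]))
        if hits:
            alerts.append({"image": rec.get("Image"), "command_line": cmdline,
                           "decoded": decoded, "indicators": hits})
    return alerts


# Constructed sample telemetry: a plain Mimikatz launch, an encoded PowerShell
# launch, a benign process, and a network event that must be skipped.
_ENCODED = base64.b64encode(
    "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    sysmon_event(1, {"Image": r"C:\Users\alice\Downloads\mimikatz.exe",
                     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'}),
    sysmon_event(1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"}),
    sysmon_event(1, {"Image": r"C:\Windows\System32\notepad.exe",
                     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"}),
    sysmon_event(3, {"Image": r"C:\Windows\System32\svchost.exe",
                     "DestinationIp": "10.0.0.5"}),
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a["image"], a["indicators"], (a["decoded"] or "")[:60])
```

The decoded script is matched with the same indicator list as the raw command line, so renaming the binary or wrapping the call in an encoded command does not by itself evade the rule; renaming plus a custom module name still would, which is why the lsass access check in the next section matters.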

Using Sysmon To Detect Mimikatz Accessing Lsass Memory

The lsass process enforces the Windows security policy, verifies user logons, and handles user password changes. If you configure Sysmon to watch for Mimikatz accessing the lsass process, Sysmon Event ID 10 will show Mimikatz as the parent process accessing lsass.exe as the child process.
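Triage logic for the Event ID 10 records that such a rule produces, as an added example that is not part of the original post. It takes the EventData fields of a ProcessAccess record as a dict, keeps only handles to lsass.exe that carry the PROCESS_VM_READ right (the right a memory dump needs), drops an assumed starter allowlist of processes that legitimately read lsass, and adds context from Sysmon's CallTrace field; the records and the allowlist are constructed and must be tuned per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handles opened to
lsass.exe with memory-read rights. Added example; records are constructed."""
import ntpath  # handles Windows backslash paths on any host

# Win32 process access rights (winnt.h); a credential dump needs VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed starter allowlist of source binaries that legitimately open lsass
# (the Defender engine and core system processes); tune per environment.
ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Script hosts and LOLBins that have no business reading lsass memory.
UNEXPECTED_SOURCES = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}


def granted_access(value):
    """Sysmon logs GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16)


def triage_process_access(rec):
    """Return the reasons a record looks like an lsass memory read, or []
    when the target is not lsass, the source is allowlisted, or no read right
    was granted."""
    if ntpath.basename(rec.get("TargetImage", "")).lower() != "lsass.exe":
        return []
    source = ntpath.basename(rec.get("SourceImage", "")).lower()
    if source in ALLOWLIST:
        return []
    mask = granted_access(rec.get("GrantedAccess", "0x0"))
    reasons = []
    if mask & PROCESS_VM_READ:
        reasons.append(f"VM_READ granted (mask {mask:#x})")
    if mask == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")
    if not reasons:
        return []
    # Sysmon prints UNKNOWN for call-stack frames not backed by a file on disk,
    # typical of reflectively loaded or injected tooling.
    if "unknown" in rec.get("CallTrace", "").lower():
        reasons.append("call trace contains frames from unbacked memory")
    if source in UNEXPECTED_SOURCES:
        reasons.append(f"unexpected source process {source}")
    return reasons


def scan_process_access(records):
    """(SourceImage, reasons) for every record that triage flags."""
    found = []
    for rec in records:
        reasons = triage_process_access(rec)
        if reasons:
            found.append((rec.get("SourceImage", ""), reasons))
    return found


# Constructed sample records: Mimikatz on disk, the Defender engine, a query-only
# handle from svchost, and a PowerShell host with an unbacked call stack.
SAMPLE_RECORDS = [
    {"SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Users\alice\Downloads\mimikatz.exe+1234"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(00000000024A1F20)"},
]

if __name__ == "__main__":
    for source, reasons in scan_process_access(SAMPLE_RECORDS):
        print(source)
        for r in reasons:
            print("  -", r)
```

Filtering on the access mask rather than on the source image name is what makes this rule survive a renamed binary: the query-only 0x1400 handle from svchost is ignored, while any non-allowlisted process granted VM_READ on lsass is surfaced, with the unbacked call-stack frames and script-host source adding weight to the PowerShell case.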
