Detecting Mimikatz Without Signature-Based Rules

9 January 2023 | justruss.tech

Mimikatz is the most widely reproduced and modified credential theft tool in existence. The original codebase by Benjamin Delpy is public, well-understood, and has spawned hundreds of variants. Signature-based detection consistently lags the variants. Behavioural detection is more durable because the operations on LSASS that credential theft requires (opening a handle to the process and reading its memory) cannot change without breaking the functionality, even when the user-mode API used to reach them does.

What Mimikatz actually does at the API level

The sekurlsa::logonpasswords module performs the following sequence:

1. OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, FALSE, lsass_pid)
   -> Returns handle with access mask 0x1010 (on Vista and later; on older
      systems Mimikatz requests PROCESS_QUERY_INFORMATION instead, and a tool
      that still does so today is granted 0x1410, because a handle with
      PROCESS_QUERY_INFORMATION is automatically granted the limited right too)

2. NtQueryInformationProcess(hLsass, ProcessBasicInformation, ...)
   -> Gets the LSASS PEB base address

3. ReadProcessMemory(hLsass, peb_address, ...)
   -> Reads the PEB and its loader data to locate lsasrv.dll and the SSP
      DLLs (wdigest.dll, kerberos.dll, ...) inside LSASS

4. Repeat ReadProcessMemory calls to locate the SSP (Security Support Provider)
   credential structures, starting from the logon session list in lsasrv.dll

5. Decrypt the credential blobs locally
   -> Mimikatz reads the 3DES/AES keys and IV out of lsasrv.dll memory and
      calls BCryptDecrypt in its own process (its reimplementation of
      LsaUnprotectMemory); nothing inside LSASS is invoked for the decryption

Each of these operations is visible to the OS and generates telemetry at different layers.

Sysmon Event ID 10 — the primary detection

<!-- Sysmon config to catch all LSASS access: -->
<ProcessAccess onmatch="include">
  <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
</ProcessAccess>
<ProcessAccess onmatch="exclude">
  <SourceImage condition="is">C:\Windows\System32\werfault.exe</SourceImage>
  <SourceImage condition="is">C:\Windows\System32\WerFaultSecure.exe</SourceImage>
</ProcessAccess>

Sysmon evaluates exclude rules before include rules, so the WerFault entries take precedence even though every LSASS target is included. Keep exclusions to full-path "is" matches rather than image-name matches that a renamed binary in another directory would satisfy, and treat each exclusion as a blind spot you have chosen.

The event generated for standard Mimikatz sekurlsa::logonpasswords:

EventID:       10
SourceImage:   C:\Users\attacker\mimikatz.exe
TargetImage:   C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010
CallTrace:
  C:\Windows\SYSTEM32\ntdll.dll+9f0d4
  C:\Windows\SYSTEM32\KERNELBASE.dll+27bc2
  C:\Users\attacker\mimikatz.exe+12a34

Access mask breakdown: 0x1010 = PROCESS_VM_READ (0x0010) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000)

Legitimate processes with LSASS access and their expected masks:

Process                          Expected GrantedAccess
Windows Defender (MsMpEng.exe)   0x1400
CrowdStrike Falcon               0x1fffff (kernel handle)
Task Manager                     0x1fffff
Windows Error Reporting          0x0040

These values come from specific product versions; baseline them from your own telemetry rather than copying the table, and allowlist on the full signed image path together with the mask, never on the mask alone: 0x1fffff is PROCESS_ALL_ACCESS, and a dumper that requests full access receives exactly the mask Task Manager does.

WDigest detection — registry write monitoring

Before sekurlsa::wdigest yields anything on a patched system (Windows 8.1 / Server 2012 R2 and later, or older systems with KB2871997 installed), the operator enables WDigest plaintext caching; Mimikatz itself has no command that sets this value. The change only affects logon sessions created afterwards, so the operator then waits for, or forces, a new logon:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

Sysmon Event ID 13 (RegistryEvent – SetValue) captures this, provided a RegistryEvent include rule in your config covers the key (Sysmon logs no registry events without one):

EventID:    13
UtcTime:    2023-01-09 14:22:33.118
EventType:  SetValue
Image:      C:\Windows\System32\reg.exe
TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
Details:    DWORD (0x00000001)

Sigma rule:

title: WDigest Credential Caching Enabled
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: \WDigest\UseLogonCredential
        Details: "DWORD (0x00000001)"
    condition: selection
level: critical

Detecting direct syscall variants

Tools like SysWhispers, Hell’s Gate, and Halo’s Gate generate direct syscall stubs to bypass userland hooks, so an EDR that relies on inline hooks in ntdll sees nothing. Sysmon Event ID 10 is not a hook: it comes from a kernel object callback (ObRegisterCallbacks) that fires when the LSASS handle is opened, however the syscall was issued, and the CallTrace of such an event is itself a tell, because its first frame is the caller's own module or an UNKNOWN(...) region rather than ntdll.dll. What Sysmon never sees is the memory read through that handle. Seeing the read itself requires the
Microsoft-Windows-Threat-Intelligence ETW provider, which is fed from the kernel:

Event: 10 (ReadVirtualMemory)
Provider: Microsoft-Windows-Threat-Intelligence
ProcessID: 4892 (mimikatz_renamed.exe)
CallingProcessID: 4892
TargetProcessID: 724 (lsass.exe)
BaseAddress: 0x7ff8c0000000
BytesToRead: 4096

This provider is available on Windows 10 1709+ and can only be consumed by a process running as an anti-malware protected process (PPL), which in practice means shipping an ELAM-signed driver. Commercial EDR products that do so see this; Sysmon does not. If your coverage is Sysmon-only, test it against a direct syscall
credential dumper: confirm that Event ID 10 still fires and look at what its CallTrace records, because the read itself, not the handle open, is the gap Sysmon leaves.

AMSI-based detection

When Mimikatz runs as a script (Invoke-Mimikatz) or is reflectively loaded into PowerShell, AMSI scans the content before execution. The result surfaces through the Microsoft-Antimalware-Scan-Interface ETW provider (Event ID 1101), which has no event log channel enabled by default, so a trace session (logman, or your EDR's collector) is needed to capture it:

AppName:         PowerShell_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_10.0
ContentName:     [the script content]
ContentSize:     45823
OriginalSize:    45823
Result:          32768  # AMSI_RESULT_DETECTED
Session:         1
ScanStatus:      1

In-memory AMSI bypasses (patching AmsiScanBuffer in amsi.dll, or setting PowerShell's amsiInitFailed flag) do not produce a Sysmon event: Sysmon has no event for a process changing the protection of, or writing to, its own memory. Those operations are what the Threat-Intelligence provider above reports for the local process (its ProtectVirtualMemory events), and the PowerShell that performs the patch is itself submitted to AMSI and to script block logging (Event ID 4104) before it runs. Sysmon Event ID 25 (ProcessTampering, Sysmon 13 and later) covers a different case: the process image being replaced or locked while the process is created (hollowing, herpaderping). It looks like this and is worth collecting, but it does not fire for an AMSI patch:

EventID:    25
UtcTime:    2023-01-09 14:24:11.992
Image:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:       Image is replaced