Mimikatz is the most reproduced and modified credential theft tool in existence. The original codebase is public, hundreds of variants exist, and new ones appear specifically designed to evade current signatures. Relying on file hash or string signature detection for Mimikatz is a losing game. The approach that holds up over time is behavioural detection based on what Mimikatz must do at the API and kernel level to extract credentials, because those operations cannot change without breaking the tool’s functionality.
What Mimikatz does at the system level
Regardless of variant or obfuscation, the sekurlsa::logonpasswords module follows the same sequence. It calls OpenProcess on lsass.exe, requesting PROCESS_VM_READ, to obtain a handle. It calls NtQueryInformationProcess on that handle to locate the LSASS PEB. It calls ReadProcessMemory repeatedly to walk LSASS memory structures and find the credential caches. It calls BCryptDecrypt with the LSA encryption key to decrypt the cached credentials. Each of these steps is detectable at a different layer.
Sysmon Event ID 10: LSASS process access
<!-- Sysmon config: catch all LSASS access -->
<ProcessAccess onmatch="include">
    <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
</ProcessAccess>
# Mimikatz sekurlsa::logonpasswords generates:
# SourceImage: C:\path\to\mimikatz.exe
# TargetImage: C:\Windows\System32\lsass.exe
# GrantedAccess: 0x1010
#
# 0x1010 = PROCESS_VM_READ (0x0010) + PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
# This is the exact access mask Mimikatz requests by default
# Legitimate processes that access LSASS use different masks:
# Windows Defender: 0x1400
# Task Manager: 0x1fffff
# Windows Error Report: 0x0040
# Splunk detection
index=sysmon EventCode=10
TargetImage="*\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff")
NOT SourceImage IN (
"C:\Program Files\Windows Defender\*",
"C:\ProgramData\Microsoft\Windows Defender\*",
"C:\Windows\System32\werfault.exe"
)
| table _time, ComputerName, SourceImage, GrantedAccess
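Here is an added example, not code from the original post, that does the mask arithmetic above in Python: it decodes a Sysmon GrantedAccess value into the named rights it contains and applies the same source-image allowlist as the Splunk search to a few constructed Event ID 10 records. It goes one step beyond the search by testing for the PROCESS_VM_READ bit instead of an exact list of masks, so 0x1410 and any other mask that includes the read right is also caught. Field names follow Sysmon; the sample paths and events are made up.

```python
"""Decode Sysmon Event ID 10 GrantedAccess masks and triage LSASS access.

Added example, not code from the original post. The PROCESS_* values are the
documented Win32 access-right constants; the sample events are constructed
to look like Sysmon Event ID 10 records, not real telemetry.
"""
from __future__ import annotations

# Process access rights from winnt.h. PROCESS_ALL_ACCESS on Vista+ is 0x1fffff,
# which is STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xffff.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_VM_READ = 0x0010

# Exclusions mirrored from the post's Splunk search.
LEGIT_SOURCE_PREFIXES = (
    "C:\\Program Files\\Windows Defender\\",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\",
)
LEGIT_SOURCE_IMAGES = ("C:\\Windows\\System32\\werfault.exe",)


def decode_access_mask(mask: int) -> list[str]:
    """Expand a GrantedAccess value into the named rights it contains."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)  # bits winnt.h does not name
    if leftover:
        names.append(f"UNNAMED_0x{leftover:x}")
    return names


def can_read_memory(mask: int) -> bool:
    """Credential extraction has to read LSASS memory, so PROCESS_VM_READ is
    the one right a dumper cannot drop; it is also part of PROCESS_ALL_ACCESS.
    Checking the bit, rather than a list of exact masks, covers variants that
    request extra rights (for example 0x1410 for a MiniDump-style read)."""
    return bool(mask & PROCESS_VM_READ)


def is_suspicious_lsass_access(event: dict) -> bool:
    """Apply the post's logic to one Event ID 10 record (field names as in Sysmon)."""
    source = event["SourceImage"].lower()
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    if not can_read_memory(int(event["GrantedAccess"], 16)):
        return False
    if source in (s.lower() for s in LEGIT_SOURCE_IMAGES):
        return False
    if source.startswith(tuple(p.lower() for p in LEGIT_SOURCE_PREFIXES)):
        return False
    return True


def triage(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (SourceImage, GrantedAccess, decoded rights) for each hit."""
    return [
        (e["SourceImage"], e["GrantedAccess"], decode_access_mask(int(e["GrantedAccess"], 16)))
        for e in events
        if is_suspicious_lsass_access(e)
    ]


LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"SourceImage": "C:\\Users\\bob\\Desktop\\mimikatz.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": LSASS, "GrantedAccess": "0x1400"},
    {"SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    {"SourceImage": "C:\\Windows\\System32\\WerFault.exe", "TargetImage": LSASS, "GrantedAccess": "0x0040"},
    {"SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1410"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for src, mask, rights in triage(SAMPLE_EVENTS):
        print(f"ALERT {src} -> lsass.exe GrantedAccess={mask} [{', '.join(rights)}]")
```

Task Manager shows up in the output because, as noted above, it opens LSASS with 0x1fffff, which contains PROCESS_VM_READ; whether to add it to the allowlist is a tuning decision for your environment, since it is also a convenient way to dump LSASS by hand. The Defender record is dropped on the mask alone (0x1400 has no read right), before the path allowlist is consulted.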
Detecting WDigest enablement
# sekurlsa::wdigest requires WDigest to be enabled
# Enabling it writes to a registry key - Sysmon Event ID 13 captures this
# Sigma rule
title: WDigest Credential Caching Enabled
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\WDigest\UseLogonCredential'
        Details: 'DWORD (0x00000001)'
    condition: selection
level: critical
# There is almost no legitimate reason to enable WDigest on a modern Windows system
# Any write of value 1 to UseLogonCredential is credential theft preparation
Detecting dump file creation
# After accessing LSASS memory, Mimikatz or the attacker often creates a dump file
# Sysmon Event ID 11 captures file creation
index=sysmon EventCode=11
TargetFilename="*.dmp"
NOT TargetFilename IN (
"C:\Windows\MEMORY.DMP",
"C:\Windows\Minidump\*",
"C:\ProgramData\Microsoft\Windows\WER\*"
)
| table _time, ComputerName, Image, TargetFilename
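As an added example (not part of the post), the WDigest rule and the dump-file search above applied in Python to Sysmon events in their native XML form. The Event ID 13 and 11 events are constructed to follow the Sysmon schema, and the paths in them are placeholders. It exercises the edge cases the two rules rely on: a write of UseLogonCredential = 0 does not match, and .dmp files under the crash-dump and WER paths are excluded with a case-insensitive comparison.

```python
"""Match the WDigest (Event ID 13) and dump-file (Event ID 11) rules above
against Sysmon events in their native XML form.

Added example, not code from the original post. The events are constructed
to follow the Sysmon event schema (System/EventID, EventData/Data[@Name]);
the paths and image names in them are placeholders.
"""
import fnmatch
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Paths excluded by the post's Splunk search (wildcards as in the search).
DUMP_ALLOWLIST = (
    "C:\\Windows\\MEMORY.DMP",
    "C:\\Windows\\Minidump\\*",
    "C:\\ProgramData\\Microsoft\\Windows\\WER\\*",
)


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {field: value}, plus EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def matches_wdigest_enable(ev: dict) -> bool:
    """Sigma 'registry_set' rule: UseLogonCredential written as DWORD 1.
    A write of 0 (disabling WDigest) must not match."""
    return (
        ev["EventID"] == 13
        and "\\WDigest\\UseLogonCredential" in ev.get("TargetObject", "")
        and ev.get("Details") == "DWORD (0x00000001)"
    )


def matches_dump_file(ev: dict) -> bool:
    """Event ID 11 for a *.dmp outside the crash-dump and WER locations.
    Comparison is case-insensitive, as NTFS paths are."""
    if ev["EventID"] != 11:
        return False
    name = ev.get("TargetFilename", "").lower()
    if not name.endswith(".dmp"):
        return False
    return not any(fnmatch.fnmatchcase(name, p.lower()) for p in DUMP_ALLOWLIST)


def evaluate(xml_events: list) -> list:
    """Run both rules over a batch of events; return (rule, key field) per hit."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if matches_wdigest_enable(ev):
            alerts.append(("WDigest Credential Caching Enabled", ev["Image"]))
        elif matches_dump_file(ev):
            alerts.append(("Memory dump file created", ev["TargetFilename"]))
    return alerts


def _event(event_id: int, **data: str) -> str:
    """Build a constructed Sysmon-style event for the samples below."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>{event_id}</EventID><Computer>WS01</Computer></System>"
        f"<EventData>{rows}</EventData></Event>"
    )


WDIGEST_KEY = "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    _event(13, EventType="SetValue", Image="C:\\Windows\\System32\\reg.exe",
           TargetObject=WDIGEST_KEY, Details="DWORD (0x00000001)"),
    _event(13, EventType="SetValue", Image="C:\\Windows\\System32\\reg.exe",
           TargetObject=WDIGEST_KEY, Details="DWORD (0x00000000)"),
    _event(11, Image="C:\\Users\\bob\\Desktop\\mimikatz.exe",
           TargetFilename="C:\\Windows\\Temp\\lsass.DMP"),
    _event(11, Image="System", TargetFilename="C:\\Windows\\Minidump\\040124-12345-01.dmp"),
    _event(11, Image="C:\\Windows\\System32\\WerFault.exe",
           TargetFilename="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\x\\memory.dmp"),
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"ALERT [{rule}] {detail}")
```

The Event ID 11 rule only fires if your Sysmon configuration has a FileCreate rule that covers the path in question; an include-list config that names only a few directories will never log a dump written to a temp folder, so check the config before trusting the search.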
Detecting the direct syscall variants
Mimikatz variants built on SysWhispers, Hell’s Gate, or custom direct-syscall stubs bypass userland hooks entirely. Sysmon Event ID 10 will not fire because the hook DLL never executes. The Microsoft-Windows-Threat-Intelligence ETW provider (ETWTI) does capture these operations at the kernel level, but consuming ETWTI requires a kernel driver, so Sysmon-only deployments have a gap here.
Test your coverage by running a direct-syscall credential dumper in a lab environment and checking whether your EDR alerts. If it does not, you need kernel-level coverage. Verify that your EDR has an active kernel driver by running sc query type= kernel and looking for your vendor’s driver in the output.
Sigma rule covering the common variants
title: LSASS Memory Access Indicating Credential Dumping
id: 32d0d3e2-e58d-4d41-a703-4b606902d533
status: stable
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1fffff'
            - '0x1410'
            - '0x1010'
            - '0x1038'
    filter_legit:
        SourceImage|startswith:
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\'
            - 'C:\Windows\System32\werfault.exe'
    condition: selection and not filter_legit
level: high
tags:
    - attack.credential_access
    - attack.t1003.001