{"id":200,"date":"2025-09-30T09:00:00","date_gmt":"2025-09-30T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/01\/09\/detecting-mimikatz-without-signature-based-rules\/"},"modified":"2026-05-15T10:34:55","modified_gmt":"2026-05-15T10:34:55","slug":"detecting-mimikatz-without-signature-based-rules","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2025\/09\/30\/detecting-mimikatz-without-signature-based-rules\/","title":{"rendered":"Detecting Mimikatz Without Signature-Based Rules"},"content":{"rendered":"<p>Mimikatz is the most reproduced and modified credential theft tool in existence. The original codebase is public, hundreds of variants exist, and new ones appear specifically designed to evade current signatures. Relying on file hash or string signature detection for Mimikatz is a losing game. The approach that holds up over time is behavioural detection based on what Mimikatz must do at the API and kernel level to extract credentials, because those operations cannot change without breaking the tool&#8217;s functionality.<\/p>\n<h3>What Mimikatz does at the system level<\/h3>\n<p>The sekurlsa::logonpasswords module follows a consistent sequence regardless of variant or obfuscation. It calls OpenProcess on lsass.exe with PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION (0x1010) to get a handle. It calls NtQueryInformationProcess on that handle to locate the LSASS PEB and, from the PEB, the loaded modules such as lsasrv.dll. It calls ReadProcessMemory repeatedly to walk LSASS memory structures and locate credential caches. It calls BCryptDecrypt with the 3DES and AES keys it has already read out of lsasrv.dll memory to decrypt the cached credentials. 
Each of these steps is detectable at a different layer.<\/p>\n<h3>Sysmon Event ID 10: LSASS process access<\/h3>\n<pre>&lt;!-- Sysmon config: catch all LSASS access. Minimal but complete file; load with sysmon -c --&gt;\n&lt;Sysmon schemaversion=\"4.90\"&gt;\n  &lt;EventFiltering&gt;\n    &lt;ProcessAccess onmatch=\"include\"&gt;\n      &lt;TargetImage condition=\"is\"&gt;C:\\Windows\\System32\\lsass.exe&lt;\/TargetImage&gt;\n    &lt;\/ProcessAccess&gt;\n  &lt;\/EventFiltering&gt;\n&lt;\/Sysmon&gt;<\/pre>\n<pre># Mimikatz sekurlsa::logonpasswords generates:\n# SourceImage:   C:\\path\\to\\mimikatz.exe\n# TargetImage:   C:\\Windows\\System32\\lsass.exe\n# GrantedAccess: 0x1010\n#\n# 0x1010 = PROCESS_VM_READ (0x0010) + PROCESS_QUERY_LIMITED_INFORMATION (0x1000)\n# This is the exact access mask Mimikatz requests by default on Vista and later.\n# 0x1410 adds PROCESS_QUERY_INFORMATION (0x0400); 0x1038 adds PROCESS_VM_WRITE (0x0020)\n# and PROCESS_VM_OPERATION (0x0008). The rules below treat both as suspicious as well.\n\n# Legitimate processes that access LSASS use different masks:\n# Windows Defender:     0x1400\n# Task Manager:         0x1fffff\n# Windows Error Report: 0x0040\n#\n# Task Manager is deliberately not in the exclusion list: dumping lsass.exe from\n# Task Manager is the same behaviour and should be reviewed, not filtered out\n\n# Splunk detection\nindex=sysmon EventCode=10\n    TargetImage=\"*\\lsass.exe\"\n    GrantedAccess IN (\"0x1010\", \"0x1038\", \"0x1fffff\")\n    NOT SourceImage IN (\n        \"C:\\Program Files\\Windows Defender\\*\",\n        \"C:\\ProgramData\\Microsoft\\Windows Defender\\*\",\n        \"C:\\Windows\\System32\\werfault.exe\"\n    )\n| table _time, ComputerName, SourceImage, GrantedAccess<\/pre>\n<h3>Detecting WDigest enablement<\/h3>\n<pre># On Windows 8.1 \/ Server 2012 R2 and later WDigest no longer caches cleartext credentials\n# by default, so sekurlsa::wdigest returns nothing useful unless the attacker first sets\n# HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential to 1\n# and waits for a fresh logon. That registry write is what Sysmon Event ID 13 captures\n\n# Sigma rule\ntitle: WDigest Credential Caching Enabled\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\WDigest\\UseLogonCredential'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nlevel: critical\n\n# There is almost no legitimate reason to enable WDigest on a modern Windows system\n# Any write of value 1 to UseLogonCredential is credential theft preparation<\/pre>\n<h3>Detecting dump file creation<\/h3>\n<pre># Attackers often avoid running Mimikatz on the host at all: they dump LSASS memory\n# (procdump, Task Manager, comsvcs.dll MiniDump) and feed the .dmp to sekurlsa::minidump offline.\n# 
Sysmon Event ID 11 captures file creation\n\nindex=sysmon EventCode=11\n    TargetFilename=\"*.dmp\"\n    NOT TargetFilename IN (\n        \"C:\\Windows\\MEMORY.DMP\",\n        \"C:\\Windows\\Minidump\\*\",\n        \"C:\\ProgramData\\Microsoft\\Windows\\WER\\*\"\n    )\n| table _time, ComputerName, Image, TargetFilename<\/pre>\n<h3>Detecting the direct syscall variants<\/h3>\n<p>Tools like Mimikatz variants using SysWhispers, Hell&#8217;s Gate, or custom direct syscall stubs bypass userland hooks entirely: the ntdll.dll exports an EDR agent patches are never called, so any detection that relies on user-mode hooking sees nothing. Sysmon is not evaded this way. Its ProcessAccess event (ID 10) is produced by the Sysmon driver from a kernel object callback on the handle open, so the OpenProcess on lsass.exe is logged whether it went through ntdll or a raw syscall. What Sysmon does not record is what is done with the handle afterwards: the ReadProcessMemory calls that actually pull the credentials generate no Sysmon event. The Microsoft-Windows-Threat-Intelligence ETW provider (ETWTI) does report those cross-process reads from the kernel, but consuming it requires the consumer to run as an anti-malware protected process (PPL), which in turn needs an ELAM-signed driver, so in practice only an EDR gets that telemetry. Sysmon-only deployments therefore see the handle open but not the reads, and an access mask the rules below do not list leaves them blind.<\/p>\n<p>Test your coverage by running a direct syscall credential dumper in a lab environment and checking two things: that Sysmon still produced an Event ID 10 for the handle open, and that your EDR alerts on the memory reads. If the EDR does not, you need kernel-level coverage. Verify your EDR has an active kernel driver with <code>sc query type= kernel<\/code> and look for your vendor&#8217;s driver in the output.<\/p>\n<h3>Sigma rule covering the common variants<\/h3>\n<pre>title: LSASS Memory Access Indicating Credential Dumping\nid: 32d0d3e2-e58d-4d41-a703-4b606902d533\nstatus: stable\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess|contains:\n            - '0x1fffff'\n            - '0x1410'\n            - '0x1010'\n            - '0x1038'\n    filter_legit:\n        SourceImage|startswith:\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n            - 'C:\\Windows\\System32\\werfault.exe'\n    condition: selection and not filter_legit\nlevel: high\ntags:\n    - attack.credential_access\n    - attack.t1003.001<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Mimikatz has hundreds of variants and most AV 
signatures fall behind. Behavioural detection approaches catch it regardless of version.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-200","post","type-post","status-publish","format-standard","hentry","category-threat-hunting"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=200"}],"version-history":[{"count":4,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions"}],"predecessor-version":[{"id":358,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions\/358"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}