{"id":200,"date":"2023-01-09T09:00:00","date_gmt":"2023-01-09T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/01\/09\/detecting-mimikatz-without-signature-based-rules\/"},"modified":"2026-05-13T12:59:35","modified_gmt":"2026-05-13T12:59:35","slug":"detecting-mimikatz-without-signature-based-rules","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2023\/01\/09\/detecting-mimikatz-without-signature-based-rules\/","title":{"rendered":"Detecting Mimikatz Without Signature-Based Rules"},"content":{"rendered":"

Mimikatz is the most widely reproduced and modified credential theft tool in existence. The original codebase by Benjamin Delpy is public, well-understood, and has spawned hundreds of variants. Signature-based detection consistently lags the
\nvariants. Behavioural detection is more durable because the underlying Windows API calls that credential theft requires cannot change without breaking the functionality.<\/p>\n

What Mimikatz actually does at the API level<\/h3>\n

The sekurlsa::logonpasswords<\/code> module performs the following sequence:<\/p>\n

1. OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, lsass_pid)\n   -> Returns handle with access mask 0x0410\n\n2. NtQueryInformationProcess(hLsass, ProcessBasicInformation, ...)\n   -> Gets LSASS PEB base address\n\n3. ReadProcessMemory(hLsass, peb_address, ...)\n   -> Reads LSASS memory pages\n\n4. Repeat ReadProcessMemory calls to locate SSP (Security Support Provider)\n   credential structures in LSASS memory\n\n5. Decrypt credentials using LsaDecryptMemory()\n   -> Calls BCryptDecrypt with the LSA encryption key<\/pre>\n
Each of these operations is visible to the OS and generates telemetry at different layers.<\/p>\n
Sysmon Event ID 10 \u2014 the primary detection<\/h3>\n
# Sysmon config to catch all LSASS access:\n<ProcessAccess onmatch=\"include\">\n  <TargetImage condition=\"is\">C:\\Windows\\System32\\lsass.exe<\/TargetImage>\n<\/ProcessAccess>\n<ProcessAccess onmatch=\"exclude\">\n  <SourceImage condition=\"is\">C:\\Windows\\System32\\werfault.exe<\/SourceImage>\n  <SourceImage condition=\"is\">C:\\Windows\\System32\\WerFaultSecure.exe<\/SourceImage>\n<\/ProcessAccess><\/pre>\n
The event generated for standard Mimikatz sekurlsa::logonpasswords:<\/p>\n
EventID:       10\nSourceImage:   C:\\Users\\attacker\\mimikatz.exe\nTargetImage:   C:\\Windows\\System32\\lsass.exe\nGrantedAccess: 0x1010\nCallTrace:\n  C:\\Windows\\SYSTEM32\\ntdll.dll+9f0d4\n  C:\\Windows\\SYSTEM32\\KERNELBASE.dll+27bc2\n  C:\\Users\\attacker\\mimikatz.exe+12a34<\/pre>\n
Access mask breakdown: 0x1010 = PROCESS_VM_READ (0x0010) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000)<\/code><\/p>\n
Legitimate processes with LSASS access and their expected masks:<\/p>\n
Process                          Expected GrantedAccess\nWindows Defender (MsMpEng.exe)   0x1400\nCrowdStrike Falcon               0x1fffff (kernel handle)\nTask Manager                     0x1fffff\nWindows Error Reporting          0x0040<\/pre>\n
WDigest detection \u2014 registry write monitoring<\/h3>\n
Before running sekurlsa::wdigest, Mimikatz (or the operator) enables WDigest to force plaintext credential caching:<\/p>\n
reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest \\\n  \/v UseLogonCredential \/t REG_DWORD \/d 1 \/f<\/pre>\n
Sysmon Event ID 13 (RegistryEvent – SetValue) captures this:<\/p>\n
EventID:    13\nUtcTime:    2023-01-09 14:22:33.118\nEventType:  SetValue\nImage:      C:\\Windows\\System32\\reg.exe\nTargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential\nDetails:    DWORD (0x00000001)<\/pre>\n
Sigma rule:<\/p>\n
title: WDigest Credential Caching Enabled\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: \\WDigest\\UseLogonCredential\n        Details: \"DWORD (0x00000001)\"\n    condition: selection\nlevel: critical<\/pre>\n
Detecting direct syscall variants<\/h3>\n
Tools like SysWhispers, Hell’s Gate, and Halo’s Gate generate direct syscall stubs to bypass userland hooks. These do not produce Sysmon Event ID 10 because the hook DLL never executes. Detection requires the
\nMicrosoft-Windows-Threat-Intelligence ETW provider, which runs in the kernel:<\/p>\n
Event: 10 (ReadVirtualMemory)\nProvider: Microsoft-Windows-Threat-Intelligence\nProcessID: 4892 (mimikatz_renamed.exe)\nCallingProcessID: 4892\nTargetProcessID: 724 (lsass.exe)\nBaseAddress: 0x7ff8c0000000\nBytesToRead: 4096<\/pre>\n
This provider is available on Windows 10 1709+ and requires a kernel driver to consume. Commercial EDR products using kernel drivers see this; Sysmon does not. If your coverage is Sysmon-only, test your detection against a direct syscall
\ncredential dumper to verify whether Event ID 10 fires. If it does not, you have a gap.<\/p>\n
AMSI-based detection<\/h3>\n
When Mimikatz runs as a script (Invoke-Mimikatz) or is reflectively loaded into PowerShell, AMSI scans the content before execution. AMSI event log (Microsoft-Antimalware-Scan-Interface, Event ID 1101):<\/p>\n
AppName:         PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0\nContentName:     [the script content]\nContentSize:     45823\nOriginalSize:    45823\nResult:          32768  # AMSI_RESULT_DETECTED\nSession:         1\nScanStatus:      1<\/pre>\n
AMSI bypass techniques (patching amsi.dll in memory) are themselves detectable via Sysmon Event ID 25 (ProcessTampering) on Windows 10 21H1+:<\/p>\n
EventID:    25\nUtcTime:    2023-01-09 14:24:11.992\nImage:      C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nType:       Image is replaced<\/pre>\n","protected":false},"excerpt":{"rendered":"
Mimikatz has hundreds of variants and most AV signatures fall
\nbehind. Behavioural detection approaches that catch it regardless of version.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-200","post","type-post","status-publish","format-standard","hentry","category-threat-hunting"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=200"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions"}],"predecessor-version":[{"id":242,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions\/242"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}