Detecting Mimikatz with Sysmon

Sysmon is an excellent tool for detecting malicious activities, including the credential theft tool Mimikatz. Below are three methods to detect Mimikatz, focusing on file monitoring, hash tracking, and behavior analysis.


1. Monitoring Files Named "Mimikatz"

Detection Approach:

Track any file or process execution with names related to Mimikatz (e.g., mimikatz.exe).

Sysmon Configuration:

Use the following Sysmon XML snippet to monitor for files or processes with "mimikatz" in their names:

<!-- Place inside the <EventFiltering> element of a Sysmon configuration -->
<RuleGroup name="Detect Mimikatz by Name" groupRelation="or">
  <FileCreate onmatch="include">
    <!-- TargetFilename is the file being written; Image would be the process writing it -->
    <TargetFilename condition="contains">mimikatz</TargetFilename>
  </FileCreate>
  <ProcessCreate onmatch="include">
    <!-- Image is the full path of the executable being started -->
    <Image condition="contains">mimikatz</Image>
  </ProcessCreate>
</RuleGroup>

Sysmon Output Example:

When a file named mimikatz.exe is executed (creating the file on disk would instead raise Event ID 11, File Create):

Event ID: 1 (Process Create)
RuleName: Detect Mimikatz by Name
Image: C:\Users\Attacker\Downloads\mimikatz.exe

Limitation:

Attackers can easily bypass this by renaming the Mimikatz binary to an innocuous name (e.g., notepad.exe).


2. Monitoring Mimikatz Hash Values

Detection Approach:

Monitor known hash values of Mimikatz executables.

Sysmon Configuration:

Use the following configuration to track specific Mimikatz hashes:

<RuleGroup name="Detect Mimikatz by Hash" groupRelation="or">
  <ProcessCreate onmatch="include">
    <!-- Sysmon's field is Hashes and holds "MD5=...,SHA256=..." for the configured HashAlgorithms,
         so match with "contains" rather than "is". The value below is this page's example hash
         (32 hex digits, i.e. MD5 length); replace it with current, verified Mimikatz hashes. -->
    <Hashes condition="contains">010D11288BAF561F633D674E715A2016</Hashes>
  </ProcessCreate>
</RuleGroup>

Sysmon Output Example:

When a process with a matching hash is executed:

Event ID: 1 (Process Create)
RuleName: Detect Mimikatz by Hash
Hashes: MD5=010D11288BAF561F633D674E715A2016

Limitation:

Hashes change with even minor modifications to the binary, making this method less effective against altered or custom-built versions of Mimikatz.


3. Tracking "lsass.exe" Access

Detection Approach:

Mimikatz interacts with lsass.exe to extract credentials. Monitor processes accessing lsass.exe with specific privileges.

Sysmon Configuration:

Track processes that open lsass.exe with the PROCESS_VM_READ access right (Sysmon records the granted rights as a hex access mask, not as symbolic names):

<RuleGroup name="Detect Lsass Access" groupRelation="or">
  <ProcessAccess onmatch="include">
    <!-- Both conditions must hold, so they are wrapped in a Rule with groupRelation="and".
         GrantedAccess is logged as a hex mask: PROCESS_VM_READ is 0x0010, and 0x1010 is
         PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_VM_READ (0x0010), a mask
         commonly seen in credential dumping; other masks that include 0x0010 also exist. -->
    <Rule groupRelation="and">
      <TargetImage condition="contains">lsass.exe</TargetImage>
      <GrantedAccess condition="is">0x1010</GrantedAccess>
    </Rule>
  </ProcessAccess>
</RuleGroup>

Sysmon Output Example:

When a suspicious process interacts with lsass.exe:

Event ID: 10 (Process Access)
RuleName: Detect Lsass Access
SourceImage: C:\Users\Attacker\mimikatz.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010

Optimization:

To reduce noise, exclude legitimate processes (matched by their full image path, not by file name alone) such as antivirus or backup software that also read lsass.exe memory as part of normal operation.


Combining Detection Methods

For robust detection:

  1. File Monitoring: Catch initial attempts to use Mimikatz with default names.

  2. Hash Tracking: Identify known malicious binaries.

  3. Behavior Analysis: Detect malicious behavior like credential dumping from lsass.exe.
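As an added example that is not part of the original page, the three rules above plus the trusted-process exclusion from the Optimization note, applied on the SIEM side to Sysmon event fields. The IoC set (reusing the page's example hash), the allowlisted Defender path and the sample events are constructed assumptions for the demo, not verified indicators.

```python
# Added example (not from the original page): a SIEM-side pass that applies the
# three Sysmon rules, plus the trusted-process exclusion, to Sysmon event fields.
PROCESS_VM_READ = 0x0010  # Windows access-right bit needed to read lsass.exe memory

# Constructed IoC set: the value is the page's example hash, not a verified Mimikatz hash.
KNOWN_HASHES = {"010d11288baf561f633d674e715a2016"}
# Constructed allowlist of processes that legitimately read lsass.exe; tune per environment.
TRUSTED_LSASS_READERS = {r"c:\program files\windows defender\msmpeng.exe"}

def parse_hashes(field: str) -> dict:
    """Split Sysmon's 'MD5=...,SHA256=...' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def classify(event: dict) -> list:
    """Return the names of the rules an event matches (empty list = no detection)."""
    hits = []
    eid = event.get("EventID")
    # Rule 1: file (Event 11) or process (Event 1) whose name contains "mimikatz"
    name = event.get("TargetFilename" if eid == 11 else "Image", "").lower()
    if eid in (1, 11) and "mimikatz" in name:
        hits.append("Detect Mimikatz by Name")
    # Rule 2: any algorithm's value in the Hashes field is a known Mimikatz hash
    if eid == 1 and KNOWN_HASHES & set(parse_hashes(event.get("Hashes", "")).values()):
        hits.append("Detect Mimikatz by Hash")
    # Rule 3: lsass.exe opened with PROCESS_VM_READ by a process outside the allowlist;
    # Sysmon logs GrantedAccess as a hex mask (e.g. 0x1010), so test the bit, not a name
    if eid == 10:
        src = event.get("SourceImage", "").lower()
        target = event.get("TargetImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ and src not in TRUSTED_LSASS_READERS:
            hits.append("Detect Lsass Access")
    return hits

SAMPLE_EVENTS = [  # constructed events mirroring the page's output examples
    {"EventID": 1, "Image": r"C:\Users\Attacker\Downloads\mimikatz.exe",
     "Hashes": "MD5=010D11288BAF561F633D674E715A2016,SHA256=" + "0" * 64},
    {"EventID": 1, "Image": r"C:\Users\Attacker\Downloads\notepad.exe",  # renamed, same bytes
     "Hashes": "MD5=010D11288BAF561F633D674E715A2016,SHA256=" + "0" * 64},
    {"EventID": 10, "SourceImage": r"C:\Users\Attacker\notepad.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]
```

Feed classify() each event's fields as parsed from the Sysmon operational log; the renamed binary in SAMPLE_EVENTS is caught by the hash rule and the Defender read of lsass.exe is suppressed by the allowlist.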


Best Practices for Effective Detection

  1. Regularly Update Sysmon Configuration:

    • Incorporate new Indicators of Compromise (IOCs) and emerging threats.

  2. Filter Noise:

    • Exclude trusted processes accessing sensitive resources to avoid false positives.

  3. Leverage SIEM Integration:

    • Send Sysmon logs to a SIEM for correlation and real-time alerting.

  4. Combine with Other Tools:

    • Use Sysmon alongside tools like ELK Stack, Splunk, or Microsoft Defender for Endpoint for comprehensive detection and analysis.


Key Points

Sysmon, with a well-configured XML setup, provides a powerful way to detect Mimikatz activities. By leveraging these configurations, you can monitor and detect credential theft attempts, ensuring a proactive defense against advanced attacks.