LetsDefend Academy

Online practicing and training platform for blue team members

Detecting Mimikatz with Sysmon

Sysmon


Sysmon (System Monitor) is a Microsoft Sysinternals tool that records activity on a device to the Windows event log. It provides detailed information for activities such as process creation, file creation and network connections, so that abnormal behaviour can be detected. Detailed information on installation and configuration can be found on Microsoft's website.

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Mimikatz


Mimikatz is a tool that extracts passwords, hashes and other credentials from memory on Windows systems.

https://github.com/gentilkiwi/mimikatz

We will look at three different ways to detect Mimikatz on a system using Sysmon:

- Monitoring files named Mimikatz
- Monitoring the hash
- Monitoring "lsass.exe"

Monitoring files named Mimikatz

Monitoring files named "mimikatz" created on the system is one option for detection. However, the file name can be changed easily, so this method is easy to bypass.
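The following Sysmon configuration is an added example, not the configuration shown on the original page. It records file creation (Event ID 11) and process creation (Event ID 1) where the name contains "mimikatz". The `OriginalFileName` rule is an addition beyond the page's file-name check: it matches the name embedded in the PE version information, which a plain rename of the executable does not change (a rebuilt binary can still alter it). The schema version is an assumption and must match the installed Sysmon release.

```xml
<Sysmon schemaversion="4.50">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 11: a file whose path contains "mimikatz" is written to disk,
         e.g. when it is extracted from an archive -->
    <RuleGroup name="mimikatz-filename" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">mimikatz</TargetFilename>
      </FileCreate>
      <!-- Event ID 1: a process whose image path or embedded original file name
           contains "mimikatz" is started; OriginalFileName survives a simple rename -->
      <ProcessCreate onmatch="include">
        <Image condition="contains">mimikatz</Image>
        <OriginalFileName condition="contains">mimikatz</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon -c config.xml` (assumed file name) and check the Microsoft-Windows-Sysmon/Operational log for events 1 and 11. Because every rule here keys on a string chosen by the attacker, treat matches as a cheap first signal, not as complete coverage.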

Sysmon configuration:

Sysmon output:

Looking at the output, it is understood that the "mimikatz.exe" file is extracted from the compressed file.

Monitoring hash


Sysmon can be configured to generate an event when a process whose hash values belong to Mimikatz is started. Since the hash changes with even a small modification to the file, this method is not very reliable either.

Looking at the hash value of "mimikatz.exe", it is seen to be "010D11288BAF561F633D674E715A2016".

When a small addition is made to the file, the hash value changes as well.

Configuration required to detect execution of the file with the hash value "010D11288BAF561F633D674E715A2016":

Sysmon output:
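The configuration below is an added example, not the one from the original page. It uses the MD5 value quoted above (the 32 hexadecimal characters identify it as MD5) and matches on Sysmon's `Hashes` field, which is stored as `MD5=...,SHA256=...`, so a `contains` condition on the algorithm prefix plus the digest is needed rather than an exact match. The schema version is an assumption.

```xml
<Sysmon schemaversion="4.50">
  <!-- md5 must be enabled here, otherwise the Hashes field never contains an MD5 value -->
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="mimikatz-known-hash" groupRelation="or">
      <!-- Event ID 1: process started from a binary with the known MD5 (value from the page) -->
      <ProcessCreate onmatch="include">
        <Hashes condition="contains">MD5=010D11288BAF561F633D674E715A2016</Hashes>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

A hash rule is exact by design: a single changed byte in the binary produces a different digest and the rule stays silent, which is the weakness the text describes. It is still worth keeping for known samples, because a match is a very high-confidence signal.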

Monitoring "lsass.exe"

Mimikatz reads the memory of lsass.exe, the process that holds logon credentials, to capture passwords. By monitoring access to "lsass.exe", every process that opens it is recorded. This way, not only Mimikatz but any suspicious process that accesses lsass.exe is captured.

Configuration:

Processes that access "lsass.exe" for legitimate reasons can be excluded to reduce noise and achieve more effective results.
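The following configuration is an added example, not the page's own. It enables Sysmon's ProcessAccess event (Event ID 10) for any process that opens a handle to lsass.exe, and shows how the exclusion the text mentions is expressed: a separate `onmatch="exclude"` group listing source images that open lsass.exe as part of normal operation. The excluded images are illustrative assumptions taken from commonly seen Windows and security components; the right list depends on the environment and should be tuned from the events observed. The schema version is an assumption.

```xml
<Sysmon schemaversion="4.50">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 10: record every process that obtains a handle to lsass.exe -->
    <RuleGroup name="lsass-access" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <!-- Exclusions: processes that legitimately access lsass.exe (assumed examples; tune per environment).
         Sysmon evaluates exclude rules before include rules, so these never generate events. -->
    <RuleGroup name="lsass-access-exclusions" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\System32\wininit.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\System32\wbem\wmiprvse.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Each resulting event carries `SourceImage`, `TargetImage`, `GrantedAccess` and a `CallTrace`, which is what lets an analyst distinguish a monitoring agent from an unknown program reading credential memory. Exclude by full image path rather than by file name alone, so that a binary placed elsewhere with a trusted name is not silently dropped.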

Sysmon output: