We will talk about 3 different ways to detect mimikatz in the system using Sysmon:
- Monitoring files named Mimikatz
Monitoring for files named "mimikatz" being created on the system is one detection option. However, the file name can be changed easily, so this check is trivial to bypass.
Looking at the output, we can see that the "mimikatz.exe" file was extracted from the compressed archive.
Looking at the hash value of "mimikatz.exe", we can see that it is "010D11288BAF561F633D674E715A2016".
Any small change to the file also changes its hash value, so this check too is easy to bypass.
The Sysmon configuration required to detect execution of the file with the hash value "010D11288BAF561F633D674E715A2016":
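The original configuration is not reproduced on this page, so the following is an added example written for this edit, not the author's own config. It covers both of the checks above in one Sysmon configuration: a FileCreate rule (Event ID 11) that fires when a file whose name contains "mimikatz" is written, and a ProcessCreate rule (Event ID 1) that fires when an executable with the hash value from this page is started. It assumes that hash is an MD5 (32 hex characters), that Sysmon is configured to compute MD5, and that the installed Sysmon release accepts schemaversion 4.90; the rule-group names are arbitrary.

```xml
<Sysmon schemaversion="4.90">
  <!-- Sysmon only writes an MD5= entry into the Hashes field if md5 is enabled here -->
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Check 1: Event ID 11 (FileCreate) for any file whose name contains "mimikatz".
         Cheap to run, but bypassed by simply renaming the file. -->
    <RuleGroup name="Mimikatz by file name" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">mimikatz</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Check 2: Event ID 1 (ProcessCreate) for the MD5 value quoted on this page.
         "contains" is used because the Hashes field holds several algorithms in one
         string (for example "MD5=...,SHA256=..."). Any byte change to the binary yields
         a different hash, so this list must be kept up to date. -->
    <RuleGroup name="Mimikatz by hash" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Hashes condition="contains">MD5=010D11288BAF561F633D674E715A2016</Hashes>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon.exe -c mimikatz.xml` on a host where Sysmon is already installed (or `sysmon.exe -i mimikatz.xml` for a fresh install), then watch for Event ID 11 and Event ID 1 in the Microsoft-Windows-Sysmon/Operational log. Because both rules are easy to evade, treat them as low-cost indicators rather than the primary detection.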
Mimikatz uses lsass.exe to capture passwords. By monitoring access to "lsass.exe", every process that uses it is recorded. This way, not only Mimikatz but any suspicious process that uses lsass.exe is logged.
Processes that access "lsass.exe" for legitimate reasons can be excluded to reduce noise and obtain more useful results.
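As an added example of the lsass.exe approach (not the author's configuration), the following Sysmon configuration records every process that opens a handle to lsass.exe via a ProcessAccess rule (Event ID 10), and then excludes a few source images as the kind of legitimate-access exclusion described above. The excluded paths are assumptions chosen for illustration; the list has to be built from what is actually observed as normal on your own hosts. As in the previous example, schemaversion 4.90 and the rule-group names are assumptions.

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Check 3: Event ID 10 (ProcessAccess). Log every process that opens lsass.exe.
         The "image" condition matches on the file name alone, so the rule works
         whatever drive letter or path the system directory is on. -->
    <RuleGroup name="Access to lsass.exe" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="image">lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <!-- Exclusions for processes that touch lsass.exe as part of normal operation.
         Sysmon gives exclude rules precedence over include rules, so anything listed
         here is never logged: keep the list short, use full paths rather than bare
         image names (so a copy of the binary elsewhere is still logged), and review it
         regularly. The entries below are example paths, not a vetted baseline. -->
    <RuleGroup name="Legitimate lsass.exe access" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</SourceImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

With this in place, each Event ID 10 entry names the SourceImage that opened lsass.exe, which is the field to review (or to forward to a SIEM) for anything that is not on the exclusion list. The same event also carries a GrantedAccess field; narrowing the include rule on it can further reduce volume, but that tuning goes beyond what this page describes.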