LetsDefend Academy

Online practice and training platform for blue team members

Detecting Mimikatz with Sysmon


Sysmon (System Monitor) is a Microsoft tool that records activity on a Windows device. It logs detailed information about events such as process creation and network connections so that abnormal behaviour can be detected. Installation and configuration details are available on Microsoft's website.



Mimikatz

Mimikatz is a tool used to obtain passwords from memory on Windows systems.


We will cover three different ways to detect Mimikatz on a system using Sysmon:

- Monitoring files named Mimikatz
- Monitoring hashes
- Monitoring access to lsass.exe

Monitoring files named Mimikatz

Monitoring files named "mimikatz" created on the system is one detection option. However, the file name can be changed easily, so this check is easy to bypass.

Sysmon configuration:

Sysmon output:

Looking at the output, it can be seen that the "mimikatz.exe" file was extracted from a compressed archive.

Monitoring hashes

Sysmon can be configured to generate an alert when a process whose hash matches a known Mimikatz build is started. Because even a small change to the file produces a new hash value, this method is not very robust either.

Looking at the hash value (MD5) of "mimikatz.exe", it is seen to be "010D11288BAF561F633D674E715A2016".

Making even a small addition to the file changes its hash value.

Configuration required to alert when the file with hash value "010D11288BAF561F633D674E715A2016" is executed:

Sysmon output:


Monitoring access to lsass.exe

Mimikatz reads credentials from the memory of lsass.exe. By monitoring access to "lsass.exe", the processes that open it are recorded as well. This way, not only Mimikatz but every suspicious process that accesses lsass.exe is logged.


Processes that access "lsass.exe" for legitimate purposes can be excluded to reduce noise and achieve more effective results.

Sysmon output:
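The three detections described above, as an added example that is not part of the LetsDefend page or of Sysmon itself: a small Python consumer that reads Sysmon records in Windows event XML form (Event ID 11 FileCreate, Event ID 1 ProcessCreate, Event ID 10 ProcessAccess) and applies the file-name rule, the hash rule and the lsass.exe access rule with an exclusion list. The MD5 value is the one quoted in the text; the allowlist of processes permitted to open lsass.exe, the sample file paths and the "patched" hash are assumptions constructed for this demo.

```python
# Added example (not LetsDefend's or Sysmon's own code): apply the three
# Mimikatz detections from the text to Sysmon events in Windows event XML form.
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# MD5 quoted in the text for the lab copy of mimikatz.exe.
KNOWN_MIMIKATZ_MD5 = {"010D11288BAF561F633D674E715A2016"}

# Assumed allowlist of processes that legitimately open lsass.exe; tune per host.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Sysmon event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_hashes(field):
    """Split Sysmon's 'MD5=...,SHA256=...' Hashes field into an upper-cased dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(xml_text):
    """Return the list of alert strings raised by one event (empty when nothing matches)."""
    event_id, d = parse_event(xml_text)
    alerts = []
    if event_id == 11:  # FileCreate: a file named like mimikatz was written to disk
        if "mimikatz" in basename(d.get("TargetFilename", "")):
            alerts.append(f"file-name: {d['TargetFilename']} created by {d.get('Image')}")
    elif event_id == 1:  # ProcessCreate: check both the image name and its hash
        image = d.get("Image", "")
        if "mimikatz" in basename(image):
            alerts.append(f"file-name: {image} started")
        if parse_hashes(d.get("Hashes", "")).get("MD5") in KNOWN_MIMIKATZ_MD5:
            alerts.append(f"hash: {image} matches a known Mimikatz MD5")
    elif event_id == 10:  # ProcessAccess: a process opened a handle to lsass.exe
        source = d.get("SourceImage", "")
        target = d.get("TargetImage", "")
        if basename(target) == "lsass.exe" and source.lower() not in LSASS_ALLOWLIST:
            alerts.append(f"lsass-access: {source} opened lsass.exe "
                          f"(GrantedAccess {d.get('GrantedAccess')})")
    return alerts


def make_event(event_id, **fields):
    """Build a minimal Sysmon record in Windows event XML layout (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>')


# Constructed sample events; the paths and the "patched" MD5 are made up for the demo.
SAMPLE_EVENTS = {
    "dropped_file": make_event(11, Image=r"C:\Program Files\7-Zip\7zG.exe",
                               TargetFilename=r"C:\Users\analyst\Downloads\mimikatz.exe"),
    "known_hash": make_event(1, Image=r"C:\Users\analyst\Downloads\renamed.exe",
                             Hashes="MD5=010D11288BAF561F633D674E715A2016"),
    "patched_hash": make_event(1, Image=r"C:\Users\analyst\Downloads\renamed.exe",
                               Hashes="MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"),
    "lsass_from_unknown": make_event(10, SourceImage=r"C:\Users\analyst\Downloads\renamed.exe",
                                     TargetImage=r"C:\Windows\system32\lsass.exe",
                                     GrantedAccess="0x1010"),
    "lsass_from_svchost": make_event(10, SourceImage=r"C:\Windows\system32\svchost.exe",
                                     TargetImage=r"C:\Windows\system32\lsass.exe",
                                     GrantedAccess="0x1000"),
}


def run_samples():
    """Map each sample label to the alerts it raises."""
    return {label: detect(xml) for label, xml in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, alerts in run_samples().items():
        print(f"{label:20s} -> {alerts or 'no alert'}")
```

The "renamed" and "patched" samples show the weakness the text describes: once the binary is renamed and modified, neither the file-name rule nor the hash rule fires, while the lsass.exe access rule still does, and the allowlist keeps the svchost.exe access out of the alerts.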