
    How to detect Mimikatz

    This article analyzes the behaviour of tools that must read the memory of the Lsass.exe process in order to steal credentials. The author investigates how Mimikatz behaves both as a stand-alone executable file and when run from memory (fileless, without a script file on disk).

    The goal is to develop detection artifacts (IOCs, correlation rules, and other signatures) that capture most of the tricks used by the wizards of powershellmafia.
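    As an added example (not code from the original article), here is a small Python detector for the Lsass.exe memory-access behaviour described above. It assumes Sysmon ProcessAccess (Event ID 10) telemetry rendered as key=value lines; the allow-list of benign readers and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# PROCESS_VM_READ is the real Windows access right a credential dumper needs
# on lsass.exe; the alerting heuristic below is this example's own.
PROCESS_VM_READ = 0x0010

# Constructed allow-list of images that legitimately open lsass (assumption;
# tune it for the estate being monitored).
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

@dataclass
class Alert:
    source_image: str
    granted_access: int
    reason: str

_FIELD = re.compile(r"(\w+)=([^|]*)")

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' rendering of a Sysmon event."""
    return {k: v.strip() for k, v in _FIELD.findall(line)}

def check_lsass_access(line: str) -> Optional[Alert]:
    """Return an Alert when a non-allow-listed process reads lsass memory."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":                    # Sysmon ProcessAccess
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    src = ev.get("SourceImage", "").lower()
    access = int(ev.get("GrantedAccess", "0"), 16)   # e.g. "0x1010"
    if src in BENIGN_SOURCE_IMAGES or not access & PROCESS_VM_READ:
        return None
    return Alert(src, access, "PROCESS_VM_READ on lsass.exe from unexpected image")

# Constructed sample telemetry (not real captures).
SAMPLE_LOG = [
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Users\\alice\\Downloads\\updater.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Users\\alice\\Downloads\\updater.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=1|Image=C:\\Users\\alice\\Downloads\\updater.exe",
]

def scan(lines) -> list:
    """Run the check over a batch of log lines and return only the alerts."""
    return [a for a in (check_lsass_access(l) for l in lines) if a]
```

    Only the second sample line fires: the first comes from an allow-listed image and the third lacks the VM_READ bit, which is the kind of correlation a rule should make before raising an alert.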

    This article presents the results of that work. The next article will explore other artifacts left behind after Mimikatz has been executed in memory, as well as the types of events generated by tools such as Invoke-CredentialInjection.



    DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.