Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass-the-Hash behaviour of, for example, Mimikatz's sekurlsa::pth module.
Detects process access to LSASS memory with the suspicious access flags 0x410 and 0x01410 (spin-off of a similar rule)
Detects processes requesting access to LSASS memory via suspicious access masks. This is typical of credential dumping tools
Detects a possible process memory dump that uses an allow-listed file name such as TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Detects a possible process memory dump based on a keyword in the file name of the accessing process
Detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions, which are however still used by various threat groups)
Detects an LSASS process memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll, for Windows 10, Server 2016 and later.
Mimikatz through Windows Remote Management
Detects usage of Mimikatz through the WinRM protocol by monitoring access to the lsass process by wsmprovhost.exe.
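As an added example (not code from this page or from any of the rules it lists), the following Python script runs toy versions of the LSASS-access rules above (suspicious access masks, access from a suspicious folder, dump keyword in the accessing process name, dbghelp/dbgcore in the CallTrace, and wsmprovhost.exe as the accessing process) and of the logon-type-9 rule over constructed Sysmon Event ID 10 and Security Event ID 4624 records. The folder list, the keyword list, and the extra masks 0x1010, 0x1438, 0x143a and 0x1fffff are assumptions, not taken from the page; only 0x410 and 0x1410 appear in the rule text.

```python
"""Toy detections for the LSASS-access and logon-type-9 rules listed above.
The events below are constructed for the demo, not real telemetry; field
names follow Sysmon Event ID 10 (ProcessAccess) and Security Event ID 4624."""
from dataclasses import dataclass

# Process access rights from winnt.h, used to explain a GrantedAccess mask.
PROCESS_RIGHTS = {
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",
    0x0400: "QUERY_INFORMATION",
    0x1000: "QUERY_LIMITED_INFORMATION",
}
# 0x410 and 0x1410 come from the rule text; the others are masks this rule
# family commonly lists (assumption). 0x1fffff is PROCESS_ALL_ACCESS.
SUSPICIOUS_MASKS = {0x0410, 0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
# "Potentially suspicious folder" list (assumption; the page names none).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\", "\\programdata\\", "\\perflogs\\")
# Keywords for the "keyword in the file name" rule (assumption).
DUMP_KEYWORDS = ("dump", "mimikatz", "procdump", "nanodump")
DEBUG_DLLS = ("dbghelp.dll", "dbgcore.dll")


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int
    detail: str


def decode_access(mask: int) -> list[str]:
    """Name the process rights set in a GrantedAccess value."""
    if mask == 0x1FFFFF:
        return ["ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_access(idx: int, ev: dict) -> list[Finding]:
    """Sysmon Event ID 10 checks; only events targeting lsass.exe matter."""
    out: list[Finding] = []
    if _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return out
    src = ev.get("SourceImage", "")
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    trace = ev.get("CallTrace", "").lower()
    if mask in SUSPICIOUS_MASKS:
        out.append(Finding("lsass_suspicious_access_mask", idx,
                           f"{mask:#x} = {'|'.join(decode_access(mask))} from {src}"))
        if any(d in src.lower() for d in SUSPICIOUS_DIRS):
            out.append(Finding("lsass_access_from_suspicious_folder", idx, src))
    if any(k in _basename(src) for k in DUMP_KEYWORDS):
        out.append(Finding("lsass_access_by_dump_keyword_process", idx, _basename(src)))
    # ntdll.dll shows up in nearly every CallTrace, so only the debug-help
    # DLLs (where MiniDumpWriteDump lives) discriminate a dump from noise.
    if any(dll in trace for dll in DEBUG_DLLS):
        out.append(Finding("lsass_dump_via_dbghelp_calltrace", idx, trace))
    if _basename(src) == "wsmprovhost.exe":
        out.append(Finding("lsass_access_via_winrm_host", idx, src))
    return out


def check_logon(idx: int, ev: dict) -> list[Finding]:
    """Security Event ID 4624: logon type 9 (NewCredentials) is what
    sekurlsa::pth produces, but `runas /netonly` produces it too, so the
    finding carries the logon process and auth package for triage."""
    if ev.get("LogonType") != "9":
        return []
    detail = (f"{ev.get('SubjectUserName')} proc={ev.get('LogonProcessName')} "
              f"pkg={ev.get('AuthenticationPackageName')}")
    return [Finding("logon_type_9_new_credentials", idx, detail)]


def run_rules(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 10:
            findings.extend(check_process_access(idx, ev))
        elif ev.get("EventID") == 4624:
            findings.extend(check_logon(idx, ev))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\csrss.exe+2a3f"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|UNKNOWN(00007FF6A1B2C3D4)"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\dbgcore.dll+1f0c3|C:\Tools\procdump64.exe+8f2a"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wsmprovhost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|UNKNOWN(00007FFB12345678)"},
    {"EventID": 4624, "LogonType": "3", "SubjectUserName": "svc-backup",
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4624, "LogonType": "9", "SubjectUserName": "jdoe",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.rule}] event #{f.event_index}: {f.detail}")
```

The first sample event (csrss.exe opening lsass with 0x1000, QUERY_LIMITED_INFORMATION only) produces no finding, which is the point of keying on specific masks rather than on any handle to lsass.exe: many system components open LSASS without VM_READ. The logon-type-9 rule fires on the constructed seclogo/Negotiate logon; in production it will also fire on legitimate `runas /netonly` use, so the logon process and package are kept in the finding for triage rather than used as a filter.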