Detects process access to LSASS memory with suspicious access flags

Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder

Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.

Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)

Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools

Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference

Detects a possible process memory dump based on a keyword in the file name of the accessing process

Detects Mimikatz DC sync security events

This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.

Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.