Monday, February 13, 2017

Hunting Mimikatz launched by PowerShell


Following my last post about how to hunt for malicious PowerShell commands, I'm interested to detect Mimikatz once it is launched through PowerShell, like for example with PowerShellEmpire framework. Mark Russinovich has just written that in order to detect Mimikatz you must monitor lsass.exe for process access.



So basically, I have created a simple filter in sysmon for event code 10 (ProcessAccess) with SourceImage PowerShell.exe and TargetImage lsass.exe





<ProcessAccess onmatch="include">
 <SourceImage condition="contains">powershell.exe</SourceImage>
 <TargetImage condition="contains">lsass.exe</TargetImage>
</ProcessAccess>
 
  

Now it is time to test if it works. 
So I use the Mimikatz module in PowerShellEmpire






In Splunk I detect the initial encoded PowerShell Command

 

After a few seconds I run a SPL query to see when the PowerShell.exe command accesses the process lsass.exe, which it is when mimikatz is executed :)