Mimikatz Defend

Mimikatz Defend#

Hardening and detection recipes the operator turns to when defending Windows estates against Mimikatz abuse.

Mimikatz defense#

Disable debug permissions. Allow only a chosen group.

Group Policy Management Editor -> Windows Settings -> Security Settings
    -> Local Policies -> User Rights Assignment -> Debug programs
    -> Define these policy settings

Disable WDigest protocol (do not allow plaintext passwords in LSASS).

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential = DWORD 0

Enable LSA protection.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
RunAsPPL = DWORD 1

Restricted Admin Mode.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
DisableRestrictedAdmin            = DWORD 0
DisableRestrictedAdminOutboundCreds = DWORD 1

Ensure “Restrict delegation of credentials to remote servers” policy is enforced across the domain. Require Restricted Admin.

Change credential caching to 0 to disallow caching.

Computer Configuration -> Windows Settings -> Local Policy
    -> Security Options -> Interactive Logon: Number of previous
    logons to cache -> 0

Enable Protected Users Group. Domain admins can add accounts to the “Protected Users” group from PowerShell.

Add-ADGroupMember -Identity 'Protected Users' -Members Alice

Detect Mimikatz#

Sysmon Event 10 (Process Accessed) Splunk query.

EventCode=10 | where (GrantedAccess="0x1010" AND TargetImage LIKE "%lsass.exe")

Windows Event 4656 Splunk query.

EventCode=4656 OR EventCode=4663 | eval
HandleReq=case(EventCode=4656 AND Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x143A", Process_ID)
| where (HandleReq=Process_ID)

# or
EventCode=4656 | where (Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x143A")

Sysmon Event 1 (ProcessCreate) and Event 10 (ProcessAccessed) correlation.

1. EventCode=1  | where (match(ParentImage, "cmd.exe") AND match(IntegrityLevel, "high"))
2. EventCode=10 | where (match(GrantedAccess, "0x1010") AND !match(SourceImage, "svchost\.exe")
                         AND match(TargetImage, "lsass\.exe"))

References#