Mimikatz Defend#
Hardening and detection recipes the operator turns to when defending Windows estates against Mimikatz abuse.
Mimikatz defense#
Disable debug permissions. Allow only a chosen group.
Group Policy Management Editor -> Windows Settings -> Security Settings
-> Local Policies -> User Rights Assignment -> Debug programs
-> Define these policy settings
Disable WDigest protocol (do not allow plaintext passwords in LSASS).
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential = DWORD 0
Enable LSA protection.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
RunAsPPL = DWORD 1
Restricted Admin Mode.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
DisableRestrictedAdmin = DWORD 0
DisableRestrictedAdminOutboundCreds = DWORD 1
Ensure “Restrict delegation of credentials to remote servers” policy is enforced across the domain. Require Restricted Admin.
Change credential caching to 0 to disallow caching.
Computer Configuration -> Windows Settings -> Local Policy
-> Security Options -> Interactive Logon: Number of previous
logons to cache -> 0
Enable Protected Users Group. Domain admins can add accounts to the “Protected Users” group from PowerShell.
Add-ADGroupMember -Identity 'Protected Users' -Members Alice
Detect Mimikatz#
Sysmon Event 10 (Process Accessed) Splunk query.
EventCode=10 | where (GrantedAccess="0x1010" AND TargetImage LIKE "%lsass.exe")
Windows Event 4656 Splunk query.
EventCode=4656 OR EventCode=4663 | eval
HandleReq=case(EventCode=4656 AND Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x143A", Process_ID)
| where (HandleReq=Process_ID)
# or
EventCode=4656 | where (Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x143A")
Sysmon Event 1 (ProcessCreate) and Event 10 (ProcessAccessed) correlation.
1. EventCode=1 | where (match(ParentImage, "cmd.exe") AND match(IntegrityLevel, "high"))
2. EventCode=10 | where (match(GrantedAccess, "0x1010") AND !match(SourceImage, "svchost\.exe")
AND match(TargetImage, "lsass\.exe"))