These are tools for helping to detect execution of mimikatz using Sysmon logs. We focus on the DLLs loaded by mimikatz. The details of our research are in the following talk:
HITCON Community 2017 DAY 2 (8/26): Tracking mimikatz by Sysmon and Elasticsearch.
We provide the DLL lists to help with mimikatz detection.
https://github.com/sisoc-tokyo/mimikatz_detection/tree/master/DLLLists
- DLLlist_{environment name}-mimi{yyyymmdd}.csv: DLLs loaded by mimikatz in a specific environment
- CommonDLLlist.csv: DLLs that are commonly loaded regardless of Windows and mimikatz versions
- AllDLLs.csv: all DLL loading results for all tested Windows and mimikatz versions
We provide the following tools.
- Tools to create the Common DLL List from exported event logs and to detect processes that match the Common DLL List (Java)
https://github.com/sisoc-tokyo/mimikatz_detection/tree/master/javaTool
- A tool to detect processes that match the Common DLL List from Elasticsearch results (Python 3)
https://github.com/sisoc-tokyo/mimikatz_detection/tree/master/pythonTool
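As an added illustration of the matching step (example code written for this README, not the repository's own Java or Python tool): it groups Sysmon Event ID 7 records per ProcessGuid and flags any process whose loaded DLLs include every entry of the Common DLL List. The DLL names, record field names and process GUIDs below are constructed placeholders; the real list must be read from CommonDLLlist.csv.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed placeholder for CommonDLLlist.csv: the real file in the repository
# holds the actual names; these entries are illustrative only.
COMMON_DLL_CSV = """dllname
example_common_a.dll
example_common_b.dll
example_common_c.dll
"""

# Constructed Sysmon records in the flattened shape a collector might export to
# Elasticsearch (assumed field names: EventID, ProcessGuid, Image, ImageLoaded).
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": r"C:\Temp\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\EXAMPLE_COMMON_A.dll"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": r"C:\Temp\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\example_common_b.dll"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": r"C:\Temp\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\example_common_c.dll"},
    {"EventID": 7, "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\example_common_a.dll"},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\notepad.exe"},
]

def load_common_dlls(csv_text):
    """Return the Common DLL List as a set of lower-cased DLL file names."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["dllname"].strip().lower() for r in rows if r["dllname"].strip()}

def group_loaded_dlls(events):
    """Map ProcessGuid -> (Image, lower-cased DLL base names) from Event ID 7 only."""
    loaded, images = defaultdict(set), {}
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only Image loaded events carry ImageLoaded
        loaded[ev["ProcessGuid"]].add(ntpath.basename(ev["ImageLoaded"]).lower())
        images[ev["ProcessGuid"]] = ev["Image"]
    return {guid: (images[guid], dlls) for guid, dlls in loaded.items()}

def detect(events, common_dlls):
    """Flag processes whose loaded DLLs include every entry of the Common DLL List."""
    return [(guid, image) for guid, (image, dlls) in group_loaded_dlls(events).items()
            if common_dlls <= dlls]

if __name__ == "__main__":
    for guid, image in detect(SAMPLE_EVENTS, load_common_dlls(COMMON_DLL_CSV)):
        print(f"Common DLL List fully matched by {image} ({guid})")
```

Base names are compared case-insensitively so that the load path and the capitalisation Sysmon records do not affect the match.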
Before using our tools, complete the following steps.
- Install Sysmon and gather event logs on the computer you want to investigate. Make sure that Event ID 7 (Image loaded) events are recorded.
For details of each tool, refer to the README in its directory.
Published by Wataru Matsuda & Mariko Fujimoto