cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best way to detect Mimikatz

Jump to solution

Hello,

Can someone please point me in the right direction regarding the following?

Is it possible to block the execution of Mimikatz using ENS 10.7? If so, what component of ENS would be required (Access Protection, Exploit Prevention) and what are the steps necessary to test and implement these controls?

Mimikatz Exploit Prevention rules are in place to report on the following events, and no activity has occurred. 

6122
6117
6116

6078

Are there other options available with ENS or are the default Exploit Prevention Rules the best option to use. I also have AMSI rules enabled in Observe Mode because of the potential impact with legitimate PowerShell Scripts.

Thank you.

1 Solution

Accepted Solutions
AjaySundar
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 8

Re: Best way to detect Mimikatz

Jump to solution

Hi @Glenn_Bolton,

Good day to you!

Apart from the exploit prevention rules and AMSI, you can block the Mimikatz execution using the Access protection rule "Executing Mimikatz malware" which is enabled by default.

In addition to that, we suggest you go through the below article which provides you with the countermeasures for entry vector threats.

https://kc.mcafee.com/corporate/index?page=content&id=KB91836

Mimikatz is a post-exploitation tool, hence it is always recommended to keep your environment updated with the latest security patches, DAT/AMcore contents, updating the user password once in a month to stay on the safer side.

We would also recommend using the McAfee ATP module which can help in identifying and blocking any unknown file that has entered your environment.

Here is the link which explains how the ATP works and could help you to prevent your environment from unknown malware

https://docs.mcafee.com/bundle/endpoint-security-10.5.0-adaptive-threat-protection-product-guide-epo...

Demo:

https://www.youtube.com/watch?v=3d6GyuIhiII&t=13s

I hope this helps!

Thanks,

AJ

View solution in original post

7 Replies
AjaySundar
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 8

Re: Best way to detect Mimikatz

Jump to solution

Hi @Glenn_Bolton,

Good day to you!

Apart from the exploit prevention rules and AMSI, you can block the Mimikatz execution using the Access protection rule "Executing Mimikatz malware" which is enabled by default.

In addition to that, we suggest you go through the below article which provides you with the countermeasures for entry vector threats.

https://kc.mcafee.com/corporate/index?page=content&id=KB91836

Mimikatz is a post-exploitation tool, hence it is always recommended to keep your environment updated with the latest security patches, DAT/AMcore contents, updating the user password once in a month to stay on the safer side.

We would also recommend using the McAfee ATP module which can help in identifying and blocking any unknown file that has entered your environment.

Here is the link which explains how the ATP works and could help you to prevent your environment from unknown malware

https://docs.mcafee.com/bundle/endpoint-security-10.5.0-adaptive-threat-protection-product-guide-epo...

Demo:

https://www.youtube.com/watch?v=3d6GyuIhiII&t=13s

I hope this helps!

Thanks,

AJ

View solution in original post

Re: Best way to detect Mimikatz

Jump to solution

The Sept release of ENS with the beta RealProtect content (going prod soon)  offers the new credential theft protection feature,  which should help, but i personally haven't done any efficacy testing. 

The absolute safest thing to do is write a rule that blocks anything from reading lsass unless you explicitly allow it.   It takes a bit of effort to get going,  but is highly effective. 

Dave 

Re: Best way to detect Mimikatz

Jump to solution

Thought this template might be helpful if you want to do this:

 

Rule {
Process {
Include AggregateMatch {
#Use this section for generic apps where you don't need to specify a command line
Include OBJECT_NAME { -v ** }
Exclude OBJECT_NAME {
-v "insert path here\\file.exe"
-v "insert path here\\file.exe"
-v "insert path here\\file.exe"
}
#Exclude McAfee signed processes
Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
}

Include AggregateMatch {
#Use this section for a single app where you need to specify one or more command lines to exclude. Duplicate this section for each. Anything added here must also be excluded in the top group.
Include OBJECT_NAME {
-v "insert path here\\file.exe"
}
Exclude PROCESS_CMD_LINE {
-v "*command line snippet1*"
-v "*command line snippet2*"
}
}
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v "c:\\windows\\system32\\lsass.exe" }
Include -nt_access "!0x0010"
}
}
}

Re: Best way to detect Mimikatz

Jump to solution

In the past, Mimikatz was not detected. I previously had ENS 10.6.1 in place and just completed an upgrade to ENS / ATP 10.7. I just completed testing using Mimikatz 2.2.0.

It appears that we are covered. I am not sure if 10.7 detects Mimikatz better or if it was a simple change to an existing Access Control Policy that was made previously (possibly both.)

Testing has been successful based on the following:

A “On Access Scan” or On Demand Scan using ENS 10,7 resulted in the file being immediately deleted.
Even the associated .DLL files were detected as Potentially Unwanted Programs.
I ran Mimikatz.exe from a CMD prompt (elevated or otherwise) and this was blocked based on the following Access Protection Rule: "Executing Mimikatz malware"

I need to understand the role of LSASS  better and I will look into this.

Thank you.

Re: Best way to detect Mimikatz

Jump to solution

Just be careful with that APR.  I *think* it only triggers on the file name "mimikatz.exe"  

 

Dave

Re: Best way to detect Mimikatz

Jump to solution

Thank you as always...I will follow up with McAfee as well.

Regards.

Re: Best way to detect Mimikatz

Jump to solution

I know the April 10.7 update has bug that breaks the scheduling of an On Demand scan...

Ragrards.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community