The registry keys below make it harder for Mimikatz to work. If they were previously set to their secure state, a change back to the insecure value may indicate an attacker preparing to run Mimikatz in the environment. Always test before changing registry keys such as these in a production environment to ensure nothing breaks.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
- “UseLogonCredential” should be 0 so that WDigest does not keep a plaintext copy of the logon password in LSASS memory. On Windows 8.1/Server 2012 R2 and later the value is absent by default and treated as 0 (older builds need KB2871997 plus an explicit 0); an attacker sets it to 1 and waits for users to log on again.
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- “RunAsPPL” should be set to dword:00000001 to enable LSA Protection, which prevents non-protected processes from opening a handle to LSASS (the usual way Mimikatz reads its memory).
- Mimikatz can strip the protection flag from the running LSASS process using its custom kernel driver, mimidriver (mimidrv.sys); this works in memory and does not itself change the registry.
- This uses the command **!+** to load the driver and then **!processprotect /remove /process:lsass.exe** by default, so a new kernel driver being installed is the artefact to look for. An attacker who cannot load a driver may instead delete or zero the RunAsPPL value and wait for a reboot, so tampering with this registry key is also indicative of Mimikatz activity.
Some techniques load lsasrv.dll or wdigest.dll into a process other than lsass.exe to extract credentials. These DLLs are expected only inside lsass.exe, so any other process that has loaded them is worth investigating; list the processes holding each module with:
tasklist /m wdigest.dll
tasklist /m lsasrv.dll
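The checks above, combined into one script as an added example (this is not code from the original page): it reports the state of the two registry values, lists every non-lsass process that has loaded lsasrv.dll or wdigest.dll, and pulls recent kernel-driver installs from the System log, which is the trace a mimidriver load leaves whatever the driver was renamed to. The one-week lookback window is an assumption; run it from an elevated session, since module enumeration of other users' processes needs it.

```powershell
# Added example, not from the original page. Run elevated.

function Get-LsaHardeningState {
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $runAsPpl     = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # An absent UseLogonCredential is treated as 0 on Windows 8.1 / Server 2012 R2 and
    # later (and on older builds once KB2871997 is installed); 1 re-enables caching.
    $wdigestSecure = ($null -eq $useLogonCred) -or ($useLogonCred -eq 0)
    # RunAsPPL 1 = LSA Protection on; newer builds also accept 2 (on, without UEFI lock).
    $lsaProtected  = ($runAsPpl -eq 1) -or ($runAsPpl -eq 2)

    # Protection actually in effect is logged at boot by Wininit as System event 12
    # ("LSASS.exe was started as a protected process with level: 4").
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                              -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UseLogonCredential  = $useLogonCred
        WDigestSecure       = $wdigestSecure
        RunAsPPL            = $runAsPpl
        LsaProtectionSet    = $lsaProtected
        LsaProtectionAtBoot = [bool]$bootEvent
    }
}

function Get-CredentialDllLoaders {
    param([string[]]$ModuleName = @('lsasrv.dll', 'wdigest.dll'))
    foreach ($proc in Get-Process) {
        if ($proc.ProcessName -eq 'lsass') { continue }      # the only legitimate host of these DLLs
        try { $mods = $proc.Modules } catch { continue }      # access denied / protected process
        foreach ($m in $mods) {
            if ($ModuleName -contains $m.ModuleName) {
                [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Module = $m.ModuleName; Path = $m.FileName }
            }
        }
    }
}

# Kernel drivers are installed through the Service Control Manager, so a new driver
# service (System event 7045 whose service type reads "kernel mode driver") is the
# artefact a mimidriver load leaves. The service-type text is localised; adjust on
# non-English systems.
function Get-RecentDriverInstalls {
    param([datetime]$Since = (Get-Date).AddDays(-7))          # assumption: one-week window
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'kernel mode driver' } |
        Select-Object TimeCreated,
                      @{ n = 'Service';   e = { $_.Properties[0].Value } },
                      @{ n = 'ImagePath'; e = { $_.Properties[1].Value } }
}

Get-LsaHardeningState
Get-CredentialDllLoaders | Format-Table -AutoSize
Get-RecentDriverInstalls | Format-Table -AutoSize
```

A host where WDigestSecure is true but the value is explicitly 1 in a later run, or where RunAsPPL is set but no Wininit event 12 exists since the last boot, is the state the section describes as suspicious: the configuration was changed after the hardening baseline was applied.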
You may be able to detect changes to the below registry keys, which can be used to load an arbitrary DLL into LSASS and extract credentials; more information in Adam Chester's write-up.
Check running executables for malware via VirusTotal
Note: the VirusTotal public API is rate-limited (4 requests per minute), so this first one-liner will not work with a public API key. All one-liners require VTAPIKey to be set to your VirusTotal API key.
This query sleeps 15 seconds between requests so that only 4 queries are submitted a minute.
This query sleeps 15 seconds between requests so that only 4 queries are submitted a minute, and only unique hashes are queried.
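The same check written out as a function, added here as an example rather than taken from the page: it hashes each distinct running executable, de-duplicates on the SHA-256 so that one binary under two paths costs one request, and sleeps 15 seconds between lookups against the VirusTotal v3 files endpoint. It assumes $VTAPIKey holds your key, as the page's one-liners do.

```powershell
# Added example, not the page's own one-liner. Needs network access to virustotal.com.

function Get-RunningExeVerdicts {
    param(
        [Parameter(Mandatory)][string]$ApiKey,
        [int]$DelaySeconds = 15                                  # 4 requests/minute keeps a public key under quota
    )
    # Paths of running processes we can see; processes we cannot open have no Path
    $paths = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique

    # Hash first and key on the hash, so the same binary under two paths is queried once
    $hashes = @{}
    foreach ($p in $paths) {
        try { $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash } catch { continue }
        if (-not $hashes.ContainsKey($h)) { $hashes[$h] = $p }
    }

    $first = $true
    foreach ($h in $hashes.Keys) {
        if (-not $first) { Start-Sleep -Seconds $DelaySeconds }
        $first = $false
        try {
            $r = Invoke-RestMethod -Method Get -Uri "https://www.virustotal.com/api/v3/files/$h" `
                                   -Headers @{ 'x-apikey' = $ApiKey }
            $stats = $r.data.attributes.last_analysis_stats
            [pscustomobject]@{
                Path = $hashes[$h]; SHA256 = $h
                Malicious = $stats.malicious; Suspicious = $stats.suspicious
                Harmless = $stats.harmless; Undetected = $stats.undetected; Note = ''
            }
        } catch {
            # 404 means VT has never seen this hash, which is itself worth a look for a
            # binary that claims to be common software; 429 means the quota was exceeded.
            $status = $_.Exception.Response.StatusCode.value__
            $note = if ($status) { "HTTP $status" } else { $_.Exception.Message }
            [pscustomobject]@{
                Path = $hashes[$h]; SHA256 = $h
                Malicious = $null; Suspicious = $null; Harmless = $null; Undetected = $null; Note = $note
            }
        }
    }
}

Get-RunningExeVerdicts -ApiKey $VTAPIKey | Sort-Object Malicious -Descending | Format-Table -AutoSize
```

Only the lookup is done here; nothing is uploaded, so an unknown hash stays unknown. Submitting the file itself would disclose it to VirusTotal, which is rarely appropriate during an incident.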
Registry Indicators
Check Registry for IE Enhanced Security Modification
Check Registry for disabling of UAC (EnableLUA: 0 = UAC disabled)
Review Software Keys for malicious entries
Scan Registry keys for specified text
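The four registry indicators above, implemented as one added example (not the page's one-liners): the IE Enhanced Security and UAC checks read the well-known values, the Run/RunOnce review walks the common autostart keys, and the text scan recurses a hive and matches key names and value data against a pattern. The choice of Run keys and the "suspicious" pattern are my assumptions for illustration; the page's own list of Software keys is not reproduced.

```powershell
# Added example, not from the original page.

function Get-RegistryIndicators {
    $results = @()
    # IE Enhanced Security Configuration lives under Active Setup; IsInstalled 1 = on, 0 = off
    $iesc = [ordered]@{
        'IE ESC (admins)' = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        'IE ESC (users)'  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    foreach ($name in $iesc.Keys) {
        $v = (Get-ItemProperty -Path $iesc[$name] -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        $results += [pscustomobject]@{ Check = $name; Value = $v; Finding = $(if ($v -eq 0) { 'disabled' } else { '' }) }
    }
    # UAC: EnableLUA 0 = UAC disabled
    $lua = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                             -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $results += [pscustomobject]@{ Check = 'UAC (EnableLUA)'; Value = $lua; Finding = $(if ($lua -eq 0) { 'disabled' } else { '' }) }
    $results
}

function Get-RunKeyEntries {
    # Assumption: the autostart keys most often abused; HKCU covers the current user only
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    # Assumption: a crude triage pattern for LOLBins and user-writable paths
    $suspect = 'powershell|cmd\.exe|rundll32|regsvr32|mshta|wscript|cscript|\\Temp\\|AppData|ProgramData'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value; Suspicious = ($p.Value -match $suspect) }
        }
    }
}

function Search-RegistryText {
    param(
        [Parameter(Mandatory)][string]$Pattern,                       # regex, e.g. 'mimikatz|\.hta'
        [string[]]$Root = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')
    )
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.Name -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Name = '(key name)'; Value = '' }
            }
            foreach ($n in $key.GetValueNames()) {
                $val = $key.GetValue($n)                                # binary data stringifies as System.Byte[]
                if ("$val" -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; Name = $n; Value = "$val" }
                }
            }
        }
    }
}

Get-RegistryIndicators | Format-Table -AutoSize
Get-RunKeyEntries | Where-Object Suspicious | Format-Table -AutoSize
Search-RegistryText -Pattern 'mimikatz|sekurlsa' | Format-Table -AutoSize
```

A full recursive walk of HKLM:\SOFTWARE takes minutes on a busy server; narrow $Root to the subtree of interest when you already know where to look, and run the HKCU scan under each account of interest (or load their NTUSER.DAT hives) since HKCU: only shows the current user.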
Suspicious Files
Find files without extensions
Persistent file locations of interest
You can scan these directories for items of interest e.g. unusual exe, dll, bat, lnk etc files with:
Locate LNK Files with a particular string (Special thanks to the notorious)
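The three file checks above, as an added example (not code from the original page): extensionless files under a set of directories, a sweep of autostart and scratch locations for executable-type files, and a walk of .lnk files whose target or arguments match a string, read through the WScript.Shell COM object. The directory lists are my assumptions; the page's own list of locations is not reproduced here.

```powershell
# Added example, not from the original page.

function Get-ExtensionlessFiles {
    param([string[]]$Path = @("$env:SystemRoot\Temp", "$env:ProgramData", "$env:USERPROFILE\AppData"))  # assumption
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '' } |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

function Get-PersistenceLocationFiles {
    # Assumption: startup folders, task storage and temp; extend with the page's own list
    $dirs = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:SystemRoot\System32\Tasks",
        "$env:SystemRoot\Tasks",
        "$env:TEMP"
    )
    $types = '.exe', '.dll', '.bat', '.cmd', '.lnk', '.vbs', '.js', '.ps1', '.hta', '.scr'
    Get-ChildItem -Path $dirs -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $types } |
        Select-Object FullName, Extension, Length, CreationTimeUtc, LastWriteTimeUtc
}

function Find-LnkWithString {
    param(
        [Parameter(Mandatory)][string]$Pattern,                       # regex matched against target + arguments
        [string[]]$Path = @("$env:USERPROFILE", "$env:ProgramData")  # assumption
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Filter *.lnk -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        try { $lnk = $shell.CreateShortcut($_.FullName) } catch { return }   # malformed shortcut
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match $Pattern) {
            [pscustomobject]@{
                Lnk = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments
                WorkingDir = $lnk.WorkingDirectory; LastWriteTimeUtc = $_.LastWriteTimeUtc
            }
        }
    }
}

Get-ExtensionlessFiles | Format-Table -AutoSize
Get-PersistenceLocationFiles | Format-Table -AutoSize
Find-LnkWithString -Pattern 'powershell|cmd\.exe|mshta|-enc' | Format-Table -AutoSize -Wrap
```

WScript.Shell only exposes the fields a normal shortcut has, so a deliberately malformed LNK (padded arguments, odd target IDs) can hide content from it; when a hit looks interesting, parse the file with a dedicated LNK parser before drawing conclusions.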
Master File Table
The Master File Table ($MFT) is an incredibly important artifact; however, it can only be read or obtained using low-level (raw) disk access, because the OS keeps it locked while the volume is mounted. It contains an entry for every file and directory on an NTFS volume, including metadata about each, and may provide evidence of files that have been deleted, since MFT entries marked as 'free' keep their contents until the entry is reused. More information can be found on Microsoft Docs.
Determine Timestomping
Within each file's MFT record (the $MFT file itself lives at the root of every NTFS volume) there are two attributes of interest, $STANDARD_INFORMATION and $FILE_NAME, both of which carry four timestamps: when the file content was modified, when it was accessed, when the MFT record changed, and when the file was created.
These are known as MACB times (Modified, Accessed, Changed, Birth). The $STANDARD_INFORMATION timestamps can be set by any process with write access to the file through the normal API (SetFileTime), which is what timestomping tools do; the $FILE_NAME timestamps are maintained by the kernel only and cannot be set through that API without some extra trickery (renaming or moving the file, which rewrites $FILE_NAME from the current $STANDARD_INFORMATION values, or writing to the disk directly).
A $STANDARD_INFORMATION time earlier than the corresponding $FILE_NAME time generally indicates timestomping, with the $FILE_NAME entry being the more reliable source. Sub-second values of exactly zero in $STANDARD_INFORMATION are another common sign, since many tools set times at one-second granularity. This can be determined by obtaining the MFT (e.g. using a tool such as RawCopy) and comparing the two sets of timestamps for the file (e.g. using a tool such as MFTExplorer). Files extracted from archives or restored by backup and copy tools legitimately carry old $STANDARD_INFORMATION times, so confirm against other artefacts before concluding.
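The comparison described above applied to parsed MFT records, as an added example that is not part of the original page. The records are constructed for illustration; the column names follow the CSV layout of Eric Zimmerman's MFTECmd (0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME), which is an assumption about your parser rather than something the page specifies, so rename the properties if your tool labels them differently.

```powershell
# Added example, not from the original page. Input: objects with the MFTECmd-style
# columns Created0x10/Created0x30 and LastModified0x10/LastModified0x30 (assumption).

function Find-Timestomping {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Record)
    process {
        try {
            $siCreated  = [datetime]$Record.Created0x10;      $fnCreated  = [datetime]$Record.Created0x30
            $siModified = [datetime]$Record.LastModified0x10; $fnModified = [datetime]$Record.LastModified0x30
        } catch { return }                                     # unparsable row: skip rather than misjudge

        $reasons = @()
        # 1. $SI earlier than $FN. $FN is written by the kernel when the record is created or
        #    renamed, from the $SI values current at that moment, so $SI cannot legitimately
        #    end up earlier than $FN unless something later wound $SI back.
        if ($siCreated  -lt $fnCreated)  { $reasons += 'SI created earlier than FN created' }
        if ($siModified -lt $fnModified) { $reasons += 'SI modified earlier than FN modified' }
        # 2. Whole-second $SI values. NTFS stores 100 ns ticks; real writes almost never land
        #    on an exact second, but tools that take "2015-07-10 10:00:00" as input do.
        foreach ($t in @($siCreated, $siModified)) {
            if ($t.Ticks % 10000000 -eq 0) { $reasons += 'zeroed sub-second precision in SI'; break }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                FileName = $Record.FileName; SICreated = $siCreated; FNCreated = $fnCreated
                SIModified = $siModified; FNModified = $fnModified; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real data): the first was stomped back to 2015 after being
# dropped in 2024; the second is an ordinary edited document and must not be flagged.
$sample = @(
    [pscustomobject]@{ FileName = 'C:\Windows\Temp\svchost.exe'
                       Created0x10 = '2015-07-10 10:00:00.0000000'; Created0x30 = '2024-03-02 14:22:13.1234567'
                       LastModified0x10 = '2015-07-10 10:00:00.0000000'; LastModified0x30 = '2024-03-02 14:22:13.1234567' }
    [pscustomobject]@{ FileName = 'C:\Users\alice\Documents\report.docx'
                       Created0x10 = '2024-03-01 09:15:27.4412345'; Created0x30 = '2024-03-01 09:15:27.4412345'
                       LastModified0x10 = '2024-03-01 11:02:03.1200000'; LastModified0x30 = '2024-03-01 09:15:27.4412345' }
)
$sample | Find-Timestomping | Format-List
```

Only the first record is reported (both $SI times predate $FN and both sit on a whole second). The second record's $SI modified time being later than its $FN modified time is the normal pattern for a file edited after creation, since $FN is not refreshed on content writes. An attacker who renames the file after stomping defeats rule 1, because the rename copies the stomped $SI values into a fresh $FN, so rule 2 and the $SI record-change time (which the rename and the stomp both move to "now") are what remain.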
Verify EternalBlue Patch (MS17-010) is installed - Microsoft
Note: the patch updates the SMB 1.0 server driver (srv.sys). If the file below is not present, SMBv1 is not installed and the patch does not apply; if it is, use the check above to determine the patch level.
More information on ACE Strings and the level of access they can provide.
Lateral Movement Checks
Map Network Shares Lateral Movement Detection (Destinations)
PsExec Lateral Movement Detection (Destinations)
Scheduled Tasks Lateral Movement Detection (Destinations)
Services Lateral Movement Detection (Destinations)
WMI/WMIC Lateral Movement Detection (Destinations)
PowerShell Lateral Movement Detection (Destinations)
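The six destination-side checks above gathered into one sweep of the local event logs, added here as an example and not the page's own one-liners. The event IDs are the standard Windows ones for each artefact; the 24-hour window, the PSEXESVC name match and the wsmprovhost match are my assumptions. Share (5140/5145) and task (4698) events only exist where the corresponding audit policies are on.

```powershell
# Added example, not from the original page. Run elevated on the suspected destination host.

function Get-LateralMovementEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))         # assumption: 24 h window

    function Query($Filter) {
        Get-WinEvent -FilterHashtable ($Filter + @{ StartTime = $Since }) -ErrorAction SilentlyContinue
    }
    function Emit($Technique, $Event, $Detail) {
        [pscustomobject]@{ Technique = $Technique; Time = $Event.TimeCreated; Id = $Event.Id; Detail = $Detail }
    }

    # Precursor to everything below: type-3 (network) logons from a remote address.
    # 4624 fields: 5 TargetUserName, 6 TargetDomainName, 8 LogonType, 18 IpAddress.
    Query @{ LogName = 'Security'; Id = 4624 } | Where-Object { $_.Properties[8].Value -eq 3 } | ForEach-Object {
        $ip = $_.Properties[18].Value
        if ($ip -notin '-', '127.0.0.1', '::1') {
            Emit 'Network logon' $_ "$($_.Properties[6].Value)\$($_.Properties[5].Value) from $ip"
        }
    }

    # Map Network Shares: access to administrative shares (ADMIN$, C$, IPC$).
    # 5140/5145 fields: 1 SubjectUserName, 5 IpAddress, 7 ShareName.
    Query @{ LogName = 'Security'; Id = 5140, 5145 } | ForEach-Object {
        $share = $_.Properties[7].Value
        if ($share -match '\$$') { Emit 'Share access' $_ "$share from $($_.Properties[5].Value) by $($_.Properties[1].Value)" }
    }

    # PsExec and Services: every new service install; PsExec's default service is PSEXESVC.
    # 7045 fields: 0 ServiceName, 1 ImagePath, 4 AccountName.
    Query @{ LogName = 'System'; Id = 7045 } | ForEach-Object {
        $name = $_.Properties[0].Value; $image = $_.Properties[1].Value
        $tech = if ("$name $image" -match 'PSEXESVC') { 'PsExec' } else { 'Service install' }
        Emit $tech $_ "$name -> $image (account $($_.Properties[4].Value))"
    }

    # Scheduled Tasks: Security 4698 (TaskName field 4, creator field 1) and the
    # TaskScheduler operational log's registration event 106 (TaskName 0, UserContext 1).
    Query @{ LogName = 'Security'; Id = 4698 } |
        ForEach-Object { Emit 'Scheduled task' $_ "$($_.Properties[4].Value) by $($_.Properties[1].Value)" }
    Query @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106 } |
        ForEach-Object { Emit 'Scheduled task' $_ "$($_.Properties[0].Value) by $($_.Properties[1].Value)" }

    # WMI/WMIC: provider starts (5857) and temporary/permanent event consumers (5860/5861).
    Query @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5857, 5860, 5861 } |
        ForEach-Object { Emit 'WMI' $_ (($_.Message -split "`r?`n")[0]) }

    # PowerShell remoting: WinRM shell creation on the server side (91) and module logging
    # records (4103) whose host application is wsmprovhost.exe, the remoting host process.
    Query @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 } |
        ForEach-Object { Emit 'PowerShell remoting' $_ (($_.Message -split "`r?`n")[0]) }
    Query @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103 } |
        Where-Object { $_.Message -match 'wsmprovhost' } |
        ForEach-Object { Emit 'PowerShell remoting' $_ 'pipeline executed under wsmprovhost.exe' }
}

Get-LateralMovementEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Correlate by time: a network logon, followed within seconds by a 7045 or 4698 from the same account, is the shape of a real lateral movement, whereas any one of these events alone is routine on a managed host. An attacker can rename the PsExec service, so treat every unfamiliar service whose image lives under ADMIN$ (C:\Windows) as a PsExec candidate, not just PSEXESVC.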