Detect Mimikatz Using Loaded Images
This search looks for a process loading the set of images (Sysmon Event ID 7, ImageLoaded) that is characteristic of credential dumping with Mimikatz. Deprecated because the libraries Mimikatz loads have changed across versions and Sysmon Event ID 7 is a very noisy event code.
Detect Mimikatz Using Loaded Images Help
This search needs Sysmon logs and a Sysmon configuration that includes EventCode 7 (image loaded) for powershell.exe. This search uses an input macro named
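To show why this detection keys on the combination of loaded images rather than on any single DLL, and why Event ID 7 is noisy, here is an added, stand-alone Python model of the search logic. It is not the Splunk search itself and not Splunk code: it parses constructed Sysmon Event 7 lines in a simplified key=value layout, groups ImageLoaded per process the way a stats-by-process search would, and alerts only when a process has loaded every DLL in the set. The DLL set is an assumption (the list recalled from the original detection; check it against your own copy), and the sample events are constructed, not real telemetry.

```python
"""Model of the 'Detect Mimikatz Using Loaded Images' logic (added example).

Sysmon Event ID 7 (ImageLoaded) records every DLL a process maps. Mimikatz
historically loaded an unusual *combination* of DLLs; matching on any one of
them alone fires on benign processes, so loads are grouped per process and a
hit requires the whole set.
"""
from collections import defaultdict

# Assumption: DLL set recalled from the original Splunk detection. Verify it
# against your own copy before relying on it; Mimikatz builds have changed
# their imports, which is one reason the detection was deprecated.
MIMIKATZ_DLLS = frozenset({
    "winscard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll",
})


def parse_event(line: str) -> dict:
    """Parse a 'Key=Value|Key=Value' line.

    This flat layout is constructed for the example; real Sysmon events arrive
    as XML / WinEventLog fields, but the field names match Sysmon's.
    """
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def loads_by_process(lines):
    """Map (Computer, Image, ProcessId) -> set of lowercased DLL basenames.

    Only EventCode 7 lines count; anything else (process create, etc.) is skipped.
    """
    loaded = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "7":
            continue
        key = (ev["Computer"], ev["Image"], ev["ProcessId"])
        dll = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        loaded[key].add(dll)
    return loaded


def detect(lines, required=MIMIKATZ_DLLS):
    """Processes that loaded every DLL in `required` (the detection's logic)."""
    return sorted(k for k, dlls in loads_by_process(lines).items() if required <= dlls)


def single_dll_hits(lines, required=MIMIKATZ_DLLS):
    """Processes that loaded at least one DLL in `required`: the noisy variant."""
    return sorted(k for k, dlls in loads_by_process(lines).items() if required & dlls)


# Constructed sample events (not real telemetry).
MIMI = "C:\\Users\\a\\Downloads\\mimikatz.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
SYS32 = "C:\\Windows\\System32\\"


def _ev7(computer, image, pid, dll):
    return f"EventCode=7|Computer={computer}|Image={image}|ProcessId={pid}|ImageLoaded={SYS32}{dll}"


SAMPLE_EVENTS = (
    # mimikatz.exe on disk loads the full set
    [_ev7("WS01", MIMI, 4242, d) for d in ("WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")]
    # in-memory Mimikatz inside powershell.exe loads the same set
    + [_ev7("WS01", PS, 5555, d) for d in ("WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")]
    # benign explorer.exe touches hid.dll (common) plus unrelated DLLs
    + [_ev7("WS01", EXPLORER, 1234, d) for d in ("hid.dll", "kernel32.dll", "shell32.dll")]
    # a process-create event (EventCode 1) that must be ignored
    + [f"EventCode=1|Computer=WS01|Image={MIMI}|ProcessId=4242|CommandLine=mimikatz.exe"]
)

if __name__ == "__main__":
    print("full-set hits:", detect(SAMPLE_EVENTS))
    print("any-DLL hits: ", single_dll_hits(SAMPLE_EVENTS))
```

Running it shows the difference the description alludes to: the full-set rule flags only mimikatz.exe and the powershell.exe host, while the any-DLL rule also flags explorer.exe for a routine hid.dll load, and that is on three processes; on a real endpoint Event ID 7 produces thousands of loads per minute.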