Detect Mimikatz Via PowerShell And EventCode 4663
This search looks for PowerShell reading lsass memory consistent with credential dumping.
Detect Mimikatz Via PowerShell And EventCode 4663 Help
This search looks for Windows Event Code (signature_id) 4663 (object access) where the process performing the access is PowerShell.exe, the target process of the access is lsass.exe, and the access mask is 0x10. This pattern is consistent with using PowerShell to execute Mimikatz with sekurlsa::logonpasswords. The search returns the host where the activity occurred, the process and its associated process ID, the enabled privilege, and the event message.
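As an added illustration, not part of the original content, the same matching logic written in Python and run over constructed 4663 records. The field names (EventCode, ComputerName, Process_Name, Process_ID, Object_Name, Access_Mask, Privileges, Message) are assumed to follow the usual Windows Security log extraction; the sample events are constructed, not real telemetry.

```python
# Re-implementation of the detection described above for testing outside Splunk.
TARGET_PROCESS = "powershell.exe"
TARGET_OBJECT = "lsass.exe"
TARGET_MASK = 0x10


def _basename(path: str) -> str:
    """Return the final path component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_detection(event: dict) -> bool:
    """True for a 4663 event where PowerShell accessed lsass.exe with mask 0x10."""
    if str(event.get("EventCode", "")) != "4663":
        return False
    if _basename(event.get("Process_Name", "")) != TARGET_PROCESS:
        return False
    if _basename(event.get("Object_Name", "")) != TARGET_OBJECT:
        return False
    try:
        mask = int(str(event.get("Access_Mask", "")), 16)  # accepts "0x10"
    except ValueError:
        return False
    return mask == TARGET_MASK


def detect(events):
    """Return the fields the search surfaces for every matching event."""
    return [{"host": e.get("ComputerName"), "process": e.get("Process_Name"),
             "pid": e.get("Process_ID"), "privilege": e.get("Privileges"),
             "message": e.get("Message")}
            for e in events if matches_detection(e)]


# Constructed sample records: one true positive, one benign file read by
# PowerShell, and one lsass access performed by a non-PowerShell process.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventCode": "4663", "ComputerName": "ws01.corp.local", "Process_Name": _PS,
     "Process_ID": "0x1a2c", "Object_Name": _LSASS, "Access_Mask": "0x10",
     "Privileges": "SeDebugPrivilege", "Message": "An attempt was made to access an object."},
    {"EventCode": "4663", "ComputerName": "ws01.corp.local", "Process_Name": _PS,
     "Process_ID": "0x1a2c", "Object_Name": r"C:\Temp\report.txt", "Access_Mask": "0x10",
     "Privileges": "-", "Message": "An attempt was made to access an object."},
    {"EventCode": "4663", "ComputerName": "ws02.corp.local",
     "Process_Name": r"C:\Program Files\EDR\agent.exe", "Process_ID": "0x0f40",
     "Object_Name": _LSASS, "Access_Mask": "0x1010", "Privileges": "SeDebugPrivilege",
     "Message": "An attempt was made to access an object."},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```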