Artikel in der Kategorie "Threat Hunting" :
The new (as of 10.05.2017) version of mimilib (a DLL with a subset of mimikatz features) supports the DNS serverlevel plugin API and the DHCP server Callout plugin API. In this post I will quickly cover how to inject the DLL into DHCP service and how to detect it using Windows Eventlogs and Sysmon.
The Windows DNS Server management protocol, which is based on RPC, allows DnsAdmins and higher privileged Users to load arbitary dlls as plugins into the DNS service via DnssrvOperation2. Here's how to monitor for that event.
Mimikatz is extensively using OpenProcess to access credentials and patch processes. This event can be monitored with sysmon (EventID 10). Here's a list of GrantedAccess values you can monitor.