title: Mimikatz In-Memory Detection
status: experimental
description: Detects certain DLL loads when Mimikatz gets executed
reference: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
logsource:
    product: windows
    service: sysmon
detection:
    selector:
        EventID: 7
        Image: 'C:\Windows\System32\rundll32.exe'
    dllload1:
        ImageLoaded: '*\vaultcli.dll'
    dllload2:
        ImageLoaded: '*\wlanapi.dll'        
    exclusion:
        ImageLoaded:
            - 'ntdsapi.dll'
            - 'netapi32.dll'
            - 'imm32.dll'
            - 'samlib.dll'
            - 'combase.dll'
            - 'srvcli.dll'
            - 'shcore.dll'
            - 'ntasn1.dll'
            - 'cryptdll.dll'
            - 'logoncli.dll'
    timeframe: last 30s
    condition: selector | dllload1 and dllload2 and not exclusion
falsepositives:
    - unknown
level: medium