Technical · 4 min · 29 April 2026

Blue Team Use Case — Detecting Mimikatz

BlueTeam SOC Mimikatz Sigma ThreatDetection

Mimikatz remains the go-to tool for credential theft today.


👉 According to the Mandiant M-Trends 2026 report: 80% of breaches involve credential dumping.


Once credentials are compromised:

→ the attacker becomes "legitimate"

→ they can move laterally

→ they access critical systems


Early detection is therefore essential.

80% of breaches involve credential dumping. Average dwell time: 16 days. Average breach cost: ~$4.8M. (Source: Mandiant M-Trends 2026)

Implementing these detection rules takes less than 30 minutes — and can stop an attack before exfiltration.

⚙️ 1. Suspicious Processes

👉 Sysmon Event ID 1 — process creation.

  • Detection of sekurlsa::logonpasswords commands
  • Suspicious command-line arguments
  • Known Mimikatz binaries or hashes (even obfuscated)
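
The three checks in this section, applied to Sysmon Event ID 1 records, as an added example (this is not code from the original post). The records are constructed to mirror the Sysmon fields Image, CommandLine, Hashes and ParentImage; the hash list holds a placeholder rather than a real hash. It goes slightly beyond the text by matching Mimikatz's module::command syntax in general, which is what keeps the rule working when the binary is renamed or repacked.

```python
"""Sysmon Event ID 1 (process creation) triage for Mimikatz-style invocations.

Added example, not code from the original post. The records below are
constructed to mirror the Sysmon fields Image, CommandLine, Hashes and
ParentImage; KNOWN_BAD_SHA256 holds a placeholder, not a real hash.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Mimikatz exposes its features as module::command tokens on the command line.
# Matching that syntax instead of the file name survives renamed or repacked
# binaries, which is what "even obfuscated" amounts to in process telemetry.
MODULE_COMMAND_RE = re.compile(r"\b([a-z]+)::([a-z_]+)\b", re.IGNORECASE)
SUSPICIOUS_MODULES = {"sekurlsa", "lsadump", "kerberos", "privilege", "token"}
HIGH_SEVERITY_COMMANDS = {"sekurlsa::logonpasswords"}  # the command named in the post

# Placeholder list; populate from your threat-intel feed (constructed value).
KNOWN_BAD_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_MIMIKATZ_BUILD"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    image: str


def normalize_cmdline(cmdline: str) -> str:
    """Strip quotes, collapse whitespace and lower-case, so that
    "SEKURLSA::LogonPasswords" and sekurlsa::logonpasswords compare equal."""
    unquoted = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", unquoted).strip().lower()


def extract_sha256(hashes_field: str) -> Optional[str]:
    """Sysmon writes Hashes as 'SHA256=...,MD5=...' depending on its config."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def evaluate_process_creation(event: dict) -> Optional[Finding]:
    """Apply the three checks from section 1, most confident first."""
    image = event.get("Image", "")
    cmd = normalize_cmdline(event.get("CommandLine", ""))

    sha256 = extract_sha256(event.get("Hashes", ""))
    if sha256 and sha256 in KNOWN_BAD_SHA256:
        return Finding("high", f"known Mimikatz hash {sha256}", image)

    for command in HIGH_SEVERITY_COMMANDS:
        if command in cmd:
            return Finding("high", f"{command} on command line", image)

    modules = {module.lower() for module, _ in MODULE_COMMAND_RE.findall(cmd)}
    hit = modules & SUSPICIOUS_MODULES
    if hit:
        return Finding("medium", "Mimikatz module syntax: " + ", ".join(sorted(hit)), image)

    if image.lower().endswith("\\mimikatz.exe"):
        return Finding("medium", "binary named mimikatz.exe", image)
    return None


def scan(events) -> list:
    """Return the findings for a batch of Event ID 1 records."""
    return [f for f in (evaluate_process_creation(e) for e in events) if f]


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records
    {"Image": r"C:\Users\jdoe\Downloads\update.exe",
     "CommandLine": '"update.exe" "privilege::debug" "SEKURLSA::LogonPasswords" exit',
     "Hashes": "SHA256=0000,MD5=1111", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p",
     "Hashes": "SHA256=2222", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\tools\m.exe",
     "CommandLine": "m.exe kerberos::list",
     "Hashes": "SHA256=3333", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image}: {finding.reason}")
```

The order of the checks matters for triage: a hash match or the exact sekurlsa::logonpasswords string is alerted as high on its own, while generic module syntax is medium because legitimate tooling can produce `word::word` tokens and the allowlist of modules is what keeps the false-positive rate down.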

🔍 2. Abnormal LSASS Access

👉 Sysmon Event ID 10 — critical memory access.

  • Any non-system process accessing lsass.exe
  • GrantedAccess 0x1FFFFF = full memory access
  • Most reliable signal for in-memory Mimikatz

🌐 3. Lateral Movement

👉 Event ID 4624 / 4648 — suspicious connections.

  • Connections using Pass-the-Hash (NTLMv1)
  • Abnormal Kerberos ticket (Pass-the-Ticket)
  • Admin connections from unusual hosts

📋 4. Alerts and Correlation

👉 SIEM: correlate events.

  • Sigma rules integrated into your SIEM
  • Real-time alerts on LSASS access
  • Correlation with suspicious admin connections

Sigma Rule — LSASS Access Detection

To integrate into your monitoring rules (Splunk, Elastic, Microsoft Sentinel):

  title: LSASS Full Memory Access (Mimikatz-style credential dumping)
  logsource:
    product: windows
    category: process_access
  detection:
    selection:
      EventType: Access
      TargetImage: C:\Windows\system32\lsass.exe
      GrantedAccess: '0x1FFFFF'
    condition: selection
  level: high

👉 Detects full memory access to LSASS — the characteristic signature of Mimikatz.
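
The selection above evaluated over Sysmon Event ID 10 records, then correlated with Security 4624 network logons as sections 2 to 4 describe, as an added example (not code from the original post). All records are constructed and shaped like Sysmon and Security event fields; the SYSTEM_ACCESSORS allowlist is an assumption to be tuned per estate. It generalises the rule in one respect: besides the exact 0x1FFFFF mask, any non-allowlisted process requesting memory-read rights on lsass.exe is flagged at a lower severity.

```python
"""Evaluate the LSASS-access selection from the Sigma rule over Sysmon
Event ID 10 records, then correlate hits with Security 4624 network logons
from the same host, as section 4 describes.

Added example, not code from the original post. All records are constructed
and shaped like Sysmon/Security event fields; SYSTEM_ACCESSORS is an
assumption that must be tuned to your estate.
"""
from datetime import datetime, timedelta
from typing import Optional

LSASS_PATH = r"C:\Windows\system32\lsass.exe"
FULL_ACCESS = 0x1FFFFF             # PROCESS_ALL_ACCESS, the mask in the rule
PROCESS_VM_READ = 0x0010           # access rights from winnt.h
PROCESS_QUERY_INFORMATION = 0x0400

# Processes that open lsass.exe as part of normal operation (assumption).
SYSTEM_ACCESSORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wmiprvse.exe",
}


def parse_granted_access(value: str) -> int:
    """Sysmon logs GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(value, 16)


def matches_sigma_selection(event: dict) -> bool:
    """Literal translation of the rule: lsass.exe target and the full access mask."""
    return (event.get("TargetImage", "").lower() == LSASS_PATH.lower()
            and parse_granted_access(event.get("GrantedAccess", "0x0")) == FULL_ACCESS)


def classify_lsass_access(event: dict) -> Optional[str]:
    """Generalises the rule per section 2: any non-allowlisted process asking
    for memory-read rights on lsass.exe is flagged. The exact 0x1FFFFF mask
    is high severity; a read-capable partial mask is medium."""
    if event.get("TargetImage", "").lower() != LSASS_PATH.lower():
        return None
    if event.get("SourceImage", "").lower() in SYSTEM_ACCESSORS:
        return None
    access = parse_granted_access(event.get("GrantedAccess", "0x0"))
    if access == FULL_ACCESS:
        return "high"
    if access & PROCESS_VM_READ and access & PROCESS_QUERY_INFORMATION:
        return "medium"
    return None


def correlate(lsass_events, logon_events, window=timedelta(minutes=30)) -> list:
    """For every flagged LSASS access, collect 4624 LogonType 3 NTLM logons whose
    WorkstationName is the host where the access happened, inside `window`.
    A dump followed by such logons is escalated to critical (section 4)."""
    alerts = []
    for ev in lsass_events:
        severity = classify_lsass_access(ev)
        if severity is None:
            continue
        t0 = datetime.fromisoformat(ev["UtcTime"])
        follow = [
            lg for lg in logon_events
            if lg.get("EventID") == 4624 and lg.get("LogonType") == 3
            and lg.get("AuthenticationPackageName", "").upper() == "NTLM"
            and lg.get("WorkstationName", "").lower() == ev["Computer"].lower()
            and t0 <= datetime.fromisoformat(lg["UtcTime"]) <= t0 + window
        ]
        alerts.append({
            "host": ev["Computer"],
            "source": ev["SourceImage"],
            "severity": "critical" if follow else severity,
            # "Computer" on a 4624 is the host that accepted the logon.
            "lateral_targets": sorted({lg["Computer"] for lg in follow}),
        })
    return alerts


LSASS_EVENTS = [  # constructed Sysmon Event ID 10 records
    {"UtcTime": "2026-01-14T09:02:11", "Computer": "WS-042",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"UtcTime": "2026-01-14T09:02:12", "Computer": "WS-042",
     "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"UtcTime": "2026-01-14T09:05:00", "Computer": "WS-017",
     "SourceImage": r"C:\tools\procdmp.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
]
LOGON_EVENTS = [  # constructed Security 4624 records
    {"UtcTime": "2026-01-14T09:09:40", "EventID": 4624, "Computer": "FS-01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-042", "TargetUserName": "adm_backup"},
    {"UtcTime": "2026-01-14T09:11:05", "EventID": 4624, "Computer": "DC-01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-042", "TargetUserName": "adm_backup"},
    {"UtcTime": "2026-01-14T08:00:00", "EventID": 4624, "Computer": "FS-01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "WS-017", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for alert in correlate(LSASS_EVENTS, LOGON_EVENTS):
        print(alert)
```

The allowlist is what turns "any non-system process accessing lsass.exe" into something operable: without it, the literal selection fires on every legitimate full-access open by core Windows processes, and analysts tune the rule out. The correlation window is deliberately short; the page's case study reports a twelve-minute response, and a dump followed by NTLM network logons from the same workstation within half an hour is the pattern worth paging on.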

📚 Real Case — Banking SOC (January 2026)

Mimikatz identified and stopped before exfiltration

  • 🔔 Detection: Sigma rule — LSASS access
  • ⏱️ Response time: 12 minutes
  • 🛑 Result: attack stopped before exfiltration
  • 📅 Without detection: average dwell time of 16 days

🧠 Key Takeaway

Detecting LSASS access is a fundamental part of an effective SOC.

✔ Low implementation cost

✔ Quick to deploy (< 30 minutes)

✔ High impact — stop before exfiltration

Resources: SigmaHQ · Sysmon (Microsoft) · Mandiant M-Trends 2026

Which rules do you use to detect Mimikatz? Sigma, Splunk, Elastic, other? Have you ever detected an attempt in production?


Need personalised guidance?

NagaShield Security helps you implement these measures concretely, tailored to your organisation and budget.
