You "try" to detect mimikatz
This is 2019 and you still “try” to detect mimikatz. “Try”, because after many years, this post exploitation tool continues to be successful.
As a contributor to mimikatz and also a blue team guy, I’m asking myself why antivirus vendors are unable to catch it after many years. How can a tool be blocked if nobody does not know what this tool is doing? Because surprisingly, it is known only for credential collection but mimikatz is a lot more. To mitigate the lack of antivirus vendor, should we buy new fancy EDR tool or try a technical approach? Apply a Framework? Rely on Compliance? Use a SIEM to collect logs and apply correlation? In sumarry, can we detect mimikatz? In this presentation we will try to understand why mimikatz has such power and especially some weakness related to credential gathering and active directory will be exposed.