Block Mimikatz: OS Level Protection

TL;DR

Mimikatz is a powerful tool used to steal credentials from Windows systems. This guide shows you how to block it using various OS-level techniques, including AppLocker, Software Restriction Policies (SRP), and process monitoring. These methods prevent Mimikatz from running and help protect your system.

Blocking Mimikatz on the OS Level

  1. Understand the Threat: Mimikatz works by accessing sensitive information stored in memory, specifically LSASS (Local Security Authority Subsystem Service). Blocking its execution is a key defensive measure.
  2. AppLocker (Recommended – Windows 10/Server 2016 and later): AppLocker provides granular control over which applications can run.
    • Open Local Security Policy: Press Win + R, type secpol.msc, and press Enter.
    • Navigate to Application Control Policies > AppLocker: Expand this section in the left pane.
    • Create a New Rule Collection: Right-click on Executable Rules and select ‘Create New Rule’.
    • Permissions: Choose ‘Deny’ for the permission type.
    • Conditions: Configure conditions to block Mimikatz.
      • Publisher: Block based on the publisher certificate (if known). This is the most reliable method if you have the certificate details.
      • Path: Block by file path (e.g., C:\Windows\Temp\mimikatz.exe). Be aware this can be bypassed if Mimikatz changes location.
      • File Hash: Block based on the file hash. This is very specific but requires updating the rule if the Mimikatz file changes.
    • Name: Give the rule a descriptive name (e.g., ‘Block Mimikatz’).
    • Repeat for other relevant locations/hashes.
  3. Software Restriction Policies (SRP) (Older Windows Versions): SRP is an older method but still effective on systems without AppLocker.
    • Open Local Security Policy: Press Win + R, type secpol.msc, and press Enter.
    • Navigate to Security Settings > Software Restriction Policies: Expand this section in the left pane.
    • Create New Rules: Right-click on Enforcement and select ‘New Software Restriction Rule’.
    • Rule Type: Choose ‘Path’ or ‘Hash’. ‘Path’ is less secure than ‘Hash’.
    • Path: Specify the path to Mimikatz (e.g., C:\Windows\Temp\mimikatz.exe).
    • Hash: Provide the SHA1 hash of the Mimikatz file.
      Get-FileHash C:\Windows\Temp\mimikatz.exe -Algorithm SHA1
    • Name: Give the rule a descriptive name (e.g., ‘Block Mimikatz’).
  4. Process Monitoring & Blocking with Sysmon: Sysmon can detect and log process creation events, allowing you to block suspicious processes.
    • Download and Configure Sysmon: Download Sysmon from the Microsoft website and configure it using an XML configuration file.
    • Create a Rule to Block Mimikatz: Add a rule in your Sysmon configuration that detects process creation events with the image path matching Mimikatz.
      <ProcessCreate onmatch="include">
        <Image condition="contains">mimikatz.exe</Image>
      </ProcessCreate>
    • Monitor Event Logs: Monitor the Sysmon event logs for blocked processes and investigate any suspicious activity.
  5. LSASS Protection (Important Complement): While not directly blocking Mimikatz, protecting LSASS makes credential theft harder.
    • Enable LSA Protection (RunAsPPL): This runs LSASS as a protected process (PPL), so unprotected processes cannot open it and read its memory. Set the registry value and reboot:
      reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f
    • Configure Audit Policies: Enable auditing for successful and failed logon events. This helps detect potential credential theft attempts.
  6. Regular Updates & Scanning: Keep your operating system, antivirus software, and security tools up to date.
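The AppLocker step above is done through the secpol.msc GUI. The same Deny hash rule can be created and verified from PowerShell, which is easier to repeat across hosts. The script below is an added example, not code from the original post or from Microsoft; the target path and the rule name are assumptions. It lets AppLocker compute the file hash itself, flips the generated rule from Allow to Deny (New-AppLockerPolicy only emits Allow rules), merges it into the local policy, and then asks AppLocker what decision it would make for that file.

```powershell
# Added example (not from the original post): create an AppLocker Deny hash rule for a
# binary, merge it into the local policy, and test the decision.
# $target is an assumed sample location; the rule name prefix is an assumption too.
$target = 'C:\Windows\Temp\mimikatz.exe'

# Let AppLocker compute the hash it actually matches on, instead of hashing by hand
# with Get-FileHash (AppLocker uses its own SHA256 hash of the file).
$fileInfo = Get-AppLockerFileInformation -Path $target

# New-AppLockerPolicy only produces Allow rules, so generate the XML and flip the action.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash `
    -RuleNamePrefix 'Block Mimikatz' -User Everyone -Xml

foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    # Enforce (not just audit) the Exe collection this rule lands in.
    $collection.SetAttribute('EnforcementMode', 'Enabled')
    foreach ($rule in $collection.FileHashRule) {
        $rule.SetAttribute('Action', 'Deny')
    }
}

$policyPath = Join-Path $env:TEMP 'block-mimikatz.xml'
$policy.Save($policyPath)

# -Merge keeps the existing rules (for example the default Allow rules) and adds this one.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Verify: PolicyDecision should read "Denied" for the target file.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $target -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Two things to keep in mind. AppLocker only enforces while the Application Identity service (AppIDSvc) is running, so set it to start automatically. And a hash rule matches exactly one binary: a rebuilt or modified copy has a different hash, which is why the page recommends the deny rule as one layer on top of AppLocker's default Allow rules rather than as the only control.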
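For the Sysmon step, here is a complete configuration and the matching log query, as an added example that is neither from the original post nor Sysmon's own sample configuration. One caveat that the example reflects: Sysmon records process creation (Event ID 1) but does not itself stop anything; the denial comes from the AppLocker rule in step 2, which logs Event ID 8004 in the "EXE and DLL" log when it blocks an executable. The config also records process access to lsass.exe (Event ID 10), since the threat described in step 1 is Mimikatz reading LSASS memory. $sysmonExe and $configPath are assumed locations.

```powershell
# Added example (not from the original post or the Sysmon project): a minimal Sysmon
# config for Mimikatz-like process creation and LSASS access, plus a query that joins
# those records with AppLocker's blocked-execution events.
# $sysmonExe and $configPath are assumed locations.
$sysmonExe  = 'C:\Tools\Sysmon64.exe'
$configPath = Join-Path $env:ProgramData 'sysmon-mimikatz.xml'

# schemaversion must not exceed the installed Sysmon's schema; 4.50 is accepted by Sysmon 13 and later.
@'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="Mimikatz process creation" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="contains">mimikatz</Image>
        <!-- OriginalFileName comes from the PE version resource, so a renamed copy still matches -->
        <OriginalFileName condition="is">mimikatz.exe</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="LSASS memory access" groupRelation="or">
      <!-- Noisy on hosts with AV/EDR; add SourceImage excludes for known-good tools as needed -->
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# -i installs the driver and service with this config; use -c where Sysmon is already installed.
& $sysmonExe -accepteula -i $configPath

# Sysmon puts its fields under EventData; AppLocker puts its fields under UserData/RuleAndFileData.
function Get-SysmonField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

function Get-AppLockerField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.UserData.RuleAndFileData.$Name
}

# Sysmon only records; the AppLocker rule from step 2 is what actually denies execution.
function Get-CredentialTheftEvents {
    param([int]$MaxEvents = 200)

    $procCreate = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'Sysmon 1 (ProcessCreate)'
            Image  = Get-SysmonField $_ 'Image'
            Detail = 'parent: ' + (Get-SysmonField $_ 'ParentImage')
            User   = Get-SysmonField $_ 'User'
        }
    }

    $lsassAccess = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'Sysmon 10 (ProcessAccess)'
            Image  = Get-SysmonField $_ 'SourceImage'
            Detail = 'granted access: ' + (Get-SysmonField $_ 'GrantedAccess')
            User   = Get-SysmonField $_ 'SourceUser'
        }
    }

    $blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'AppLocker 8004 (blocked)'
            Image  = Get-AppLockerField $_ 'FilePath'
            Detail = 'rule: ' + (Get-AppLockerField $_ 'RuleName')
            User   = Get-AppLockerField $_ 'TargetUser'
        }
    }

    @($procCreate) + @($lsassAccess) + @($blocked) | Sort-Object Time -Descending
}

Get-CredentialTheftEvents | Format-Table -AutoSize
```

Run the query on a schedule or ship the three logs to your SIEM; a Sysmon Event ID 1 for a Mimikatz-like image with no matching AppLocker 8004 means the binary was not covered by the deny rule (different hash or a path outside the rule) and ran.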
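The LSASS protection step is a registry change plus a reboot, but in practice it is rolled out in two phases: audit first, so that any LSA plugin or driver that would be refused under protection shows up in the log, then enforce. The script below is an added example, not from the original post; the registry values (AuditLevel, RunAsPPL), the CodeIntegrity events 3065/3066, and the Wininit boot event 12 are the ones Microsoft documents for LSA Protection, and nothing in it is environment-specific. It also enables the logon auditing the page recommends in the same step.

```powershell
# Added example (not from the original post): put LSA Protection into audit mode, enable it
# (RunAsPPL), verify it after reboot, and turn on logon auditing.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Audit mode: LSASS stays unprotected but CodeIntegrity/Operational logs 3065/3066 for any
# plugin or driver that would fail to load once protection is on. Run this for a while first.
function Enable-LsaProtectionAudit {
    $auditKey = Join-Path $lsaKey 'LSASS.exe'
    if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
    Set-ItemProperty -Path $auditKey -Name AuditLevel -Type DWord -Value 8
}

function Get-LsaProtectionAuditFindings {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Enforcement: RunAsPPL = 1 starts LSASS as a protected process (PPL) from the next boot.
function Enable-LsaProtection {
    Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Type DWord -Value 1
    Write-Host 'RunAsPPL set; LSASS becomes a protected process after the next reboot.'
}

# Verification: the registry value plus Wininit's boot-time System event 12
# ("LSASS.exe was started as a protected process with level: 4").
function Test-LsaProtection {
    $value = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL        = $value
        ProtectedAtBoot = ($null -ne $bootEvent) -and ($bootEvent.Message -match 'protected process')
        BootMessage     = $bootEvent.Message
    }
}

# Logon auditing: success and failure for the Logon and Credential Validation subcategories,
# which produce Security events 4624/4625 and 4776.
function Enable-LogonAuditing {
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"Logon"
}

# Typical order: audit, review the findings for a few days, then enforce and reboot.
Enable-LsaProtectionAudit
Get-LsaProtectionAuditFindings
# Enable-LsaProtection    # run once the audit log is clean, then restart the host
Enable-LogonAuditing
Test-LsaProtection
```

If Test-LsaProtection shows RunAsPPL set but ProtectedAtBoot false, the host has not been rebooted since the change, or the boot event has rolled out of the System log; check the most recent boot's events before assuming the setting failed.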