1. David Veuve

    FYI, this detection does not really work anymore. It is based on legacy tools (old old old mimikatz), and hasn’t worked reliably in close to 3 years.

    1. Anup

      It's getting tougher with different modules of mimikatz and one of the issues around implementing & writing the query is the data source. Looking only at the event codes is not that helpful unless you can correlate with the endpoint logs.
