I want to create an Application and Device Control policy to detect Mimikatz in memory, as our red teamers keep bypassing SEP AV, SONAR and signatures.
Reference for Mimikatz: https://securityriskadvisors.com/blog/detecting-in-memory-mimikatz/
Example scenario: Mimikatz is spawned in the context of rundll32.exe, then always loads two specific DLLs (vaultcli.dll and wlanapi.dll). Is there a way to set up ADC to log and block a process if the process image loads both vaultcli.dll and wlanapi.dll?
I have already tested this: monitor all processes, then if a process loads either of the DLLs in the condition (vaultcli.dll and wlanapi.dll), log an event. In reality what is being logged is if process X spawns vaultcli.dll OR process X spawns wlanapi.dll. This is not very helpful since I have thousands of events generated.
Has anyone done this in SEP 14.x? I have read numerous documents and found no clear answer on whether this is possible. I need help.
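Whether ADC can express the AND condition natively is the open question above; one way to get the same result from the OR-style events it already produces is to correlate them per process after export. The script below is an added example, not code from the original post or from Symantec, and it makes no claim about SEP's own rule syntax. The log line format (timestamp, PID, process image, loaded module) is constructed for illustration; the parse_line() function is the only part that would need adapting to a real export. A hit requires both vaultcli.dll and wlanapi.dll to be loaded by the same PID/image within a short window, which is the behaviour the referenced write-up describes for in-memory Mimikatz; it also counts the single-DLL matches so the noise reduction is visible.

```python
"""Correlate per-process module-load events so that a hit requires BOTH
vaultcli.dll and wlanapi.dll in the same process (AND), instead of the
one-event-per-DLL (OR) logging described in the post.

Added example; the log format is constructed and not an SEP export format.
"""
from collections import defaultdict
from datetime import datetime

REQUIRED_DLLS = {"vaultcli.dll", "wlanapi.dll"}

# Constructed sample export: timestamp,pid,process_image,loaded_module
# Only PID 5532 (rundll32.exe) loads both DLLs; the others load just one.
SAMPLE_LOG = r"""2019-05-01T10:00:01,4120,C:\Windows\System32\svchost.exe,C:\Windows\System32\wlanapi.dll
2019-05-01T10:00:02,5532,C:\Windows\System32\rundll32.exe,C:\Windows\System32\vaultcli.dll
2019-05-01T10:00:03,5532,C:\Windows\System32\rundll32.exe,C:\Windows\System32\WlanAPI.dll
2019-05-01T10:00:05,6010,C:\Program Files\Outlook\outlook.exe,C:\Windows\System32\vaultcli.dll
2019-05-01T10:00:09,7777,C:\Windows\System32\rundll32.exe,C:\Windows\System32\wlanapi.dll
"""


def parse_line(line):
    """Parse one constructed log line; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, pid, image, module = line.split(",", 3)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "module": module}


def module_basename(path):
    """Lower-cased file name so C:\\...\\WlanAPI.dll matches 'wlanapi.dll'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def count_or_alerts(lines, required=REQUIRED_DLLS):
    """How many events an 'either DLL' rule fires on (the noisy baseline)."""
    return sum(1 for ln in lines
               if (ev := parse_line(ln)) and module_basename(ev["module"]) in required)


def correlate(lines, required=REQUIRED_DLLS, window_seconds=60):
    """Return one hit per (pid, image) that loaded every required DLL.

    The first load time of each DLL is kept; a hit also requires the loads
    to fall within window_seconds of each other, since the Mimikatz case
    loads both almost at once and a long-lived process that happens to
    touch both DLLs hours apart is a different story.
    """
    first_seen = defaultdict(dict)  # (pid, image) -> {dll: first timestamp}
    for ln in lines:
        ev = parse_line(ln)
        if ev is None:
            continue
        name = module_basename(ev["module"])
        if name in required:
            first_seen[(ev["pid"], ev["image"])].setdefault(name, ev["ts"])

    hits = []
    for (pid, image), loaded in first_seen.items():
        if not required <= set(loaded):
            continue  # only one of the DLLs: this is the OR noise, skip it
        times = sorted(loaded.values())
        span = (times[-1] - times[0]).total_seconds()
        if span <= window_seconds:
            hits.append({"pid": pid, "image": image,
                         "first_load": times[0], "span_seconds": span})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("single-DLL (OR) events:", count_or_alerts(lines))
    for hit in correlate(lines):
        print("BOTH DLLs loaded by pid %d %s within %.0fs"
              % (hit["pid"], hit["image"], hit["span_seconds"]))
```

Run against a real export, the interesting output is the hit list, which is what you would feed into a blocking rule or an alert; the OR count is only there to show how many of the original events collapse into it. Note that this is post-hoc correlation, so it logs but cannot block the way an in-policy ADC rule would.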