Detecting Mimikatz in Lateral Movements Using Windows API Call Sequence Analysis
- Resource Type
- Conference
- Authors
- Elgohary, Nader; Abdelbaki, Nashwa
- Source
2022 4th Novel Intelligent and Leading Emerging Sciences Conference (NILES), pp. 306-310, Oct. 2022
- Subject
Bioengineering
Communication, Networking and Broadcast Technologies
Components, Circuits, Devices and Systems
Computing and Processing
Engineered Materials, Dielectrics and Plasmas
Power, Energy and Industry Applications
Robotics and Control Systems
Signal Processing and Analysis
Sequences
Real-time systems
APT
Credentials Theft
Mimikatz Lateral Movements
Mimikatz
Windows API Sequence Analysis
- Language
- Abstract
Advanced Persistent Threat (APT) attacks are classified as high-impact, stealthy attacks on modern networks. They use sophisticated techniques that make them very difficult to detect, and they can remain undetected for an extended period after gaining unauthorized access by moving laterally through the target network. Depending on the tooling an APT group uses, responding to an attack in progress can be difficult and involved. Mimikatz is a credential theft tool used in many APT campaigns to reach their objectives. During execution it calls Windows APIs in a particular order, and that ordering exposes the APT group to detection while it moves laterally inside the targeted network. This paper focuses on detecting APT activity, specifically Mimikatz lateral movement, by analysing the sequence of Windows API calls. The primary objective is to reduce the time needed to detect any Mimikatz version in the network through real-time monitoring and analysis of the Windows API call sequence. The study shows that APT attacks can be detected as they move inside the victim's environment.
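The abstract describes the detection idea (an ordered sequence of Windows API calls, matched per process in real time) but not the paper's actual signature or trace format. The following is an added illustration, not code from the paper or its authors: a streaming matcher that keeps per-process state, advances one step each time the next API call in a signature is seen (other calls may be interleaved), and raises an alert when the final step completes within a time window. The signature used here, OpenProcess on lsass.exe with PROCESS_VM_READ followed by ReadProcessMemory on lsass.exe, is an assumed illustrative sequence for LSASS credential dumping, not the sequence the paper identified, and the trace lines and their `ts pid=… image=… api=… key=value` format are constructed for this example.

```python
"""Streaming, per-process matching of an ordered Windows API call signature.

The signature, the trace format and the sample trace below are constructed
for illustration; they are not taken from the paper this page describes.
"""
import re
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # Win32 process access right needed by ReadProcessMemory

# Constructed trace line format: "<ts_ms> pid=<n> image=<name> api=<Name> [key=value ...]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+api=(?P<api>\w+)(?P<rest>.*)$"
)


def parse_event(line):
    """Parse one trace line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": int(m["ts"]), "pid": int(m["pid"]), "image": m["image"], "api": m["api"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["rest"]))  # remaining key=value arguments
    return ev


def opens_lsass_for_read(ev):
    """Step predicate: OpenProcess aimed at lsass.exe with a memory-read right."""
    if ev.get("target", "").lower() != "lsass.exe":
        return False
    try:
        access = int(ev.get("access", "0"), 16)
    except ValueError:
        return False
    return bool(access & PROCESS_VM_READ)


# ASSUMED illustrative signature (not the paper's): ordered steps, each an
# (api name, argument predicate) pair, which must complete within window_ms.
LSASS_READ_SIGNATURE = {
    "name": "lsass-memory-read",
    "steps": [
        ("OpenProcess", opens_lsass_for_read),
        ("ReadProcessMemory", lambda ev: ev.get("target", "").lower() == "lsass.exe"),
    ],
    "window_ms": 5000,
}


class ApiSequenceMonitor:
    """Feed trace lines one at a time; get alerts as soon as a signature completes."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        # One partial-match state per (pid, signature): current step and start time.
        self.state = defaultdict(lambda: {"step": 0, "start_ts": None})

    def feed(self, line):
        ev = parse_event(line)
        if ev is None:
            return []
        alerts = []
        for sig in self.signatures:
            st = self.state[(ev["pid"], sig["name"])]
            # Abandon a partial match whose window has expired.
            if st["start_ts"] is not None and ev["ts"] - st["start_ts"] > sig["window_ms"]:
                st["step"], st["start_ts"] = 0, None
            api, pred = sig["steps"][st["step"]]
            if ev["api"] == api and pred(ev):
                if st["step"] == 0:
                    st["start_ts"] = ev["ts"]
                st["step"] += 1
                if st["step"] == len(sig["steps"]):
                    alerts.append({
                        "signature": sig["name"],
                        "pid": ev["pid"],
                        "image": ev["image"],
                        "ts": ev["ts"],
                        # Time from the first matching call to the alert.
                        "latency_ms": ev["ts"] - st["start_ts"],
                    })
                    st["step"], st["start_ts"] = 0, None
        return alerts


def scan(lines, signatures=(LSASS_READ_SIGNATURE,)):
    """Run the monitor over an iterable of trace lines and collect every alert."""
    monitor = ApiSequenceMonitor(signatures)
    alerts = []
    for line in lines:
        alerts.extend(monitor.feed(line))
    return alerts


# Constructed sample trace: one process reads LSASS memory, one only queries
# LSASS without a read right, and one reads memory of an unrelated process.
SAMPLE_TRACE = [
    "1000 pid=4412 image=mimi.exe api=OpenProcess target=lsass.exe access=0x1010",
    "1001 pid=7720 image=taskmgr.exe api=OpenProcess target=lsass.exe access=0x1000",
    "1002 pid=4412 image=mimi.exe api=VirtualQueryEx target=lsass.exe",
    "1003 pid=7720 image=taskmgr.exe api=QueryFullProcessImageNameW target=lsass.exe",
    "1004 pid=8800 image=dbg.exe api=OpenProcess target=notepad.exe access=0x1fffff",
    "1005 pid=4412 image=mimi.exe api=ReadProcessMemory target=lsass.exe size=65536",
    "1006 pid=8800 image=dbg.exe api=ReadProcessMemory target=notepad.exe size=4096",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRACE):
        print(alert)
```

Only pid 4412 completes the sequence; taskmgr.exe opens lsass.exe without PROCESS_VM_READ and never reads it, and dbg.exe reads memory of a different process. Keying the state on (pid, signature) rather than on the image name is deliberate: a renamed or recompiled Mimikatz build still has to issue the same calls, which is the property the abstract relies on.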