sysmon-config
Adding a GrantedAccess filter to catch credential dumping from LSASS.

Modification: under the <ProcessAccess onmatch="include"> group, add:

<GrantedAccess condition="is">0x1010</GrantedAccess>

0x1010 is PROCESS_VM_READ (0x0010) combined with PROCESS_QUERY_LIMITED_INFORMATION (0x1000), the minimum access a tool needs to read another process's memory. When mimikatz (sekurlsa::logonpasswords) opens lsass.exe to dump credentials it requests this mask, or 0x1410 (the same bits plus PROCESS_QUERY_INFORMATION), so the rule makes Sysmon log a ProcessAccess event (Event ID 10) for the handle open.

Caveats: an exact match on 0x1010 misses dumpers that ask for a broader mask such as 0x1410 or 0x1fffff (PROCESS_ALL_ACCESS), and on its own the filter matches 0x1010 access to any target process, so expect noise from legitimate software; scoping the rule to TargetImage lsass.exe keeps the volume manageable. To confirm the rule fires, run a test against LSASS on a lab host and check the Microsoft-Windows-Sysmon/Operational log for Event ID 10 with TargetImage ending in lsass.exe (for example with Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10}).
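As an added example that is not part of this fork's config, the fragment below shows the same GrantedAccess filter scoped to lsass.exe and extended to the broader masks, using Sysmon's <Rule groupRelation="and"> (schema 4.22 or later) so that TargetImage and GrantedAccess must both match. The lsass.exe path and the excluded SourceImage entries are illustrative assumptions to be tuned against your own baseline; drop them into the existing ProcessAccess include/exclude groups rather than as a second copy.

```xml
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Exclusions first: known-good processes that legitimately open LSASS.
         These SourceImage values are assumptions; tune them to the environment. -->
    <RuleGroup name="LSASS access exclusions" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
        <SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
      </ProcessAccess>
    </RuleGroup>

    <!-- Inclusions: log Event ID 10 when lsass.exe is opened with an access mask
         that permits reading its memory. Each <Rule> ANDs its two conditions;
         the rules themselves are ORed by the enclosing group. -->
    <RuleGroup name="LSASS credential access" groupRelation="or">
      <ProcessAccess onmatch="include">
        <!-- 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION -->
        <Rule groupRelation="and">
          <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
          <GrantedAccess condition="is">0x1010</GrantedAccess>
        </Rule>
        <!-- 0x1410 = 0x1010 | PROCESS_QUERY_INFORMATION -->
        <Rule groupRelation="and">
          <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
          <GrantedAccess condition="is">0x1410</GrantedAccess>
        </Rule>
        <!-- 0x1fffff = PROCESS_ALL_ACCESS, requested by less careful dumpers -->
        <Rule groupRelation="and">
          <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
          <GrantedAccess condition="is">0x1fffff</GrantedAccess>
        </Rule>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply with sysmon64 -c <file> and then exercise the rule on a lab host; a matching Event ID 10 should carry the offending SourceImage, the lsass.exe TargetImage, the GrantedAccess mask, and a CallTrace that helps distinguish a scripted dumper from a debugger or EDR agent.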