Thought this template might be helpful if you want to do this:

Rule {
Process {
Include AggregateMatch {
#Use this section for generic apps where you don't need to specify a command line
Include OBJECT_NAME { -v ** }
Exclude OBJECT_NAME {
-v "insert path here\\file.exe"
-v "insert path here\\file.exe"
-v "insert path here\\file.exe"
}
#Exclude McAfee signed processes
Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
}

Include AggregateMatch {
#Use this section for a single app where you need to specify one or more command lines to exclude. Duplicate this section for each. Anything added here must also be excluded in the top group.
Include OBJECT_NAME {
-v "insert path here\\file.exe"
}
Exclude PROCESS_CMD_LINE {
-v "*command line snippet1*"
-v "*command line snippet2*"
}
}
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v "c:\\windows\\system32\\lsass.exe" }
Include -nt_access "!0x0010"
}
}
}

In the past, Mimikatz was not detected. I previously had ENS 10.6.1 in place and just completed an upgrade to ENS / ATP 10.7. I just completed testing using Mimikatz 2.2.0.

It appears that we are covered. I am not sure if 10.7 detects Mimikatz better or if it was a simple change to an existing Access Control Policy that was made previously (possibly both.)

Testing has been successful based on the following:

A “On Access Scan” or On Demand Scan using ENS 10,7 resulted in the file being immediately deleted.
Even the associated .DLL files were detected as Potentially Unwanted Programs.
I ran Mimikatz.exe from a CMD prompt (elevated or otherwise) and this was blocked based on the following Access Protection Rule: "Executing Mimikatz malware"

I need to understand the role of LSASS  better and I will look into this.

Thank you.

Just be careful with that APR.  I *think* it only triggers on the file name "mimikatz.exe"  

Dave

Thank you as always...I will follow up with McAfee as well.

Regards.

I know the April 10.7 update has bug that breaks the scheduling of an On Demand scan...

Ragrards.