通过监测DLL调用探测Mimikatz 通过Sysmon的-l参数可以探测到DLL加载(ImageLoaded): REF: https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
