Neo23x0 / Loki

Loki - Simple IOC and YARA Scanner
https://www.nextron-systems.com/compare-our-scanners/
GNU General Public License v3.0

False positive in hacktool_windows_mimikatz_modules rule? #240

Closed jcrg-rj closed 1 year ago

jcrg-rj commented 1 year ago

Hello,

I'm using Loki to scan a memory dump and in some processes the information below is identified. Can you help me with this, what to consider in this case?

[WARNING] FILE: d:\name\System-4\files\modules\klupd_Kaspersky4Win-21-13_arkmon.sys SCORE: 70 TYPE: EXE SIZE: 345600 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / <filter object at 0x000002014EA1DAE0> MD5: e2987cf2e240fee721f05e0fe5207319 SHA1: 88104729caa79ad9e2ce6ce3b15335ae42c948d1 SHA256: 868ea7aeeffc822683a81f60a3a3d927328f80c39e050737ee8690b1aa1108fa CREATED: Sun Jul 23 17:34:44 2023 MODIFIED: Sun Jul 23 17:34:44 2023 ACCESSED: Sun Jul 23 17:34:44 2023 REASON_1: Yara Rule MATCH: hacktool_windows_mimikatz_modules SUBSCORE: 70 DESCRIPTION: Mimikatz credential dump tool: Modules REF: https://github.com/gentilkiwi/mimikatz AUTHOR: @fusionrace MATCHES: $s2: 'mimidrv

Using Die (Detect It Easy) the following strings are identified in the klupd_Kaspersky4Win-21-13_arkmon.sys file:

| Offset | Size | Type | String |
|---|---|---|---|
| 00032f10 | 09 | A | mimidrv.a |
| 00032f20 | 13 | A | *\AMD64\MIMIDRV.PDB |
| 00032f40 | 0f | A | \Device\mimidrv |
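The warning line above can be broken into structured fields so that a hit like this one can be triaged rather than read by eye. What follows is an added example, not Loki's own code and not part of this issue thread: a parser for result lines of the shape shown in the report, plus a small heuristic that flags YARA reasons which matched only a single string (here the one `$s2` hit on the `mimidrv` driver name inside a vendor driver). The sample line is the one from the report; the grouping of `MATCH`/`SUBSCORE`/`DESCRIPTION`/`REF`/`AUTHOR`/`MATCHES` under each `REASON_n` is an assumption of the example, as is the "fewer than two strings" threshold, which is not Loki's scoring logic.

```python
import re

# Field names exactly as they appear in the Loki warning line quoted in the report.
# REASON_n is numbered; "MATCHES" is listed before "MATCH" so the alternation
# prefers the longer key and does not cut "MATCHES:" short.
_KEYS = [
    "FILE", "SCORE", "TYPE", "SIZE", "FIRST_BYTES", "MD5", "SHA1", "SHA256",
    "CREATED", "MODIFIED", "ACCESSED", r"REASON_\d+",
    "MATCHES", "MATCH", "SUBSCORE", "DESCRIPTION", "REF", "AUTHOR",
]
_KEY_RE = re.compile(r"\b(" + "|".join(_KEYS) + r"):\s")
_LEVEL_RE = re.compile(r"^\[(\w+)\]\s*")
_INT_FIELDS = {"SCORE", "SIZE", "SUBSCORE"}
# Assumption: these fields describe the most recent REASON_n, not the file itself.
_REASON_FIELDS = {"MATCH", "SUBSCORE", "DESCRIPTION", "REF", "AUTHOR", "MATCHES"}

# The line from the report above (raw string: the path contains "\n" and "\f").
SAMPLE_LINE = (
    r"[WARNING] FILE: d:\name\System-4\files\modules\klupd_Kaspersky4Win-21-13_arkmon.sys "
    r"SCORE: 70 TYPE: EXE SIZE: 345600 "
    r"FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / <filter object at 0x000002014EA1DAE0> "
    r"MD5: e2987cf2e240fee721f05e0fe5207319 SHA1: 88104729caa79ad9e2ce6ce3b15335ae42c948d1 "
    r"SHA256: 868ea7aeeffc822683a81f60a3a3d927328f80c39e050737ee8690b1aa1108fa "
    r"CREATED: Sun Jul 23 17:34:44 2023 MODIFIED: Sun Jul 23 17:34:44 2023 ACCESSED: Sun Jul 23 17:34:44 2023 "
    r"REASON_1: Yara Rule MATCH: hacktool_windows_mimikatz_modules SUBSCORE: 70 "
    r"DESCRIPTION: Mimikatz credential dump tool: Modules REF: https://github.com/gentilkiwi/mimikatz "
    r"AUTHOR: @fusionrace MATCHES: $s2: 'mimidrv"
)


def parse_loki_line(line):
    """Split one Loki result line into file-level fields plus a list of reasons."""
    m = _LEVEL_RE.match(line)
    level = m.group(1) if m else None
    rest = line[m.end():] if m else line
    # parts = [prefix, key1, value1, key2, value2, ...]
    parts = _KEY_RE.split(rest)
    record = {"level": level, "reasons": []}
    current = None
    for key, raw in zip(parts[1::2], parts[2::2]):
        value = raw.strip()
        if key.startswith("REASON_"):
            current = {"kind": value}  # e.g. "Yara Rule"
            record["reasons"].append(current)
            continue
        if key in _INT_FIELDS:
            value = int(value)
        if key in _REASON_FIELDS and current is not None:
            current[key] = value
        else:
            record[key] = value
    # Loki printed a stray Python object repr after the hex bytes; keep only the hex.
    if "FIRST_BYTES" in record:
        record["FIRST_BYTES"] = record["FIRST_BYTES"].split(" / ")[0]
    return record


def matched_string_ids(reason):
    """Return the YARA string identifiers ($s1, $s2, ...) listed under MATCHES."""
    return re.findall(r"\$\w+", reason.get("MATCHES", ""))


def needs_manual_review(record, min_strings=2):
    """Heuristic (assumption of this example, not Loki's scoring): a YARA reason
    that matched fewer than `min_strings` strings is a context-free hit, like the
    single 'mimidrv' hit in the report, and should be verified before acting on it."""
    return [
        r["MATCH"] for r in record["reasons"]
        if r.get("kind") == "Yara Rule" and len(matched_string_ids(r)) < min_strings
    ]


if __name__ == "__main__":
    rec = parse_loki_line(SAMPLE_LINE)
    print(rec["level"], rec["FILE"], rec["SHA256"])
    for reason in rec["reasons"]:
        print(" ", reason["MATCH"], reason["SUBSCORE"], matched_string_ids(reason))
    print("needs manual review:", needs_manual_review(rec))
```

Running the script prints the file path and hash, the one matched rule with its single `$s2` string, and lists `hacktool_windows_mimikatz_modules` as a hit to verify by hand, which is exactly the step the reporter took with Detect It Easy before raising the issue.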

Neo23x0 commented 1 year ago

fixed in https://github.com/Neo23x0/signature-base/pull/276