Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

False positive in hacktool_windows_mimikatz_modules rule? #272

Open jcrg-rj opened 1 year ago

jcrg-rj commented 1 year ago

Hello, I'm using Loki to scan a memory dump, and in some processes the information below is identified. Can you help me with this? What should I consider in this case?

[WARNING] FILE: d:\name\System-4\files\modules\klupd_Kaspersky4Win-21-13_arkmon.sys SCORE: 70 TYPE: EXE SIZE: 345600 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / <filter object at 0x000002014EA1DAE0> MD5: e2987cf2e240fee721f05e0fe5207319 SHA1: 88104729caa79ad9e2ce6ce3b15335ae42c948d1 SHA256: 868ea7aeeffc822683a81f60a3a3d927328f80c39e050737ee8690b1aa1108fa CREATED: Sun Jul 23 17:34:44 2023 MODIFIED: Sun Jul 23 17:34:44 2023 ACCESSED: Sun Jul 23 17:34:44 2023 REASON_1: Yara Rule MATCH: hacktool_windows_mimikatz_modules SUBSCORE: 70 DESCRIPTION: Mimikatz credential dump tool: Modules REF: https://github.com/gentilkiwi/mimikatz AUTHOR: @fusionrace MATCHES: $s2: 'mimidrv

Using DIE (Detect It Easy), the following strings are identified in the klupd_Kaspersky4Win-21-13_arkmon.sys file:

| Offset | Size | Type | String |
|---|---|---|---|
| 00032f10 | 09 | A | mimidrv.a |
| 00032f20 | 13 | A | *\AMD64\MIMIDRV.PDB |
| 00032f40 | 0f | A | \Device\mimidrv |
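As an added example (not code from the issue author, from Loki or from signature-base), the following Python script reproduces the check done above in DIE without the GUI: it extracts printable-ASCII strings from a binary and lists the ones that contain the string the YARA rule matched on, with offset and size, so a scanner hit can be tied to concrete bytes. The `SAMPLE` buffer is constructed and stands in for the driver image; it only reproduces the three strings DIE reported, at made-up offsets, and makes no claim about the rest of the real file or the rule's full string set.

```python
import re

# Constructed stand-in for the scanned driver image. It is NOT the real
# klupd_Kaspersky4Win-21-13_arkmon.sys; it only embeds the three strings that
# DIE reported, separated by zero filler, so the script runs offline.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"  # MZ header stub
    + b"\x00" * 0x40
    + b"mimidrv.a\x00"              # offset 0x50 in this constructed buffer
    + b"\x00" * 6
    + b"*\\AMD64\\MIMIDRV.PDB\x00"  # offset 0x60
    + b"\x00" * 12
    + b"\\Device\\mimidrv\x00"      # offset 0x80
    + b"\x00" * 0x20
)


def extract_ascii_strings(data, min_len=5):
    """Return (offset, text) pairs for runs of printable ASCII of at least
    min_len bytes, the same thing DIE's string view or `strings` shows."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_indicator_hits(data, indicator, min_len=5):
    """Locate every extracted string that contains `indicator`
    (case-insensitive) and return DIE-style Offset/Size/String rows, so a
    YARA match on that string can be cross-checked against the binary."""
    needle = indicator.lower()
    return [
        {"offset": off, "size": len(text), "string": text}
        for off, text in extract_ascii_strings(data, min_len)
        if needle in text.lower()
    ]


def format_die_table(hits):
    """Render hits in the Offset / Size / Type / String layout used above.
    Type is always 'A' here because only ASCII strings are extracted."""
    lines = ["Offset   Size Type String"]
    for h in hits:
        lines.append("%08x %02x   A    %s" % (h["offset"], h["size"], h["string"]))
    return "\n".join(lines)


def main():
    hits = find_indicator_hits(SAMPLE, "mimidrv")
    print(format_die_table(hits))


if __name__ == "__main__":
    main()
```

Run against the real file (`open(path, "rb").read()` instead of `SAMPLE`), the table tells you which bytes triggered the rule. It does not tell you whether those bytes are mimidrv's own build artifacts or a security product referencing the device name it looks for; the strings alone cannot settle that, so the file's Authenticode signature and origin are the next thing to check.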