I am currently using Sigmac with -t xpack-watcher -c helk.yml for the rule sysmon_mimikatz_inmemory_detection.yml. I noticed in the rule that it has an exclusion list. Unless I misunderstand the rule, these images should not be matched against for positives (condition: selector | near dllload1 and dllload2 and not exclusion). However, when the watch is created the query does not exclude these values, and thus I had them show up in the data retrieved. I read the source article and it seems those values were eliminated from matching images when new types of mimikatz were identified. The system being monitored is Windows 10 with the detection occurring this month. I would assume that the newer conditions would apply. I am pretty sure that this is a false positive, unless I misunderstand how the rule.
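To make the condition's intended semantics concrete, the following added example (not the poster's code, not Sigma's or sigmac's) evaluates `selector | near dllload1 and dllload2 and not exclusion` over constructed Sysmon image-load events, with a flag that drops the exclusion the way the poster describes the generated watcher query doing. The DLL and image names, the 30-second `near` window and the per-process grouping are assumptions for illustration, not the real rule's values.

```python
from datetime import datetime, timedelta
# Constructed Sigma-style detection maps; field values are placeholders, not the real rule's.
RULE = {
    "selector": {"EventID": 7},
    "dllload1": {"ImageLoaded|endswith": "\\placeholder_a.dll"},
    "dllload2": {"ImageLoaded|endswith": "\\placeholder_b.dll"},
    "exclusion": {"Image|endswith": ["\\excluded_proc.exe"]},
}
WINDOW = timedelta(seconds=30)  # assumed time window for the 'near' aggregation

def matches(event, detection):
    """A Sigma detection map holds when every field condition holds; list values are OR-ed."""
    for key, wanted in detection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()
        options = [str(w).lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
        if modifier == "endswith":
            if not any(value.endswith(w) for w in options):
                return False
        elif value not in options:
            return False
    return True

def evaluate_near(events, rule=RULE, window=WINDOW, apply_exclusion=True):
    """Per process: both DLL loads within the window, and no event in it matches the exclusion."""
    by_proc = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if matches(ev, rule["selector"]):
            by_proc.setdefault((ev["host"], ev["ProcessId"]), []).append(ev)
    hits = []
    for key, evs in by_proc.items():
        for anchor in (e for e in evs if matches(e, rule["dllload1"])):
            nearby = [e for e in evs if abs(e["ts"] - anchor["ts"]) <= window]
            if not any(matches(e, rule["dllload2"]) for e in nearby):
                continue
            if apply_exclusion and any(matches(e, rule["exclusion"]) for e in nearby):
                continue  # the loading image is on the exclusion list: suppress the hit
            hits.append(key)
            break
    return hits

def _ev(sec, pid, image, dll):
    return {"ts": datetime(2020, 1, 1, 12, 0, sec), "host": "host1", "EventID": 7,
            "ProcessId": pid, "Image": f"C:\\Windows\\{image}", "ImageLoaded": f"C:\\Windows\\{dll}"}

# Constructed sample Sysmon image-load events (EventID 7).
EVENTS = [
    _ev(0, 100, "excluded_proc.exe", "placeholder_a.dll"),  # excluded image loads both DLLs
    _ev(5, 100, "excluded_proc.exe", "placeholder_b.dll"),
    _ev(10, 200, "unknown.exe", "placeholder_a.dll"),       # non-excluded image loads both
    _ev(12, 200, "unknown.exe", "placeholder_b.dll"),
    _ev(20, 300, "other.exe", "placeholder_a.dll"),         # only one DLL: never a hit
]
```

`evaluate_near(EVENTS)` returns only the non-excluded process, while `evaluate_near(EVENTS, apply_exclusion=False)` also returns the excluded one, which is the extra result the poster saw in the watch output.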