SigmaHQ / sigma

Main Sigma Rule Repository

Question on false positives for rule:"sysmon_mimikatz_inmemory_detection.yml" #354

Closed ipninichuck closed 5 years ago

ipninichuck commented 5 years ago

I am currently using Sigmac with -t xpack-watcher -c helk.yml for the rule sysmon_mimikatz_inmemory_detection.yml. I noticed in the rule that it has an exclusion list. Unless I misunderstand the rule, these images should not be matched against for positives (condition: selector | near dllload1 and dllload2 and not exclusion). However, when the watch is created the query does not exclude these values, and thus I had them show up in the data retrieved. I read the source article and it seems those values were eliminated from matching images when new types of mimikatz were identified. The system being monitored is Windows 10, with the detection occurring this month. I would assume that the newer conditions would apply. I am pretty sure that this is a false positive, unless I misunderstand how the rule.

thomaspatzke commented 5 years ago

The near operator is currently not supported by the backends and therefore the exclusion list from the rule doesn't apply to the generated query.
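To make the gap concrete, here is an added example (not code from the Sigma repository or from either commenter) that evaluates a `near`-style condition the way the rule's author intends: two DLL loads by the same process inside a time window, with the exclusion applied. The rule fragment, the DLL and image names, the 30-second window and the Sysmon-like events are all constructed placeholders, not the real contents of sysmon_mimikatz_inmemory_detection.yml. Running it with and without the exclusion reproduces the difference between the rule's semantics and a generated query that silently drops the `not exclusion` part.

```python
"""Illustrative evaluator for a Sigma-style `selector | near a and b and not excl` condition.

Constructed example; the rule fragment and events below are placeholders,
not the real mimikatz in-memory rule or real telemetry.
"""
from datetime import datetime, timedelta

# Constructed rule fragment mimicking the shape of the rule in the issue.
RULE = {
    "selector": {"EventID": 7},                                   # Sysmon ImageLoad
    "dllload1": {"ImageLoaded|endswith": "\\first.dll"},          # placeholder DLL
    "dllload2": {"ImageLoaded|endswith": "\\second.dll"},         # placeholder DLL
    "exclusion": {"Image|endswith": "\\trusted_tool.exe"},        # placeholder image
}
WINDOW = timedelta(seconds=30)  # assumed proximity window for "near"


def matches(event, selection):
    """Return True when every field/modifier pair in `selection` matches `event`."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()
        expected = str(expected).lower()
        if modifier == "endswith":
            ok = actual.endswith(expected)
        elif modifier == "contains":
            ok = expected in actual
        else:
            ok = actual == expected
        if not ok:
            return False
    return True


def evaluate_near(events, apply_exclusion=True):
    """Return the ProcessGuids where dllload1 and dllload2 fire within WINDOW.

    With apply_exclusion=False the function behaves like a generated query
    that ignored the `not exclusion` clause, which is the false positive
    described in the issue.
    """
    by_process = {}
    for ev in events:
        if matches(ev, RULE["selector"]):
            by_process.setdefault(ev["ProcessGuid"], []).append(ev)

    hits = set()
    for guid, evs in by_process.items():
        t1 = [e["UtcTime"] for e in evs if matches(e, RULE["dllload1"])]
        t2 = [e["UtcTime"] for e in evs if matches(e, RULE["dllload2"])]
        near = any(abs(a - b) <= WINDOW for a in t1 for b in t2)
        if not near:
            continue
        if apply_exclusion and any(matches(e, RULE["exclusion"]) for e in evs):
            continue  # the rule's exclusion list suppresses this process
        hits.add(guid)
    return hits


def _ev(guid, image, dll, seconds):
    """Build one constructed Sysmon-like ImageLoad event."""
    return {
        "EventID": 7,
        "ProcessGuid": guid,
        "Image": image,
        "ImageLoaded": dll,
        "UtcTime": datetime(2019, 1, 1, 12, 0, 0) + timedelta(seconds=seconds),
    }


# Constructed sample: process A is on the exclusion list, process B is not,
# and both load the two placeholder DLLs within the window.
EVENTS = [
    _ev("{proc-a}", "C:\\Tools\\trusted_tool.exe", "C:\\Windows\\System32\\first.dll", 0),
    _ev("{proc-a}", "C:\\Tools\\trusted_tool.exe", "C:\\Windows\\System32\\second.dll", 5),
    _ev("{proc-b}", "C:\\Users\\x\\unknown.exe", "C:\\Windows\\System32\\first.dll", 10),
    _ev("{proc-b}", "C:\\Users\\x\\unknown.exe", "C:\\Windows\\System32\\second.dll", 12),
    _ev("{proc-c}", "C:\\Users\\x\\other.exe", "C:\\Windows\\System32\\first.dll", 20),
]

if __name__ == "__main__":
    print("rule semantics:", sorted(evaluate_near(EVENTS)))
    print("exclusion dropped:", sorted(evaluate_near(EVENTS, apply_exclusion=False)))
```

With the exclusion honoured only `{proc-b}` is reported; with it dropped, `{proc-a}` appears as well, which is the extra hit the reporter saw. Until a backend supports `near`, a converted watch for such a rule needs the exclusion re-applied by hand (or the hits triaged against the rule's exclusion list) before they are treated as alerts.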