nasbench
commented
3 weeks ago We keep both as the mimikatz keyword can also be relevant for other type of sigs
Closed ruppde closed 3 weeks ago
nasbench
commented
3 weeks ago We keep both as the mimikatz keyword can also be relevant for other type of sigs
Shorten AV string "Mimikatz" to "mikatz" because of "HackTool:Win32/Mikatz"
Microsoft also uses HackTool:Win32/Mikatz, e.g. 1b441fde04d361a6fd7fbd83e969014622453c263107ce2bed87ad0bff7cf13f
update: Antivirus Hacktool Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz" update: Antivirus Password Dumper Detection - Add the string "mikatz" because of "HackTool:Win32/Mikatz" update: Relevant Anti-Virus Signature Keywords In Application Log - Add the string "mikatz" because of "HackTool:Win32/Mikatz"
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions