Invoke_mimikatz alert about loki HOT 7 CLOSED

I'll apply it to files only by setting a "filesize" in the condition of this rule. This should help.

from loki.

The rule that triggered was the following one

rule Invoke_Mimikatz {
	meta:
		description = "Detects Invoke-Mimikatz String"
		author = "Florian Roth"
		reference = "https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz"
		date = "2016-08-03"
	strings:
		$x1 = "Invoke-Mimikatz" wide fullword
	condition:
      1 of them
}

I suppose that the "SearchProtocolHost.exe" process started indexing the LOKI signature files on disk and that's why the "Invoke-Mimikatz" keyword made its way into memory of that process.

from loki.

Is there a way to fix that behaviour or maybe should I tune some false positive Yara rule? thank you for your support

from loki.

Sorry for the late reply. I would simply filter out this specific alert where you analyze the results.

from loki.

How to ensure that are false positives ? Code improvement ?

from loki.

If it's SearchProtocolHost.exe and the Invoke_Mimikatz YARA rule matching on that process memory than it is most likely a false positive. I could change the code and exclude some rules from process memory matching. Low prio task.

from loki.

I can confirm that this was triggered also while doing the scan. IMHO, would be useful to have this at least in the documentation somewhere as "Possible FPs".

from loki.