Strings in EVTX files not matching
dfirtnt opened this issue · 1 comments
dfirtnt commented
I am using the -p option to scan triage collections from endpoints suspected of compromise. I have a few events which include the terms mimkatz and sekurlsa. However, these are not being caught by LOKI even though these strings appear in the keywords.txt file. Why is this?
My command is: loki.exe -p <> --noprocscan
Are the keywords only used against running processes?
Neo23x0 commented
File size limits.
Better use THOR Lite. In our professional scanner, we parse Windows Eventlogs and apply YARA rules, keywords etc.