Neo23x0/Loki

Strings in EVTX files not matching

dfirtnt opened this issue · 1 comment

I am using the -p option to scan triage collections from endpoints suspected of compromise. I have a few events which include the terms mimkatz and sekurlsa. However, these are not being caught by LOKI even though these strings appear in the keywords.txt file. Why is this?

My command is: loki.exe -p <> --noprocscan

Are the keywords only used against running processes?

File size limits.
Better use THOR Lite. In our professional scanner, we parse Windows Eventlogs and apply YARA rules, keywords etc.