Neo23x0/Loki

False positive in hacktool_windows_mimikatz_modules rule?

jcrg-rj opened this issue · 1 comments

Hello,

I'm using Loki to scan a memory dump, and in some processes the information below is identified. Can you help me with this? What should I consider in this case?

[WARNING]
FILE: d:\name\System-4\files\modules\klupd_Kaspersky4Win-21-13_arkmon.sys SCORE: 70 TYPE: EXE SIZE: 345600
FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / <filter object at 0x000002014EA1DAE0>
MD5: e2987cf2e240fee721f05e0fe5207319
SHA1: 88104729caa79ad9e2ce6ce3b15335ae42c948d1
SHA256: 868ea7aeeffc822683a81f60a3a3d927328f80c39e050737ee8690b1aa1108fa CREATED: Sun Jul 23 17:34:44 2023 MODIFIED: Sun Jul 23 17:34:44 2023 ACCESSED: Sun Jul 23 17:34:44 2023
REASON_1: Yara Rule MATCH: hacktool_windows_mimikatz_modules SUBSCORE: 70
DESCRIPTION: Mimikatz credential dump tool: Modules REF: https://github.com/gentilkiwi/mimikatz AUTHOR: @fusionrace
MATCHES: $s2: 'mimidrv

Using DIE (Detect It Easy), the following strings are identified in the klupd_Kaspersky4Win-21-13_arkmon.sys file:

Offset Size String Type
00032f10 09 A mimidrv.a
00032f20 13 A *\AMD64\MIMIDRV.PDB
00032f40 0f A \Device\mimidrv
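Added example, not part of the issue or of the LOKI project: a small string-triage helper that reproduces what DIE shows for a file, so the reason a string-only YARA rule fired can be confirmed before deciding whether to add the file's hash to an allowlist. It extracts printable ASCII and UTF-16LE strings, keeps those containing the rule's string (here 'mimidrv'), and records the SHA256. The buffer SAMPLE is constructed for the demonstration and is not the real driver; its offsets differ from the DIE listing above. Running the script with a path as its first argument scans that file instead.

```python
import hashlib
import re

# Constructed sample buffer (NOT the real Kaspersky driver): an MZ header plus
# the three strings DIE listed in the issue, and one UTF-16LE copy to show the
# wide-string case. Offsets are therefore different from the issue's.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"mimidrv.a\x00"
    + b"*\\AMD64\\MIMIDRV.PDB\x00"
    + b"\\Device\\mimidrv\x00"
    + b"\x00" * 4
    + "mimidrv".encode("utf-16-le") + b"\x00\x00"
)

PRINTABLE = rb"[\x20-\x7e]"


def find_strings(data, needle, min_len=4):
    """Return (offset, kind, text) for every printable ASCII or UTF-16LE
    string of at least min_len characters that contains `needle`
    (case-insensitive), the same view DIE gives in its Strings tab."""
    needle_l = needle.lower()
    hits = []
    # ASCII runs of printable bytes
    for m in re.finditer(PRINTABLE + rb"{%d,}" % min_len, data):
        text = m.group().decode("ascii")
        if needle_l in text.lower():
            hits.append((m.start(), "ascii", text))
    # UTF-16LE runs: printable byte followed by a NUL, repeated
    wide = rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len
    for m in re.finditer(wide, data):
        text = m.group().decode("utf-16-le")
        if needle_l in text.lower():
            hits.append((m.start(), "utf16le", text))
    return sorted(hits)


def triage(data, needle):
    """Summarise why a string-based rule fired on this buffer: which strings
    carry the needle, whether they look like a device name or a PDB path, and
    the SHA256 a defender would record if the file is confirmed benign."""
    hits = find_strings(data, needle)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "hits": hits,
        "device_object": any(t.lower().startswith("\\device\\") for _, _, t in hits),
        "debug_symbol": any(t.lower().endswith(".pdb") for _, _, t in hits),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data, "mimidrv")
    print("SHA256:", report["sha256"])
    for off, kind, text in report["hits"]:
        print(f"{off:08x} {kind:8} {text}")
```

The point of the two flags in the report is that a `\Device\...` name and a `.pdb` path are exactly the artefacts a driver that itself looks for mimikatz's driver would carry, which is a different situation from a file that is mimidrv; the hash in the report is what goes into LOKI's false-positive handling once that judgement has been made.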