Added wildcards to rule values

These values appear somewhere in a log message, therefore wildcards are required.
2019-05-21 01:03:20 +02:00
parent 194afa739f
commit 2d0c08cc8b
1 changed files with 8 additions and 8 deletions
@@ -10,14 +10,14 @@ logsource:
    product: windows
 detection:
    keywords:
-        - mimikatz
-        - mimilib
-        - <3 eo.oe
-        - eo.oe.kiwi
-        - privilege::debug
-        - sekurlsa::logonpasswords
-        - lsadump::sam
-        - mimidrv.sys
+        - "* mimikatz *"
+        - "* mimilib *"
+        - "* <3 eo.oe *"
+        - "* eo.oe.kiwi *"
+        - "* privilege::debug *"
+        - "* sekurlsa::logonpasswords *"
+        - "* lsadump::sam *"
+        - "* mimidrv.sys *"
    condition: keywords
 falsepositives:
    - Naughty administrators