From 2d0c08cc8b63d7b8a2f89454eada23b3114ebd58 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 21 May 2019 01:03:20 +0200
Subject: [PATCH] Added wildcards to rule values
These values appear somewhere in a log message, therefore wildcards are required.
---
 .../builtin/win_alert_mimikatz_keywords.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 5a1152c12..fe114d875 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -10,14 +10,14 @@ logsource:
 product: windows
 detection:
 keywords:
- - mimikatz
- - mimilib
- - <3 eo.oe
- - eo.oe.kiwi
- - privilege::debug
- - sekurlsa::logonpasswords
- - lsadump::sam
- - mimidrv.sys
+ - "* mimikatz *"
+ - "* mimilib *"
+ - "* <3 eo.oe *"
+ - "* eo.oe.kiwi *"
+ - "* privilege::debug *"
+ - "* sekurlsa::logonpasswords *"
+ - "* lsadump::sam *"
+ - "* mimidrv.sys *"
 condition: keywords
 falsepositives:
 - Naughty administrators
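Review bot: The spaces placed inside the new patterns narrow the match instead of widening it: `"* mimikatz *"` only hits a message where the token is delimited by a space on both sides, so `mimikatz.exe`, a path such as `\tools\mimikatz`, a keyword at the very start or end of the message, or `privilege::debug` immediately followed by a quote or line break would no longer match, which is exactly the kind of event this rule exists to catch. Unless the target backend strips or normalizes keyword values (the hunk does not show which backends are meant), the "appears somewhere in the message" semantics the commit message describes is `"*mimikatz*"`, `"*sekurlsa::logonpasswords*"`, and likewise for the other six values. The quoting itself is required and correct, because an unquoted leading `*` is parsed by YAML as an alias, not as a wildcard. It would also help a maintainer to record in the rule that the bare tool names (`mimikatz`, `mimilib`) are trivially evaded by a renamed binary while the module and driver strings are the more durable indicators, e.g. a comment `# module/command and driver strings are harder to evade than the binary name` above the keyword list.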