
Yara Rules Strings: Statistical Study - based2
http://yararules.com/2017/04/06/yara-rules-strings-statistical-study/
======
brownbat
Fascinating.

I was curious which .exes were not just hijacked legit .exe names. The first
.exe file that's not a normal windows executable is "mshtaex.exe" which seems
to be a disguised (or possibly mistyped) version of the legitimate
"mshta.exe".

Mimikatz slips in the bottom of the list though. If someone's invoking
mimikatz on your systems, that should stick out...

