I have a rather long query for detecting mimikatz operations, and it is triggering a false positive in an unexpected way. The portion of the query in question is:
( … “* p::d *” …)
The ellipses are just placeholders, but the brackets and double-quotes are verbatim. My understanding is that the query is trying to match “privilege::debug”, but I find it is also matching something else that exists organically in our environment, which begins with:
ForFiles /p D:
I had to turn on highlighting to find that it is matching the p D.
Further testing reveals that “* p::d *” and “*p\:\:d *” also match the above, so I think it’s a combination of the quotes and colons.