SigmaHQ / sigma

Main Sigma Rule Repository

FN on Potentially Suspicious Findstr.EXE Execution #4495

Closed Tuutaans closed 1 year ago

Tuutaans commented 1 year ago

Rule UUID

ccb5742c-c248-4982-8c5c-5571b9275ad3

Example EventLog

OriginalFileName: FINDSTR.EXE
CommandLine: findstr /i "defender"
LogonGuid: {8b59c806-0f5b-6532-93bb-1c0000000000}
LogonId: 0x1CBB93
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=FDC776E1297D6E6FB31F8EB0E85771D886A18DC2,MD5=804A6AE28E88689E0CF1946A6CB3FEE5,SHA256=B29BE6DA54121F5D9350C545ECECCE26F30A7F209CE0D9AAEA8E00C27DDA27A2,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F
ParentProcessGuid: {8b59c806-0f86-6532-f800-00000000d400}
ParentProcessId: 2944
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"

Description

When 'tasklist.exe | findstr /i "defender"' is executed, findstr is spawned as a child process of cmd.exe. As a result, the "Potentially Suspicious Findstr.EXE Execution" rule doesn't work.
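The mechanism behind this false negative, as an added example that is not part of the issue or of the Sigma repository: a minimal evaluator for Sigma-style `contains`/`endswith` selections run over the event quoted above. The two selections are hypothetical illustrations (not the real rule's logic); they show that a check which expects the whole pipeline in one CommandLine never sees it, because cmd.exe starts each pipeline stage as its own process.

```python
# Added example, not the Sigma project's code. Evaluates two hypothetical
# selections against the process-creation event quoted in the issue.

# Constructed from the event fields quoted in the issue (values copied).
EVENT = {
    "OriginalFileName": "FINDSTR.EXE",
    "CommandLine": 'findstr /i "defender"',
    "ParentImage": r"C:\Windows\System32\cmd.exe",
    "ParentCommandLine": r'"C:\Windows\system32\cmd.exe"',
}


def field_matches(value: str, modifier: str, patterns) -> bool:
    """Sigma string matching is case-insensitive; a list of patterns is OR."""
    value = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "contains" and p in value:
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "equals" and value == p:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """Every 'Field|modifier' entry of a selection must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier or "equals", patterns):
            return False
    return True


# Hypothetical selection that expects the pipeline in one command line. It
# misses: tasklist and findstr are separate children of cmd.exe, so no
# single CommandLine contains 'tasklist | findstr'.
PIPELINE_IN_CMDLINE = {
    "OriginalFileName": ["FINDSTR.EXE"],
    "CommandLine|contains": ["tasklist"],
}

# Hypothetical selection keyed on findstr's own argument and its shell parent,
# which is what the logged event actually carries.
KEYWORD_WITH_SHELL_PARENT = {
    "OriginalFileName": ["FINDSTR.EXE"],
    "CommandLine|contains": ["defender"],
    "ParentImage|endswith": ["\\cmd.exe"],
}


def evaluate(event=EVENT) -> dict:
    return {
        "pipeline_in_cmdline": selection_matches(event, PIPELINE_IN_CMDLINE),
        "keyword_with_shell_parent": selection_matches(event, KEYWORD_WITH_SHELL_PARENT),
    }
```

Running `evaluate()` on the quoted event returns `False` for the pipeline-style selection and `True` for the keyword-plus-parent one.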

github-actions[bot] commented 1 year ago

Welcome @Tuutaans :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 1 year ago

Hey @Tuutaans

Thanks for reporting this. This indeed seems like an oversight. Will provide a fix as soon as possible :)