FN on Potentially Suspicious Findstr.EXE Execution #4495
Labels
Comments
ABOg4Ti
added
the
False-Positive
|
Welcome @Tuutaans 👋 It looks like this is your first issue on the Sigma rules repository! The following repository accepts issues related to If you're reporting an issue related to the pySigma library please consider submitting it here If you're reporting an issue related to the deprecated sigmac library please consider submitting it here Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃 |
|
Hey @Tuutaans Thanks for reporting this. This indeed seems like an oversight. Will provide a fix as soon as possible :) |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rule UUID
ccb5742c-c248-4982-8c5c-5571b9275ad3
Example EventLog
OriginalFileName: FINDSTR.EXE
CommandLine: findstr /i "defender"
LogonGuid: {8b59c806-0f5b-6532-93bb-1c0000000000}
LogonId: 0x1CBB93
TerminalSessionId: 2
IntegrityLevel: Medium
Hashes: SHA1=FDC776E1297D6E6FB31F8EB0E85771D886A18DC2,MD5=804A6AE28E88689E0CF1946A6CB3FEE5,SHA256=B29BE6DA54121F5D9350C545ECECCE26F30A7F209CE0D9AAEA8E00C27DDA27A2,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F
ParentProcessGuid: {8b59c806-0f86-6532-f800-00000000d400}
ParentProcessId: 2944
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
Description
When executed 'tasklist.exe | findstr /i "defender"', findstr is spawned as the child process of cmd.exe. As a result "Potentially Suspicious Findstr.EXE Execution" rule doesn't work.
The text was updated successfully, but these errors were encountered: