Add proc_creation_win_findstr_susp_parent

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml

@@ -0,0 +1,27 @@
+title: Findstr Suspicious ParentCommandLine
+id: ccb5742c-c248-4982-8c5c-5571b9275ad3
+related: 
+    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
+      type: derived
+status: experimental
+description: Detects findstring commands with a suspicious ParentCommandLine
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
+author: frack113
+date: 2023/07/06
+tags:
+    - attack.discovery
+    - attack.t1057
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_findstr_img:
+        - Image|endswith: '\findstr.exe'
+        - OriginalFileName: 'FINDSTR.EXE'
+    selection_findstr_parent:
+        ParentCommandLine|contains: 'tasklist'
+    condition: all of selection_findstr_* 
+falsepositives:
+    - Unknown
+level: medium