From f9dbb1f41387ee1e9c56d2bfa9b25fff15bacc2a Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 6 Jul 2023 19:51:47 +0200
Subject: [PATCH] Add proc_creation_win_findstr_susp_parent

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
.../proc_creation_win_findstr_susp_parent.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml

diff --git a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
new file mode 100644
index 000000000..284b57fe8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
@@ -0,0 +1,27 @@
+title: Findstr Suspicious ParentCommandLine
+id: ccb5742c-c248-4982-8c5c-5571b9275ad3
+related:
+ - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
+ type: derived
+status: experimental
+description: Detects findstring commands with a suspicious ParentCommandLine
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
+author: frack113
+date: 2023/07/06
+tags:
+ - attack.discovery
+ - attack.t1057
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_findstr_img:
+ - Image|endswith: '\findstr.exe'
+ - OriginalFileName: 'FINDSTR.EXE'
+ selection_findstr_parent:
+ ParentCommandLine|contains: 'tasklist'
+ condition: all of selection_findstr_*
+falsepositives:
+ - Unknown
+level: medium
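Review bot: The `+description:` line says "findstring commands" but the binary the rule matches is findstr, so it should read `description: Detects findstr executed by a parent whose command line contains tasklist`, which also tells the analyst what actually triggers the alert. The `falsepositives` entry `- Unknown` understates a case that is visible in the detection itself: `ParentCommandLine|contains: 'tasklist'` will match any `cmd.exe /c tasklist | findstr <name>` pipeline, which is a routine pattern in administrative batch scripts and monitoring agents, so naming that as a known false positive (`- Administrative scripts and monitoring tools that pipe tasklist into findstr`) sets expectations for tuning before deployment. Given that breadth, `level: medium` with a substring-only parent match may be noisy in environments with heavy scripting; a short comment next to the selection noting that the match is a bare substring and not anchored to a particular process name would help the next maintainer decide whether to add an exclusion filter.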