cscli scenarios install sigmahq/proc_creation_win_findstr_sysmon_discovery_via_default_altitude1type: trigger2name: sigmahq/proc_creation_win_findstr_sysmon_discovery_via_default_altitude3description: |4 Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\find.exe' || evt.Parsed.Image endsWith '\\findstr.exe' || evt.Parsed.OriginalFileName in ['FIND.EXE', 'FINDSTR.EXE']) && evt.Parsed.CommandLine contains ' 385201')7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1518.0011516 label: "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324