Rule UUID
0e4164da-94bc-450d-a7be-a4b176179f1f
Example EventLog
EventCode=4688
...
Message=A new process has been created.
...
Creator Subject:
...
Target Subject:
...
Process Information:
New Process ID: 0xBEEF
New Process Name: C:\Windows\System32\netsh.exe
Token Elevation Type: %%1234
Mandatory Label: S-1-16-12288
Creator Process ID: 0xDEAD
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line: C:\Windows\System32\netsh.exe advfirewall firewall show rule name=all verbose
Description
I discovered a false negative where suspicious traffic is able to avoid detection. The CLI parameters are too specific and don't allow for ".exe" to be at the end of the string.
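As an added example (not part of the report or of the Sigma rule itself), the script below replays the report's 4688 command line through two Sigma-style selections: a constructed over-specific one that assumes the rule keyed on the literal `netsh advfirewall`, and a token-based one that also tolerates `netsh.exe` or a full image path. The field names, both selections and the second sample event are assumptions, since the report does not show the rule's actual patterns.

```python
from typing import Dict, List

# Constructed sample events: the 4688 record from this report, plus a
# variant typed without the full image path (not from the report).
EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"C:\Windows\System32\netsh.exe advfirewall firewall show rule name=all verbose"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall firewall show rule name=all"},
]

# Hypothetical over-specific selection: assumes the rule keyed on the
# literal "netsh advfirewall", which the ".exe" in the sample breaks.
STRICT = {
    "Image|endswith": ["\\netsh.exe"],
    "CommandLine|contains": ["netsh advfirewall firewall show rule"],
}

# Relaxed selection: match the argument tokens independently, so the
# image may appear as "netsh", "netsh.exe", or a full path.
RELAXED = {
    "Image|endswith": ["\\netsh.exe"],
    "CommandLine|contains|all": ["advfirewall", "firewall", "show", "rule", "name=all"],
}

def field_matches(value: str, modifiers: List[str], patterns: List[str]) -> bool:
    """Apply Sigma-style modifiers (contains/startswith/endswith, optional 'all') case-insensitively."""
    v = value.lower()
    mode = next((m for m in modifiers if m != "all"), "exact")
    tests = {
        "contains": lambda p: p in v,
        "startswith": lambda p: v.startswith(p),
        "endswith": lambda p: v.endswith(p),
        "exact": lambda p: v == p,
    }
    hits = [tests[mode](p.lower()) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)

def selection_matches(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    """Every key of a Sigma selection map must match (AND semantics)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True

def evaluate(selection: Dict[str, List[str]]) -> List[bool]:
    """Return the match result for each sample event, in order."""
    return [selection_matches(e, selection) for e in EVENTS]

if __name__ == "__main__":
    print("strict :", evaluate(STRICT))   # [False, True] -> false negative on the report's event
    print("relaxed:", evaluate(RELAXED))  # [True, True]
```

Replaying the reported event through the candidate selection this way is a quick regression check to attach to the fix, so the same gap cannot reopen silently.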