I’ve got an issue with the `processes` table retur...
# general
s
I’ve got an issue with the `processes` table returning incorrect data on 3.4.0 with the `conhost.exe_incorrect_path` query in the windows attack pack. The query `SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';` returned `conhost.exe` for the `name` field, but it returned `C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` for the `path` value with a `cmdline` value for the `chrome.exe` entry listed in `path`.
t
It looks like the query and results are ok. The query is filtering based on “name” but you’re talking about values seen on “cmdline”, maybe I’m confused?
s
yes the query is correct, but the underlying process event seems to be confused since it lists a path and cmdline for a chrome process and not conhost