Remote File Download Via Findstr.EXE

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Sigma rule (View on GitHub)

 1title: Remote File Download Via Findstr.EXE
 2id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
 3related:
 4    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
 5      type: obsolete
 6status: test
 7description: |
 8        Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
 9references:
10    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
11    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
12    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
13author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
14date: 2020-10-05
15modified: 2024-03-05
16tags:
17    - attack.defense-evasion
18    - attack.credential-access
19    - attack.command-and-control
20    - attack.t1218
21    - attack.t1564.004
22    - attack.t1552.001
23    - attack.t1105
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection_findstr:
29        - CommandLine|contains: findstr
30        - Image|endswith: 'findstr.exe'
31        - OriginalFileName: 'FINDSTR.EXE'
32    selection_cli_download_1:
33        CommandLine|contains|windash: ' -v '
34    selection_cli_download_2:
35        CommandLine|contains|windash: ' -l '
36    selection_cli_download_3:
37        CommandLine|contains: '\\\\'
38    condition: selection_findstr and all of selection_cli_download_*
39falsepositives:
40    - Unknown
41level: medium

References

Related rules

to-top