Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Sigma rule (View on GitHub)
1title: Remote File Download Via Findstr.EXE
2id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
3related:
4 - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
5 type: obsoletes
6status: experimental
7description: |
8 Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
9references:
10 - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
11 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
12 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
13author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
14date: 2020/10/05
15modified: 2023/11/12
16tags:
17 - attack.defense_evasion
18 - attack.t1218
19 - attack.t1564.004
20 - attack.t1552.001
21 - attack.t1105
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_findstr:
27 - CommandLine|contains: findstr
28 - Image|endswith: 'findstr.exe'
29 - OriginalFileName: 'FINDSTR.EXE'
30 selection_cli_download_1:
31 CommandLine|contains:
32 - ' /v '
33 - ' -v '
34 selection_cli_download_2:
35 CommandLine|contains:
36 - ' /l '
37 - ' -l '
38 selection_cli_download_3:
39 CommandLine|contains: '\\\\'
40 condition: selection_findstr and all of selection_cli_download_*
41falsepositives:
42 - Unknown
43level: medium
References
-
.. /Findstr.exe Write to ADS, discover, or download files with Findstr.exe Paths: C:\Windows\System32\findstr.exe C:\Windows\SysWOW64\findstr.exe Resources: Alternate data streams Searches for the ...
Read More -
I wrote a blogpost a while back about Alternate data streams that you can find here: After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. …
Read More -
Related rules
- Insensitive Subfolder Search Via Findstr.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- PrintBrm ZIP Creation of Extraction
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Proxy Execution Via Wuauclt.EXE