Findstr Launching .lnk File

Aug 12, 2024 · attack.defense-evasion attack.t1036 attack.t1202 attack.t1027.003 ·

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

Sigma rule (View on GitHub)

 1title: Findstr Launching .lnk File
 2id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
 3status: test
 4description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
 5references:
 6    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 7author: Trent Liffick
 8date: 2020-05-01
 9modified: 2024-01-15
10tags:
11    - attack.defense-evasion
12    - attack.t1036
13    - attack.t1202
14    - attack.t1027.003
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith:
21              - '\find.exe'
22              - '\findstr.exe'
23        - OriginalFileName:
24              - 'FIND.EXE'
25              - 'FINDSTR.EXE'
26    selection_cli:
27        CommandLine|endswith:
28            - '.lnk'
29            - '.lnk"'
30            - ".lnk'"
31    condition: all of selection_*
32falsepositives:
33    - Unknown
34level: medium

References

HHS.gov Open Redirect Used by Coronavirus Phishing to Spread Malware

An HHS.gov open redirect is currently being used by attackers to push malware payloads with the help of coronavirus-themed phishing emails onto unsuspecting victims' systems.

Read More

Findstr Launching .lnk File

Sigma rule (View on GitHub)

References

HHS.gov Open Redirect Used by Coronavirus Phishing to Spread Malware

Related rules