Findstr Launching .lnk File

Detects the use of findstr to locate and execute an .lnk file, as seen in the HHS redirect attack

Sigma rule

title: Findstr Launching .lnk File
id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
status: test
description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
references:
    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
author: Trent Liffick
date: 2020/05/01
modified: 2023/03/06
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1202
    - attack.t1027.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith: '.lnk'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
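To show how the rule's condition is evaluated, here is an added Python example (not part of the Sigma project or of this page) that applies the same matching logic to constructed process-creation events. The field names `Image`, `OriginalFileName` and `CommandLine` are the ones the rule uses; the events and the function names are made up for illustration.

```python
# Added example: evaluate this Sigma rule's condition over process-creation events.
# Sigma semantics reproduced here: string matching is case-insensitive, a list
# under a selection is OR, fields inside one selection are AND, and
# "all of selection_*" ANDs the selections together.
from typing import Dict, List


def selection_img(event: Dict[str, str]) -> bool:
    """selection_img: Image|endswith '\\findstr.exe' OR OriginalFileName 'FINDSTR.EXE'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\findstr.exe") or original == "findstr.exe"


def selection_cli(event: Dict[str, str]) -> bool:
    """selection_cli: CommandLine|endswith '.lnk'."""
    return event.get("CommandLine", "").lower().endswith(".lnk")


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def find_matches(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that trigger the rule."""
    return [e["EventId"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Plain findstr.exe with a .lnk path as the last token: matches.
    {"EventId": "e1", "Image": "C:\\Windows\\System32\\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr /i text C:\\Users\\user\\Downloads\\invoice.lnk"},
    # Renamed binary: Image no longer ends with findstr.exe, but the PE's
    # OriginalFileName still does, and the .LNK suffix matches case-insensitively.
    {"EventId": "e2", "Image": "C:\\Temp\\fs.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "fs.exe /i text C:\\Users\\user\\Desktop\\note.LNK"},
    # Ordinary findstr use on a text file: selection_cli fails.
    {"EventId": "e3", "Image": "C:\\Windows\\System32\\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr error C:\\logs\\app.txt"},
    # Other process touching a .lnk: selection_img fails.
    {"EventId": "e4", "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c C:\\Users\\user\\Desktop\\note.lnk"},
    # Quoted path: the command line ends with '"', not '.lnk', so endswith misses it.
    {"EventId": "e5", "Image": "C:\\Windows\\System32\\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'findstr /i text "C:\\Users\\user\\Desktop\\note.lnk"'},
]

if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # ['e1', 'e2']
```

Event e5 illustrates a limitation worth knowing when tuning: because `selection_cli` uses `endswith`, a quoted path or any trailing argument after the `.lnk` token is not matched, so a `contains` variant may be preferable at the cost of more false positives.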
