Findstr Launching .lnk File
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
Sigma rule (View on GitHub)
1title: Findstr Launching .lnk File
2id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
3status: test
4description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
5references:
6 - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
7author: Trent Liffick
8date: 2020/05/01
9modified: 2024/01/15
10tags:
11 - attack.defense_evasion
12 - attack.t1036
13 - attack.t1202
14 - attack.t1027.003
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith:
21 - '\find.exe'
22 - '\findstr.exe'
23 - OriginalFileName:
24 - 'FIND.EXE'
25 - 'FINDSTR.EXE'
26 selection_cli:
27 CommandLine|endswith:
28 - '.lnk'
29 - '.lnk"'
30 - ".lnk'"
31 condition: all of selection_*
32falsepositives:
33 - Unknown
34level: medium
References
-
An HHS.gov open redirect is currently being used by attackers to push malware payloads with the help of coronavirus-themed phishing emails onto unsuspecting victims' systems.
Read More
Related rules
- Renamed ZOHO Dctask64 Execution
- Renamed PingCastle Binary Execution
- System Control Panel Item Loaded From Uncommon Location
- Forfiles.EXE Child Process Masquerading
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE