Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "Everyone" or "BUILTIN" keywords. This is commonly seen in combination with "icacls" to look for misconfigured file or folder permissions (world- or Users-writable paths that can be abused for privilege escalation).
Sigma rule (View on GitHub)
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: experimental
description: Detects usage of findstr with the "Everyone" or "BUILTIN" keywords. This is commonly seen in combination with "icacls" to look for misconfigured file or folder permissions
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/12
modified: 2023/03/05
tags:
    - attack.credential_access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
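As an added example that is not part of the rule or of the Sigma project, the following Python re-implements the rule's three selections and its condition and runs them over constructed process_creation events. It makes two properties of the rule visible that the YAML alone does not: a pipeline typed interactively into cmd.exe starts one process per stage, so "icacls" never appears in the findstr.exe command line and the match comes from the quoted keyword alone, whereas selection_special only fires when the whole pipeline is handed to a single process (for instance via cmd /c "..."). An unquoted "findstr Everyone" run on its own therefore does not match, while a benign quoted search does. The helper names, the sample events and the use of plain case-insensitive substring matching (Sigma's default for contains/endswith) are assumptions made for this example; it is not pySigma.

```python
"""Re-implementation of the detection logic of Sigma rule
47e4bab7-c626-47dc-967b-255608c9a920, run over constructed events.
Not Sigma/pySigma code; written for illustration only."""

# Sigma string comparisons are case-insensitive unless a modifier says otherwise.
def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def selection_findstr_img(ev: dict) -> bool:
    # A list of maps under one selection is OR-ed: image path OR PE OriginalFileName.
    return (_endswith(ev.get("Image", ""), "\\findstr.exe")
            or ev.get("OriginalFileName", "").lower() == "findstr.exe")


def selection_findstr_cli(ev: dict) -> bool:
    # In a Sigma value '\\' denotes one literal backslash, so the last two
    # patterns are  "BUILTIN\  and  'BUILTIN\  (the quote is part of the match).
    needles = ['"Everyone"', "'Everyone'", '"BUILTIN\\', "'BUILTIN\\"]
    cl = ev.get("CommandLine", "")
    return any(_contains(cl, n) for n in needles)


def selection_special(ev: dict) -> bool:
    # contains|all: every term must occur in the same process command line.
    cl = ev.get("CommandLine", "")
    return all(_contains(cl, n) for n in ("icacls ", "findstr ", "Everyone"))


def rule_matches(ev: dict) -> bool:
    # condition: all of selection_findstr_* or selection_special
    return (selection_findstr_img(ev) and selection_findstr_cli(ev)) or selection_special(ev)


# Constructed process_creation events (not real telemetry). The first three are
# what an interactive  icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
# produces in cmd.exe: one process per pipeline stage, and the 2>nul redirection is
# consumed by the shell rather than passed to icacls.
EVENTS = {
    "pipeline_icacls": {
        "Image": r"C:\Windows\System32\icacls.exe",
        "CommandLine": r'icacls  "C:\Program Files\*"',
    },
    "pipeline_findstr_m": {
        "Image": r"C:\Windows\System32\findstr.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": 'findstr  "(M)"',
    },
    "pipeline_findstr_everyone": {
        "Image": r"C:\Windows\System32\findstr.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": 'findstr  "Everyone"',
    },
    # Whole pipeline passed to one cmd.exe process: selection_special fires here.
    "wrapped_in_cmd": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "icacls C:\Users\* | findstr Everyone"',
    },
    # Coverage gap: no quotes around the keyword and no icacls in this command line.
    "unquoted_findstr": {
        "Image": r"C:\Windows\System32\findstr.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": r"findstr Everyone acl.txt",
    },
    # Renamed copy of findstr.exe: caught through OriginalFileName and the BUILTIN\ pattern.
    "renamed_binary": {
        "Image": r"C:\Users\Public\fs.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": r'fs "BUILTIN\Users"',
    },
    # Benign text search that still alerts (hence falsepositives: Unknown, level: medium).
    "benign_grep": {
        "Image": r"C:\Windows\System32\findstr.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": r'findstr /i "everyone" C:\docs\meeting.txt',
    },
}


def evaluate(events: dict = EVENTS) -> dict:
    """Return {event_name: matched} for every constructed event."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else '  -  '}  {name}")
```

Running the block prints one line per event; only pipeline_findstr_everyone, wrapped_in_cmd, renamed_binary and benign_grep alert. If the unquoted case matters in your environment, the fix is a separate selection on unquoted keywords with a tighter parent-process or argument context, not a blanket "Everyone" contains, which would turn every text search for the word into an alert.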