Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions (for example, writable paths under Program Files that a low-privileged user could abuse for privilege escalation).
Sigma rule
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: experimental
description: |
    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
    This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/12
modified: 2023/11/11
tags:
    - attack.credential_access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
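To see how the three selections combine, the following added example (not part of the Sigma rule or the Sigma project's code) re-implements the rule's matching logic in plain Python and runs it over a handful of constructed process_creation events. The events, field values and the helper names (`rule_matches`, `evaluate`, `SAMPLE_EVENTS`) are assumptions for illustration; the match semantics follow the Sigma conventions used by the rule: `contains`/`endswith` are case-insensitive, a list of maps under a selection is OR'd, and the Sigma value `"BUILTIN\\"` stands for the literal characters `"BUILTIN\`. The sample set deliberately includes the cmd-handler case the rule's comment describes, the individual child processes of that pipeline, a PowerShell pipeline for `BUILTIN\Users` that `selection_special` does not cover, and a renamed findstr binary caught only through `OriginalFileName`.

```python
"""Evaluate the Findstr permission-reconnaissance Sigma rule against sample events.

Added example, not the rule's or Sigma's own code. Events below are constructed
for illustration; they are not real telemetry.
"""

# Substrings from the rule. Sigma 'contains' is case-insensitive, and the YAML
# value '"BUILTIN\\"' denotes one literal backslash, i.e. the characters  "BUILTIN\
FINDSTR_IMAGES = ("\\find.exe", "\\findstr.exe")
FINDSTR_ORIGINAL_NAMES = ("FIND.EXE", "FINDSTR.EXE")
CLI_KEYWORDS = ('"Everyone"', "'Everyone'", '"BUILTIN\\', "'BUILTIN\\")
SPECIAL_ALL = ("icacls ", "findstr ", "Everyone")


def _contains(haystack, needle):
    """Case-insensitive substring test, tolerant of a missing field."""
    return needle.lower() in (haystack or "").lower()


def selection_findstr_img(event):
    """Image ends with \\find.exe or \\findstr.exe, OR OriginalFileName is FIND.EXE/FINDSTR.EXE."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return any(image.endswith(s.lower()) for s in FINDSTR_IMAGES) or any(
        original == n.lower() for n in FINDSTR_ORIGINAL_NAMES
    )


def selection_findstr_cli(event):
    """CommandLine contains any of the quoted Everyone / BUILTIN\\ keywords."""
    return any(_contains(event.get("CommandLine"), k) for k in CLI_KEYWORDS)


def selection_special(event):
    """CommandLine contains 'icacls ', 'findstr ' and 'Everyone' all at once (parent handler case)."""
    return all(_contains(event.get("CommandLine"), k) for k in SPECIAL_ALL)


def rule_matches(event):
    """condition: all of selection_findstr_* or selection_special"""
    return (selection_findstr_img(event) and selection_findstr_cli(event)) or selection_special(event)


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    # 1. cmd /c handler: the whole pipeline is visible in the parent's command line.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd /c icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"'},
    # 2. Child findstr of that pipeline: only its own arguments are logged.
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'findstr "Everyone"'},
    # 3. Child icacls of that pipeline: no keyword, no match on its own.
    {"Image": r"C:\Windows\System32\icacls.exe", "OriginalFileName": "iCACLS.exe",
     "CommandLine": r'icacls "C:\Program Files\*"'},
    # 4. Benign findstr usage: right image, no keyword.
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr /i error app.log"},
    # 5. Child findstr looking for BUILTIN\Users: caught by the '"BUILTIN\' keyword.
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": r'findstr "BUILTIN\Users"'},
    # 6. PowerShell handler for the BUILTIN\Users variant: selection_special needs
    #    'Everyone', so this parent-level event is NOT matched (the child, event 5, is).
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell -c icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"'},
    # 7. findstr.exe copied under another name: Image check fails, OriginalFileName still hits.
    {"Image": r"C:\Users\Public\fs.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'fs.exe "Everyone"'},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the rule verdict for each event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for i, (event, hit) in enumerate(zip(SAMPLE_EVENTS, evaluate()), start=1):
        print(f"{i}: {'MATCH ' if hit else 'no match'}  {event['CommandLine']}")
```

Events 1, 2, 5 and 7 match; 3, 4 and 6 do not. The contrast between events 1 and 6 is the practical caveat: `selection_special` only catches the parent handler when the pipeline greps for `Everyone`, so if you extend the hunt to other principals (as the rule's comment suggests) you either add them to `selection_special` or rely on the child `findstr.exe` event, which carries only its own arguments.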
References
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Related rules
- LSASS Process Reconnaissance Via Findstr.EXE
- Findstr GPP Passwords
- Suspicious SYSVOL Domain Group Policy Access
- HackTool - CrackMapExec File Indicators
- HackTool - Mimikatz Kirbi File Creation