Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured file or folder permissions.
Sigma rule (View on GitHub)
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: experimental
description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/12
modified: 2023/11/11
tags:
    - attack.credential_access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
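To see what the three selections and the condition actually cover, here is the rule's logic written out as plain Python and run over constructed process_creation events (an added illustration, not the rule's own tooling; pySigma is the real engine). The field names follow the rule; note that after Sigma's backslash unescaping the value '"BUILTIN\\"' is the literal text "BUILTIN\" with a quote directly after the backslash, so a command line quoting "BUILTIN\Users" does not hit selection_findstr_cli.

```python
# Field names (Image, OriginalFileName, CommandLine) are those of the rule.
# Sigma string matching is case-insensitive, so everything is lower-cased.
FINDSTR_IMG = ("\\find.exe", "\\findstr.exe")        # Image|endswith
FINDSTR_ORIG = ("find.exe", "findstr.exe")           # OriginalFileName
# Sigma decodes '\\' to one literal backslash: '"BUILTIN\\"' -> '"BUILTIN\"'
CLI_ANY = ('"everyone"', "'everyone'", '"builtin\\"', "'builtin\\'")
SPECIAL_ALL = ("icacls ", "findstr ", "everyone")    # CommandLine|contains|all


def selection_findstr_img(ev):
    """Image ends with find/findstr or OriginalFileName matches."""
    return (ev.get("Image", "").lower().endswith(FINDSTR_IMG)
            or ev.get("OriginalFileName", "").lower() in FINDSTR_ORIG)


def selection_findstr_cli(ev):
    """CommandLine|contains: any one keyword is enough."""
    cli = ev.get("CommandLine", "").lower()
    return any(k in cli for k in CLI_ANY)


def selection_special(ev):
    """contains|all: catches the whole pipeline when only cmd /c or
    powershell -c is the logged process (findstr itself is not the Image)."""
    cli = ev.get("CommandLine", "").lower()
    return all(k in cli for k in SPECIAL_ALL)


def rule_matches(ev):
    # condition: all of selection_findstr_* or selection_special
    return (selection_findstr_img(ev) and selection_findstr_cli(ev)) or selection_special(ev)


# Constructed sample events, not real telemetry.
SAMPLES = {
    "findstr_everyone": {"Image": r"C:\Windows\System32\findstr.exe",
                         "CommandLine": 'findstr "Everyone"'},
    "cmd_icacls_pipe": {"Image": r"C:\Windows\System32\cmd.exe",
                        "CommandLine": r'cmd /c icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"'},
    # Not matched: '"builtin\"' needs a quote right after the backslash.
    "findstr_builtin": {"Image": r"C:\Windows\System32\findstr.exe",
                        "CommandLine": r'findstr "BUILTIN\Users"'},
    "benign_log_grep": {"Image": r"C:\Windows\System32\findstr.exe",
                        "CommandLine": r'findstr /i "error" C:\logs\app.log'},
}


def evaluate_all():
    return {name: rule_matches(ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:18} -> {'ALERT' if hit else 'no match'}")
```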
Related rules
- Findstr GPP Passwords
- LSASS Process Reconnaissance Via Findstr.EXE
- Suspicious SYSVOL Domain Group Policy Access
- NotPetya Ransomware Activity
- AADInternals PowerShell Cmdlets Execution - ProccessCreation