Permission Misconfiguration Reconnaissance Via Findstr.EXE

Detects use of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen in combination with "icacls" to look for misconfigured file or folder permissions.

Sigma rule

```yaml
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: experimental
description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/12
modified: 2023/11/11
tags:
    - attack.credential_access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            #   Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
```
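As an added illustration (not part of the SigmaHQ rule or its tooling), the following Python reproduces the rule's three selections and its `condition` and runs them over constructed `process_creation` events. It applies Sigma's default case-insensitive string matching and Sigma's `\\` escape, which denotes a single literal backslash, so the four `CommandLine|contains` values reduce to the literals `"Everyone"`, `'Everyone'`, `"BUILTIN\"` and `'BUILTIN\'`. The events show the two ways the rule fires (the renamed-binary case is caught through `OriginalFileName`) and one coverage gap a defender should know about: the `BUILTIN\Users` variant from the rule's own comment is not matched by `selection_findstr_cli` as written, because that pattern requires a closing quote directly after the backslash, and `selection_special` requires `Everyone`. All events and paths are constructed for this example.

```python
"""Evaluate the findstr/icacls Sigma rule above against sample process events.

Added example: a hand-written evaluator of this one rule, not a Sigma backend.
Sigma 'contains'/'endswith' are case-insensitive, and a Sigma '\\\\' escape is
one literal backslash; the constants below are the rule's values after that
processing.
"""

# selection_findstr_img: Image|endswith OR OriginalFileName (list of maps = OR)
IMAGE_SUFFIXES = ["\\find.exe", "\\findstr.exe"]
ORIGINAL_NAMES = ["find.exe", "findstr.exe"]

# selection_findstr_cli: CommandLine|contains any of these literals
CLI_ANY = ['"everyone"', "'everyone'", '"builtin\\"', "'builtin\\'"]

# selection_special: CommandLine|contains|all of these literals
SPECIAL_ALL = ["icacls ", "findstr ", "everyone"]


def selection_findstr_img(event):
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return any(image.endswith(s) for s in IMAGE_SUFFIXES) or original in ORIGINAL_NAMES


def selection_findstr_cli(event):
    cmdline = event.get("CommandLine", "").lower()
    return any(p in cmdline for p in CLI_ANY)


def selection_special(event):
    cmdline = event.get("CommandLine", "").lower()
    return all(p in cmdline for p in SPECIAL_ALL)


def matches(event):
    # condition: all of selection_findstr_* or selection_special
    return (selection_findstr_img(event) and selection_findstr_cli(event)) or selection_special(event)


# Constructed process_creation events (not real telemetry).
EVENTS = [
    # 1. icacls piped into findstr via cmd /c: caught by selection_special
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"'},
    # 2. findstr itself, as logged when the pipeline spawns it: img + cli
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'findstr "Everyone"'},
    # 3. ordinary findstr use on a log file: no match
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": r'findstr /i "error" C:\logs\app.log'},
    # 4. the keyword in another process's arguments: no match (wrong image, no icacls)
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": 'notepad.exe "Everyone.txt"'},
    # 5. the BUILTIN\Users variant from the rule's comment: NOT matched as written
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": r'findstr "BUILTIN\Users"'},
    # 6. findstr copied under another name: still caught through OriginalFileName
    {"Image": r"C:\Temp\fs.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "fs.exe 'Everyone'"},
]


def evaluate(events):
    """Return the rule's verdict for each event, in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate(EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Event 5 is worth a second look when tuning: adding `'BUILTIN\Users'` style values to `selection_findstr_cli`, or extra group names to `selection_special`, is the extension the rule's comment invites.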
