Permission Misconfiguration Reconnaissance Via Findstr.EXE

 1title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
 2id: 47e4bab7-c626-47dc-967b-255608c9a920
 3status: experimental
 4description: |
 5    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
 6    This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.    
 7references:
 8    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/08/12
11modified: 2023/11/11
12tags:
13    - attack.credential_access
14    - attack.t1552.006
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_findstr_img:
20        - Image|endswith:
21              - '\find.exe'
22              - '\findstr.exe'
23        - OriginalFileName:
24              - 'FIND.EXE'
25              - 'FINDSTR.EXE'
26    selection_findstr_cli:
27        CommandLine|contains:
28            - '"Everyone"'
29            - "'Everyone'"
30            - '"BUILTIN\\"'
31            - "'BUILTIN\\'"
32    selection_special:
33        CommandLine|contains|all:
34            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
35            # You could extend it for other groups and users
36            #   Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
37            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
38            - 'icacls '
39            - 'findstr '
40            - 'Everyone'
41    condition: all of selection_findstr_* or selection_special
42falsepositives:
43    - Unknown
44level: medium