Recon Command Output Piped To Findstr.EXE
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
Sigma rule (View on GitHub)
1title: Recon Command Output Piped To Findstr.EXE
2id: ccb5742c-c248-4982-8c5c-5571b9275ad3
3related:
4 - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
5 type: derived
6status: experimental
7description: |
8 Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
9 Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
10references:
11 - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
12 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
13 - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
14author: Nasreddine Bencherchali (Nextron Systems), frack113
15date: 2023-07-06
16modified: 2024-06-27
17tags:
18 - attack.discovery
19 - attack.t1057
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 CommandLine|contains:
26 # Note: Add additional CLI to increase and enhance coverage
27 # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
28 - 'ipconfig*|*find'
29 - 'net*|*find'
30 - 'netstat*|*find'
31 - 'ping*|*find'
32 - 'systeminfo*|*find'
33 - 'tasklist*|*find'
34 - 'whoami*|*find'
35 condition: selection
36falsepositives:
37 - Unknown
38level: medium
References
Related rules
- Cisco Discovery
- Suspicious Process Discovery With Get-Process
- List remote processes using tasklist
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript