Recon Command Output Piped To Findstr.EXE

Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flags, for example. Attackers often use this technique to extract the specific information they require during their reconnaissance phase.

Sigma rule (View on GitHub)

title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: experimental
description: |
    Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flags, for example.
    Attackers often use this technique to extract the specific information they require during their reconnaissance phase.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-07-06
modified: 2024-06-27
tags:
    - attack.discovery
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if it's supported by your backend.
            - 'ipconfig*|*find'
            - 'net*|*find'
            - 'netstat*|*find'
            - 'ping*|*find'
            - 'systeminfo*|*find'
            - 'tasklist*|*find'
            - 'whoami*|*find'
    condition: selection
falsepositives:
    - Unknown
level: medium
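To see what the selection above actually matches, here is an added Python example (not part of the rule or of the Sigma project) that translates each `CommandLine|contains` value into a regular expression the way Sigma semantics define it (`*` matches any run of characters, `?` any single character, matching is case-insensitive, and `contains` matches anywhere in the field) and evaluates it against a handful of constructed process_creation events. The events, the `matches_rule` helper and the field names are assumptions for illustration; the pattern list is copied from the rule. The last sample event shows why the rule carries `level: medium` and `falsepositives: Unknown`: the value `net*|*find` also fires on a harmless command line whose path happens to contain the substring "net" before the pipe.

```python
import re

# The CommandLine|contains values, copied verbatim from the Sigma rule above.
RULE_PATTERNS = [
    "ipconfig*|*find",
    "net*|*find",
    "netstat*|*find",
    "ping*|*find",
    "systeminfo*|*find",
    "tasklist*|*find",
    "whoami*|*find",
]


def sigma_contains_to_regex(value: str) -> re.Pattern:
    """Translate one Sigma string value under the |contains modifier into a regex.

    Sigma treats '*' as any run of characters and '?' as any single character;
    every other character is literal (so the '|' in the rule is an escaped pipe,
    not regex alternation). Sigma string matching is case-insensitive and
    |contains matches the value anywhere in the field, hence re.search below.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED = [(value, sigma_contains_to_regex(value)) for value in RULE_PATTERNS]


def matches_rule(event: dict):
    """Return the first rule value that matches the event's CommandLine, or None.

    Mirrors 'condition: selection': any one value in the list is enough.
    An event without a CommandLine field never matches. (Helper name and the
    dict-shaped event are assumptions of this example.)
    """
    cmdline = event.get("CommandLine")
    if not cmdline:
        return None
    for value, rx in COMPILED:
        if rx.search(cmdline):
            return value
    return None


# Constructed sample process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    # True positive: the tasklist-to-findstr pattern the rule's first reference describes.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c tasklist | findstr explorer"},
    # True positive via the /k switch; 'find' also covers find.exe, not just findstr.exe.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /k systeminfo | find "OS Name"'},
    # No pipe to find/findstr: the recon command alone does not match.
    {"Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
    # findstr on its own, without a recon command in front of the pipe: no match.
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": "findstr /i error C:\\logs\\app.log"},
    # False positive: "net" inside "network" satisfies 'net*|*find'.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\network\errors.log | findstr ERROR"},
]


def evaluate(events):
    """Return [(CommandLine, matched value or None), ...] for a batch of events."""
    return [(e.get("CommandLine"), matches_rule(e)) for e in events]


if __name__ == "__main__":
    for cmdline, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if hit else 'ok    '} {hit or '-':20} {cmdline}")
```

Running the block prints one line per sample event; the three alerts are the two tasklist/systeminfo cases and the `type ... | findstr` false positive. When tuning the rule for a specific environment, the `net*|*find` value is the one most worth tightening (for example by requiring a space after `net`, if the backend supports it), and a backend that supports regex can express the same intent without the double-wildcard trick the rule's comment mentions.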
