Recon Command Output Piped To Findstr.EXE

Detects the execution of a potential recon command whose results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" switches, for example. Attackers often use this to extract the specific information they require in their chain.

Sigma rule

title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: experimental
description: |
        Detects the execution of a potential recon command whose results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" switches, for example. Attackers often use this to extract the specific information they require in their chain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023/07/06
modified: 2023/11/11
tags:
    - attack.discovery
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
            - 'ipconfig /all | find '
            - 'ipconfig /all | findstr '
            - 'ipconfig | find '
            - 'ipconfig | findstr '
            - 'ipconfig.exe /all | find '
            - 'ipconfig.exe /all | findstr '
            - 'ipconfig.exe | find '
            - 'ipconfig.exe | findstr '
            - 'net start | find'
            - 'net start | findstr'
            - 'net.exe start | find'
            - 'net.exe start | findstr'
            - 'net1 start | find'
            - 'net1 start | findstr'
            - 'net1.exe start | find'
            - 'net1.exe start | findstr'
            - 'netstat -ano | find'
            - 'netstat -ano | findstr'
            - 'netstat | find'
            - 'netstat | findstr'
            - 'netstat.exe -ano | find'
            - 'netstat.exe -ano | findstr'
            - 'netstat.exe | find'
            - 'netstat.exe | findstr'
            - 'ping | find'
            - 'ping | findstr'
            - 'ping.exe | find'
            - 'ping.exe | findstr'
            - 'systeminfo | find '
            - 'systeminfo | findstr '
            - 'systeminfo.exe | find '
            - 'systeminfo.exe | findstr '
            - 'tasklist | find '
            - 'tasklist | findstr '
            - 'tasklist.exe | find '
            - 'tasklist.exe | findstr '
            - 'whoami /all | find '
            - 'whoami /all | findstr '
            - 'whoami.exe /all | find '
            - 'whoami.exe /all | findstr '
    condition: selection
falsepositives:
    - Unknown
level: medium
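The selection above is a single CommandLine|contains list, so the whole rule reduces to a case-insensitive substring test over process-creation events. The Python below is an added example (not part of this rule or of the Sigma project) that reproduces that logic and runs it over a handful of constructed process-creation events, so you can check what the rule does and does not fire on before deploying it. It assumes events arrive as dictionaries with category, product and CommandLine keys, and applies Sigma's default semantics: |contains is a plain substring match and string comparison is case-insensitive. Note that whitespace in the patterns is matched literally, so the entries that end in a space (tasklist, systeminfo, whoami, ipconfig) require a space right after find/findstr, while the net, netstat and ping entries do not.

```python
"""Re-implementation of the rule's CommandLine|contains selection (added example)."""
from typing import Dict, List, Optional

# Substrings copied verbatim, in order, from the rule's CommandLine|contains list.
RECON_PIPE_PATTERNS: List[str] = [
    'ipconfig /all | find ', 'ipconfig /all | findstr ',
    'ipconfig | find ', 'ipconfig | findstr ',
    'ipconfig.exe /all | find ', 'ipconfig.exe /all | findstr ',
    'ipconfig.exe | find ', 'ipconfig.exe | findstr ',
    'net start | find', 'net start | findstr',
    'net.exe start | find', 'net.exe start | findstr',
    'net1 start | find', 'net1 start | findstr',
    'net1.exe start | find', 'net1.exe start | findstr',
    'netstat -ano | find', 'netstat -ano | findstr',
    'netstat | find', 'netstat | findstr',
    'netstat.exe -ano | find', 'netstat.exe -ano | findstr',
    'netstat.exe | find', 'netstat.exe | findstr',
    'ping | find', 'ping | findstr',
    'ping.exe | find', 'ping.exe | findstr',
    'systeminfo | find ', 'systeminfo | findstr ',
    'systeminfo.exe | find ', 'systeminfo.exe | findstr ',
    'tasklist | find ', 'tasklist | findstr ',
    'tasklist.exe | find ', 'tasklist.exe | findstr ',
    'whoami /all | find ', 'whoami /all | findstr ',
    'whoami.exe /all | find ', 'whoami.exe /all | findstr ',
]

RULE_TITLE = "Recon Command Output Piped To Findstr.EXE"
RULE_LEVEL = "medium"


def sigma_contains(value: str, patterns: List[str]) -> Optional[str]:
    """Sigma's |contains modifier: substring test, case-insensitive by default.
    Returns the first pattern (in rule order) found in value, or None."""
    haystack = value.lower()
    for pattern in patterns:
        if pattern.lower() in haystack:
            return pattern
    return None


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply the logsource filter and the selection to one event.
    Event layout (an assumption of this example): category, product, CommandLine."""
    if event.get("category") != "process_creation" or event.get("product") != "windows":
        return None  # rule only applies to Windows process_creation telemetry
    command_line = event.get("CommandLine", "")
    hit = sigma_contains(command_line, RECON_PIPE_PATTERNS)
    if hit is None:
        return None
    return {"rule": RULE_TITLE, "level": RULE_LEVEL,
            "matched": hit, "CommandLine": command_line}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert dict per matching event, preserving input order."""
    return [alert for alert in map(evaluate, events) if alert is not None]


def _event(command_line: str, product: str = "windows") -> Dict[str, str]:
    return {"category": "process_creation", "product": product, "CommandLine": command_line}


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = [
    _event('cmd.exe /c tasklist | findstr "lsass"'),                          # fires
    _event('C:\\Windows\\System32\\cmd.exe /k netstat -ano | findstr LISTENING'),  # fires
    _event('cmd.exe /c WHOAMI /ALL | FINDSTR /i Admin'),                      # fires (case-insensitive)
    _event('cmd.exe /c systeminfo'),                                          # recon, but not piped
    _event('powershell.exe -NoProfile -c Get-Process'),                       # no pattern
    _event('sh -c "ifconfig | grep inet"', product="linux"),                  # wrong logsource
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: matched {alert['matched']!r} "
              f"in {alert['CommandLine']}")
```

Running the block prints three alerts for the six constructed events. Because the function returns the first pattern in rule order, a netstat pipe reports 'netstat -ano | find' rather than the longer findstr variant; that is harmless for alerting but worth knowing if you key tuning or statistics on the matched substring.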
