Security Tools Keyword Lookup Via Findstr.EXE

calendar Nov 15, 2023 · attack.discovery attack.t1518.001  ·
Share on: linkedin copy

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Sigma rule (View on GitHub)

 1title: Security Tools Keyword Lookup Via Findstr.EXE
 2id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
 3related:
 4    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
 5      type: derived
 6status: experimental
 7description: |
 8    Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
 9    This detection focuses on the keywords that the attacker might use as a filter.    
10references:
11    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
12    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
13    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
14author: Nasreddine Bencherchali (Nextron Systems), frack113
15date: 2023/10/20
16modified: 2023/11/14
17tags:
18    - attack.discovery
19    - attack.t1518.001
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith:
26              - '\find.exe'
27              - '\findstr.exe'
28        - OriginalFileName:
29              - 'FIND.EXE'
30              - 'FINDSTR.EXE'
31    selection_cli:
32        CommandLine|endswith:
33            # Note: Add additional keywords to increase and enhance coverage
34            # Note:
35            #   We use the double quote variation because in cases of where the command is executed through cmd for example:
36            #       cmd /c "tasklist | findstr virus"
37            #   Logging utilties such as Sysmon would capture the end quote as part of findstr execution
38            - ' avira'
39            - ' avira"'
40            - ' cb'
41            - ' cb"'
42            - ' cylance'
43            - ' cylance"'
44            - ' defender'
45            - ' defender"'
46            - ' kaspersky'
47            - ' kaspersky"'
48            - ' kes'
49            - ' kes"'
50            - ' mc'
51            - ' mc"'
52            - ' sec'
53            - ' sec"'
54            - ' sentinel'
55            - ' sentinel"'
56            - ' symantec'
57            - ' symantec"'
58            - ' virus'
59            - ' virus"'
60    condition: all of selection_*
61falsepositives:
62    - Unknown
63level: medium

References

Related rules

to-top