Insensitive Subfolder Search Via Findstr.EXE

 1title: Insensitive Subfolder Search Via Findstr.EXE
 2id: 04936b66-3915-43ad-a8e5-809eadfd1141
 3related:
 4    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
 5      type: obsolete
 6status: experimental
 7description: |
 8        Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
 9references:
10    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
11    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
12    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
13author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
14date: 2020-10-05
15modified: 2024-03-05
16tags:
17    - attack.defense-evasion
18    - attack.t1218
19    - attack.t1564.004
20    - attack.t1552.001
21    - attack.t1105
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_findstr:
27        - CommandLine|contains: findstr
28        - Image|endswith: 'findstr.exe'
29        - OriginalFileName: 'FINDSTR.EXE'
30    selection_cli_search_subfolder:
31        CommandLine|contains|windash: ' -s '
32    selection_cli_search_insensitive:
33        CommandLine|contains|windash: ' -i '
34    condition: selection_findstr and all of selection_cli_search_*
35falsepositives:
36    - Administrative or software activity
37level: low

References

• Findstr on LOLBAS

  

  Findstr.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Putting data in Alternate data streams and how to execute it – part 2

  

  I wrote a blogpost a while back about Alternate data streams that you can find here:  After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. …

  
  Read More

• Execute from Alternate Streams

  

  Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• Remote File Download Via Findstr.EXE
• Curl Download And Execute Combination
• File Download Via Windows Defender MpCmpRun.EXE
• Import LDAP Data Interchange Format File Via Ldifde.EXE
• PrintBrm ZIP Creation of Extraction