Insensitive Subfolder Search Via Findstr.EXE

 1title: Insensitive Subfolder Search Via Findstr.EXE
 2id: 04936b66-3915-43ad-a8e5-809eadfd1141
 3related:
 4    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
 5      type: obsoletes
 6status: experimental
 7description: |
 8        Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
 9references:
10    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
11    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
12    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
13author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
14date: 2020/10/05
15modified: 2023/11/12
16tags:
17    - attack.defense_evasion
18    - attack.t1218
19    - attack.t1564.004
20    - attack.t1552.001
21    - attack.t1105
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_findstr:
27        - CommandLine|contains: findstr
28        - Image|endswith: 'findstr.exe'
29        - OriginalFileName: 'FINDSTR.EXE'
30    selection_cli_search_subfolder:
31        CommandLine|contains:
32            - ' /s '
33            - ' -s '
34    selection_cli_search_insensitive:
35        CommandLine|contains:
36            - ' /i '
37            - ' -i '
38    condition: selection_findstr and all of selection_cli_search_*
39falsepositives:
40    - Administrative or software activity
41level: low

References

• Findstr | LOLBAS

  .. /Findstr.exe Write to ADS, discover, or download files with Findstr.exe Paths: C:\Windows\System32\findstr.exe C:\Windows\SysWOW64\findstr.exe Resources: Alternate data streams Searches for the ...

  
  Read More

• Putting data in Alternate data streams and how to execute it – part 2

  

  I wrote a blogpost a while back about Alternate data streams that you can find here:  After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. …

  
  Read More

• Execute from Alternate Streams

  

  Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• Remote File Download Via Findstr.EXE
• File Download Via Windows Defender MpCmpRun.EXE
• PrintBrm ZIP Creation of Extraction
• Import LDAP Data Interchange Format File Via Ldifde.EXE
• Proxy Execution Via Wuauclt.EXE