Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Sigma rule
title: Insensitive Subfolder Search Via Findstr.EXE
id: 04936b66-3915-43ad-a8e5-809eadfd1141
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.command-and-control
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_search_subfolder:
        CommandLine|contains|windash: ' -s '
    selection_cli_search_insensitive:
        CommandLine|contains|windash: ' -i '
    condition: selection_findstr and all of selection_cli_search_*
falsepositives:
    - Administrative or software activity
level: low
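As an added illustration (not part of the rule or the SigmaHQ project), the Python below emulates how this rule is evaluated against process-creation events, including the OR semantics of the findstr selection list and the |windash dash expansion, over a few constructed events. It assumes Sigma's default case-insensitive matching and that windash expands "-" to "/" plus the Unicode dash variants accepted by Windows command parsers.

```python
# Added example: a minimal evaluator for the rule above over constructed events.
# Assumption: Sigma string matches are case-insensitive, lists under a selection
# are OR-ed, and |windash expands "-" to "/" and (in current Sigma versions)
# to the en dash, em dash and horizontal bar that Windows command parsers accept.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_contains(command_line: str, pattern: str) -> bool:
    """Emulate CommandLine|contains|windash for one pattern."""
    cl = command_line.lower()
    return any(pattern.replace("-", dash).lower() in cl for dash in WINDASH_VARIANTS)


def is_findstr(event: dict) -> bool:
    """selection_findstr: any one of the three field checks is enough."""
    return (
        "findstr" in event.get("CommandLine", "").lower()
        or event.get("Image", "").lower().endswith("findstr.exe")
        or event.get("OriginalFileName", "").lower() == "findstr.exe"
    )


def matches_rule(event: dict) -> bool:
    """condition: selection_findstr and all of selection_cli_search_*"""
    cl = event.get("CommandLine", "")
    # Each switch must stand alone with spaces around it (' -s ', ' -i '),
    # so a combined form such as '-si' is NOT matched by this rule.
    return is_findstr(event) and windash_contains(cl, " -s ") and windash_contains(cl, " -i ")


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\findstr.exe",
     "CommandLine": "findstr /s /i password C:\\Users\\*.txt"},   # slash form
    {"Image": "C:\\Windows\\System32\\findstr.exe",
     "CommandLine": "findstr -S -I secret *.cfg"},                 # upper-case flags
    {"Image": "C:\\Windows\\System32\\findstr.exe",
     "CommandLine": "findstr /i error log.txt"},                   # only /i
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c dir /s /b"},                           # not findstr
    {"Image": "C:\\Temp\\fs.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "fs.exe -s -i key C:\\"},                      # renamed binary
]


def evaluate(events: list) -> list:
    """Return one True/False per event: [True, True, False, False, True] for SAMPLE_EVENTS."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", e["CommandLine"])
```

The renamed-binary event shows why the rule keys on OriginalFileName as well as Image, while the combined-switch caveat in the comment is the gap a tuner would weigh against the rule's low level.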
Related rules
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Remote File Download Via Findstr.EXE
- Curl Download And Execute Combination
- File Download Via Windows Defender MpCmpRun.EXE
- Import LDAP Data Interchange Format File Via Ldifde.EXE