Insensitive Subfolder Search Via Findstr.EXE

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Sigma rule (View on GitHub)

 1title: Insensitive Subfolder Search Via Findstr.EXE
 2id: 04936b66-3915-43ad-a8e5-809eadfd1141
 3related:
 4    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
 5      type: obsolete
 6status: test
 7description: |
 8        Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
 9references:
10    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
11    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
12    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
13author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
14date: 2020-10-05
15modified: 2024-03-05
16tags:
17    - attack.defense-evasion
18    - attack.credential-access
19    - attack.command-and-control
20    - attack.t1218
21    - attack.t1564.004
22    - attack.t1552.001
23    - attack.t1105
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection_findstr:
29        - CommandLine|contains: findstr
30        - Image|endswith: 'findstr.exe'
31        - OriginalFileName: 'FINDSTR.EXE'
32    selection_cli_search_subfolder:
33        CommandLine|contains|windash: ' -s '
34    selection_cli_search_insensitive:
35        CommandLine|contains|windash: ' -i '
36    condition: selection_findstr and all of selection_cli_search_*
37falsepositives:
38    - Administrative or software activity
39level: low

References

Related rules

to-top