Insensitive Subfolder Search Via Findstr.EXE

May 20, 2025 · attack.defense-evasion attack.credential-access attack.command-and-control attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105 ·

Share on:

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Sigma rule (View on GitHub)

 1title: Insensitive Subfolder Search Via Findstr.EXE
 2id: 04936b66-3915-43ad-a8e5-809eadfd1141
 3related:
 4    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
 5      type: obsolete
 6status: test
 7description: |
 8        Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
 9references:
10    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
11    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
12    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
13author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
14date: 2020-10-05
15modified: 2024-03-05
16tags:
17    - attack.defense-evasion
18    - attack.credential-access
19    - attack.command-and-control
20    - attack.t1218
21    - attack.t1564.004
22    - attack.t1552.001
23    - attack.t1105
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection_findstr:
29        - CommandLine|contains: findstr
30        - Image|endswith: 'findstr.exe'
31        - OriginalFileName: 'FINDSTR.EXE'
32    selection_cli_search_subfolder:
33        CommandLine|contains|windash: ' -s '
34    selection_cli_search_insensitive:
35        CommandLine|contains|windash: ' -i '
36    condition: selection_findstr and all of selection_cli_search_*
37falsepositives:
38    - Administrative or software activity
39level: low

References

Findstr on LOLBAS

Findstr.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

Read More
Putting data in Alternate data streams and how to execute it – part 2

I wrote a blogpost a while back about Alternate data streams that you can find here: After I wrote that post I have made some new discoveries that I wanted to share around Alternate data streams. …

Read More
Execute from Alternate Streams

Execute from Alternate Streams. GitHub Gist: instantly share code, notes, and snippets.

Read More

Insensitive Subfolder Search Via Findstr.EXE

Sigma rule (View on GitHub)

References

Findstr on LOLBAS

Putting data in Alternate data streams and how to execute it &#8211; part&nbsp;2

Execute from Alternate Streams

Related rules

Putting data in Alternate data streams and how to execute it – part 2