Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the service name is changed).
Sigma rule (View on GitHub)
title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
id: 37db85d1-b089-490a-a59a-c7b6f984f480
status: test
description: Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the service name is changed).
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
author: frack113
date: 2021-12-16
modified: 2023-11-14
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains: ' 385201' # Sysmon driver default altitude
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
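As an added example (not part of the rule above or of the Sigma project), the following Python evaluates this rule's detection logic over a few constructed process-creation events, including a renamed findstr binary that is still caught through OriginalFileName. The event dictionary keys and helper names are assumptions.

```python
# Added example: a minimal evaluator for the Sigma rule above.
# Event field names (Image, OriginalFileName, CommandLine) are assumed to
# mirror the Sysmon/Windows process_creation fields the rule references.

IMAGE_SUFFIXES = ("\\find.exe", "\\findstr.exe")
ORIGINAL_FILE_NAMES = ("FIND.EXE", "FINDSTR.EXE")
ALTITUDE_NEEDLE = " 385201"  # Sysmon driver default altitude, leading space as in the rule

def selection_img(event):
    """Either Image ends with find.exe/findstr.exe or OriginalFileName names them.
    Sigma string matching is case-insensitive, so normalise before comparing."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").upper()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES

def selection_cli(event):
    """CommandLine must contain ' 385201' (the value as a separate argument)."""
    return ALTITUDE_NEEDLE in event.get("CommandLine", "")

def matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "1", "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr 385201"},            # classic altitude lookup
    {"id": "2", "Image": r"C:\Users\Public\fs.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "fs.exe 385201"},             # renamed binary, same PE name
    {"id": "3", "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'findstr "error" app.log'},   # benign use of findstr
    {"id": "4", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo 385201"},    # right string, wrong image
]

def run(events):
    """Return the ids of events that trigger the rule."""
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    print("alerting events:", run(SAMPLE_EVENTS))  # expected: ['1', '2']
```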
Related rules
- Security Software Discovery - Linux
- Security Software Discovery - MacOs
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule