Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-viru

Detects usage of system utilities (only grep and egrep for now) to discover security software discovery

Detects usage of system utilities (only grep for now) to discover security software discovery