Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process