Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Security Tools Keyword Lookup Via Findstr.EXE

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), François HubautCreated Fri Oct 20Updated Tue Nov 144fe074b4-b833-4081-8f24-7dcfeca72b42windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            # Note: Add additional keywords to increase and enhance coverage
            # Note:
            #   We use the double quote variation because in cases of where the command is executed through cmd for example:
            #       cmd /c "tasklist | findstr virus"
            #   Logging utilties such as Sysmon would capture the end quote as part of findstr execution
            - ' avira'
            - ' avira"'
            - ' cb'
            - ' cb"'
            - ' cylance'
            - ' cylance"'
            - ' defender'
            - ' defender"'
            - ' kaspersky'
            - ' kaspersky"'
            - ' kes'
            - ' kes"'
            - ' mc'
            - ' mc"'
            - ' sec'
            - ' sec"'
            - ' sentinel'
            - ' sentinel"'
            - ' symantec'
            - ' symantec"'
            - ' virus'
            - ' virus"'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
microsoft.com
3
Resolving title…
hhs.gov
Testing & Validation

Simulations

atomic-red-teamT1518.001
View on ART

Security Software Discovery

GUID: f92a380f-ced9-491f-b338-95a991418ce2

Regression Tests

by SigmaHQ Team
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

LSASS Process Reconnaissance Via Findstr.EXE

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
4fe074b4-b833-4081-8f24-7dcfeca72b42
Status
test
Level
medium
Type
Detection
Created
Fri Oct 20
Modified
Tue Nov 14
Author
Nasreddine Bencherchali (Nextron Systems), François Hubaut
Path
rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
Raw Tags
attack.discoveryattack.t1518.001
View on GitHub