Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Recon Command Output Piped To Findstr.EXE

Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), François HubautCreated Thu Jul 06Updated Wed Oct 08ccb5742c-c248-4982-8c5c-5571b9275ad3windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
            - 'ipconfig*|*find'
            - 'net*|*find'
            - 'netstat*|*find'
            - 'ping*|*find'
            - 'systeminfo*|*find'
            - 'tasklist*|*find'
            - 'whoami*|*find'
    filter_optional_xampp:
        CommandLine|contains|all:
            - 'cmd.exe /c TASKLIST /V |'
            - 'FIND /I'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
hhs.gov
3
Resolving title…
trendmicro.com
Testing & Validation

Regression Tests

by SigmaHQ Team
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

LSASS Process Reconnaissance Via Findstr.EXE

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
ccb5742c-c248-4982-8c5c-5571b9275ad3
Status
test
Level
medium
Type
Detection
Created
Thu Jul 06
Modified
Wed Oct 08
Author
Nasreddine Bencherchali (Nextron Systems), François Hubaut
Path
rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
Raw Tags
attack.discoveryattack.t1057
View on GitHub