LoFP / administrative or software activity

Techniques

Sample rules

Insensitive Subfolder Search Via Findstr.EXE

Description

Detects execution of findstr with the “s” and “i” flags, for a “subfolder” (recursive) and “insensitive” (case-insensitive) search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or to filter the output of other commands.

Detection logic

selection_findstr:
- CommandLine|contains: findstr
- Image|endswith: findstr.exe
- OriginalFileName: FINDSTR.EXE
selection_cli_search_insensitive:
  CommandLine|contains|windash: ' -i '
selection_cli_search_subfolder:
  CommandLine|contains|windash: ' -s '
condition: selection_findstr and all of selection_cli_search_*
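As an added illustration (not code from this page or from the Sigma project), the Python below applies the rule above to a few constructed process-creation events, implementing the `windash` modifier so that `-s`/`-i` and `/s`/`/i` both match; the field names and sample events are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names);
# these are invented for the example, not taken from the page or any host.
EVENTS = [
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'findstr /s /i "password" C:\\Users\\*.txt'},
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "FINDSTR -s -i connectionstring *.config"},
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'findstr /i "error" app.log'},          # no subfolder flag
    {"Image": r"C:\Windows\System32\findstr.exe", "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr /si password *.txt"},           # combined switches
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c dir /s /b C:\\Users"},           # not findstr at all
]


def windash_contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains|windash': every '-' in the value also matches '/'.
    Like all Sigma string matching, the comparison is case-insensitive."""
    pattern = "[-/]".join(re.escape(part) for part in needle.split("-"))
    return re.search(pattern, haystack, re.IGNORECASE) is not None


def selection_findstr(ev: dict) -> bool:
    """A list of field checks in a selection is OR-ed: any one is enough."""
    return ("findstr" in ev.get("CommandLine", "").lower()
            or ev.get("Image", "").lower().endswith("findstr.exe")
            or ev.get("OriginalFileName", "").lower() == "findstr.exe")


def rule_matches(ev: dict) -> bool:
    """condition: selection_findstr and all of selection_cli_search_*"""
    cli = ev.get("CommandLine", "")
    insensitive = windash_contains(cli, " -i ")   # selection_cli_search_insensitive
    subfolder = windash_contains(cli, " -s ")     # selection_cli_search_subfolder
    return selection_findstr(ev) and insensitive and subfolder


def matching_command_lines(events=EVENTS) -> list:
    """Return the command lines of every event the rule fires on."""
    return [ev["CommandLine"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for line in matching_command_lines():
        print("ALERT:", line)
```

Because the rule's values carry a space on both sides, a combined switch such as `/si` or a switch at the very end of the command line is not covered; that is a property of the rule as written, which the example reproduces rather than corrects.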