Techniques
Sample rules
Insensitive Subfolder Search Via Findstr.EXE
- source: sigma
- techniques:
- t1105
- t1218
- t1552
- t1552.001
- t1564
- t1564.004
Description
Detects execution of findstr with the "s" (subfolder search) and "i" (case-insensitive search) flags. Attackers sometimes leverage this built-in utility to search the file system for files of interest or to filter the output of other commands.
Detection logic
condition: selection_findstr and all of selection_cli_search_*
selection_cli_search_insensitive:
    CommandLine|contains|windash: ' -i '
selection_cli_search_subfolder:
    CommandLine|contains|windash: ' -s '
selection_findstr:
    - CommandLine|contains: findstr
    - Image|endswith: findstr.exe
    - OriginalFileName: FINDSTR.EXE