administrative or software activity

t1105
t1218
t1552
t1552.001
t1564
t1564.004
windows
sigma

Techniques

t1105
t1218
t1552
t1552.001
t1564
t1564.004

Sample rules

Insensitive Subfolder Search Via Findstr.EXE

source: sigma
technicques:
- t1105
- t1218
- t1552
- t1552.001
- t1564
- t1564.004

Description

Detects execution of findstr with the “s” and “i” flags for a “subfolder” and “insensitive” search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Detection logic

condition: selection_findstr and all of selection_cli_search_*
selection_cli_search_insensitive:
  CommandLine|contains|windash: ' -i '
selection_cli_search_subfolder:
  CommandLine|contains|windash: ' -s '
selection_findstr:
- CommandLine|contains: findstr
- Image|endswith: findstr.exe
- OriginalFileName: FINDSTR.EXE