Detection rules › Sigma
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution, T1564.004 Hide Artifacts: NTFS File Attributes |
| Credential Access | T1552.001 Unsecured Credentials: Credentials In Files |
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection_findstr
or:
CommandLine|contains: findstr
Image|endswith: findstr.exe
OriginalFileName: FINDSTR.EXE
Stage 2: all of selection_cli_download_1
CommandLine|contains: ' -v '
Stage 3: all of selection_cli_download_2
CommandLine|contains: ' -l '
Stage 4: all of selection_cli_download_3
CommandLine|contains: '\\\\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|