LSASS Process Reconnaissance Via Findstr.EXE

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1552.006` Unsecured Credentials: Group Policy Preferences

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_findstr_img`

or:
Image|endswith: '\find.exe'
Image|endswith: '\findstr.exe'
OriginalFileName: FIND.EXE
OriginalFileName: FINDSTR.EXE

Stage 2: `all of selection_findstr_cli`

CommandLine|contains: lsass

Stage 3: `selection_special`

or:
CommandLine|contains: ' /i "lsass'
CommandLine|contains: ' /i lsass.exe'
CommandLine|contains: 'findstr "lsass'
CommandLine|contains: 'findstr lsass'
CommandLine|contains: 'findstr.exe "lsass'
CommandLine|contains: 'findstr.exe lsass'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`/i "lsass` `/i lsass.exe` `findstr "lsass` `findstr lsass` `findstr.exe "lsass` `findstr.exe lsass` `lsass` corpus 4 (sigma 4)
`Image`	ends_with	`\find.exe` corpus 8 (sigma 8) `\findstr.exe` corpus 11 (sigma 11)
`OriginalFileName`	eq	`FIND.EXE` corpus 6 (sigma 6) `FINDSTR.EXE` corpus 10 (sigma 10)