detection.wiki

Detection rules › Sigma

Permission Misconfiguration Reconnaissance Via Findstr.EXE

Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1552.006 Unsecured Credentials: Group Policy Preferences

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_findstr_img

or:
Image|endswith: '\find.exe'
Image|endswith: '\findstr.exe'
OriginalFileName: FIND.EXE
OriginalFileName: FINDSTR.EXE

Stage 2: all of selection_findstr_cli

or:
CommandLine|contains: 'BUILTIN\'
CommandLine|contains: 'Everyone'
CommandLine|contains: "BUILTIN\\"
CommandLine|contains: "Everyone"

Stage 3: selection_special

CommandLine|contains: Everyone
CommandLine|contains: 'findstr '
CommandLine|contains: 'icacls '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • "BUILTIN\\"
  • "Everyone"
  • 'BUILTIN\'
  • 'Everyone'
  • Everyone
  • findstr
  • icacls
Imageends_with
  • \find.exe corpus 8 (sigma 8)
  • \findstr.exe corpus 11 (sigma 11)
OriginalFileNameeq
  • FIND.EXE corpus 6 (sigma 6)
  • FINDSTR.EXE corpus 10 (sigma 10)