Detection rules › Sigma
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1518.001 Software Discovery: Security Software Discovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\find.exe'
Image|endswith: '\findstr.exe'
OriginalFileName: FIND.EXE
OriginalFileName: FINDSTR.EXE
Stage 2: all of selection_cli
or:
CommandLine|endswith: ' avira'
CommandLine|endswith: ' avira"'
CommandLine|endswith: ' cb'
CommandLine|endswith: ' cb"'
CommandLine|endswith: ' cylance'
CommandLine|endswith: ' cylance"'
CommandLine|endswith: ' defender'
CommandLine|endswith: ' defender"'
CommandLine|endswith: ' kaspersky'
CommandLine|endswith: ' kaspersky"'
CommandLine|endswith: ' kes'
CommandLine|endswith: ' kes"'
CommandLine|endswith: ' mc'
CommandLine|endswith: ' mc"'
CommandLine|endswith: ' sec'
CommandLine|endswith: ' sec"'
CommandLine|endswith: ' sentinel'
CommandLine|endswith: ' sentinel"'
CommandLine|endswith: ' symantec'
CommandLine|endswith: ' symantec"'
CommandLine|endswith: ' virus'
CommandLine|endswith: ' virus"'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | ends_with |
|
Image | ends_with |
|
OriginalFileName | eq |
|