Detection rules › Sigma
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1518.001 Software Discovery: Security Software Discovery |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: test
description: |
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
This detection focuses on the keywords that the attacker might use as a filter.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|endswith:
# Note: Add additional keywords to increase and enhance coverage
# Note:
# We use the double quote variation because in cases of where the command is executed through cmd for example:
# cmd /c "tasklist | findstr virus"
# Logging utilties such as Sysmon would capture the end quote as part of findstr execution
- ' avira'
- ' avira"'
- ' cb'
- ' cb"'
- ' cylance'
- ' cylance"'
- ' defender'
- ' defender"'
- ' kaspersky'
- ' kaspersky"'
- ' kes'
- ' kes"'
- ' mc'
- ' mc"'
- ' sec'
- ' sec"'
- ' sentinel'
- ' sentinel"'
- ' symantec'
- ' symantec"'
- ' virus'
- ' virus"'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
- type: atomic-red-team
name: Security Software Discovery
technique: T1518.001
atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2
Stages and Predicates
Stage 0: condition
all of selection_*Stage 1: selection_img
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
Stage 2: selection_cli
selection_cli:
CommandLine|endswith:
- ' avira'
- ' avira"'
- ' cb'
- ' cb"'
- ' cylance'
- ' cylance"'
- ' defender'
- ' defender"'
- ' kaspersky'
- ' kaspersky"'
- ' kes'
- ' kes"'
- ' mc'
- ' mc"'
- ' sec'
- ' sec"'
- ' sentinel'
- ' sentinel"'
- ' symantec'
- ' symantec"'
- ' virus'
- ' virus"'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | ends_with |
|
Image | ends_with |
|
OriginalFileName | eq |
|