Detection rules › Splunk
Security Software Discovery via Findstr.exe (Windows Event Log)
Threat actors may enumerate security software, configurations, and monitoring tools on a system or cloud environment to evade defenses or tailor their attack. This can involve querying registry keys, running system commands, or checking for specific processes related to security tools. This use case detects instances where findstr.exe or find.exe are executed to search for security software on the host.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1518.001 Software Discovery: Security Software Discovery |
References
- https://attack.mitre.org/techniques/T1518/001/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/findstr
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
- https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '43757.85555'
title: Security Software Discovery via Findstr.exe
description: Threat actors may enumerate security software, configurations, and monitoring
tools on a system or cloud environment to evade defenses or tailor their attack.
This can involve querying registry keys, running system commands, or checking for
specific processes related to security tools. This use case detects instances where
findstr.exe or find.exe are executed to search for security software on the host.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) ("findstr.exe" OR TERM(findstr) OR "find.exe"
OR TERM(find)) ("avira" OR "cb" OR "cylance" OR "defender" OR "kaspersky" OR "kes"
OR "mc" OR "sec" OR "sentinel" OR "symantec" OR "virus" OR "wrsa" OR "opssvc" OR
"avastui" OR "avgui" OR "bdservicehost" OR "nsWscSvc" OR "ekrn" OR "sophoshealth"
OR "falcon") | where match(process_path, "(?i)\x5cWindows\x5cSystem32\x5cfindstr\.exe|\x5cWindows\x5cSysWOW64\x5cfind\.exe")
and match(process, "(?i)\w+(\.exe)?\x22?\s+(avira|cb|cylance|defender|kaspersky|kes|mc|sec|sentinel|symantec|virus|wrsa|opssvc|avastui|avgui|bdservicehost|nsWscSvc|ekrn|sophoshealth|falcon)\x22?$")
| table _time, host, user, process, process_*, parent_* | bin span=1s | stats values(*)
as * by _time, host '
techniques:
- discovery:software discovery:security software discovery
technique_id:
- T1518.001
data_category:
- Process command-line parameters
- Windows event logs
references:
- https://attack.mitre.org/techniques/T1518/001/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/findstr
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
- https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) ("findstr.exe" OR TERM(findstr) OR "find.exe" OR TERM(find)) ("avira" OR "cb" OR "cylance" OR "defender" OR "kaspersky" OR "kes" OR "mc" OR "sec" OR "sentinel" OR "symantec" OR "virus" OR "wrsa" OR "opssvc" OR "avastui" OR "avgui" OR "bdservicehost" OR "nsWscSvc" OR "ekrn" OR "sophoshealth" OR "falcon")
Stage 2: where
| where match(process_path, "(?i)\x5cWindows\x5cSystem32\x5cfindstr\.exe|\x5cWindows\x5cSysWOW64\x5cfind\.exe") and match(process, "(?i)\w+(\.exe)?\x22?\s+(avira|cb|cylance|defender|kaspersky|kes|mc|sec|sentinel|symantec|virus|wrsa|opssvc|avastui|avgui|bdservicehost|nsWscSvc|ekrn|sophoshealth|falcon)\x22?$")
Stage 3: table
| table _time, host, user, process, process_*, parent_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
process | match |
|
process_path | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | "findstr.exe" |
| 1 | TERM |
| 1 | findstr |
| 1 | "find.exe" |
| 1 | TERM |
| 1 | find |
| 1 | "avira" |
| 1 | "cb" |
| 1 | "cylance" |
| 1 | "defender" |
| 1 | "kaspersky" |
| 1 | "kes" |
| 1 | "mc" |
| 1 | "sec" |
| 1 | "sentinel" |
| 1 | "symantec" |
| 1 | "virus" |
| 1 | "wrsa" |
| 1 | "opssvc" |
| 1 | "avastui" |
| 1 | "avgui" |
| 1 | "bdservicehost" |
| 1 | "nsWscSvc" |
| 1 | "ekrn" |
| 1 | "sophoshealth" |
| 1 | "falcon" |