EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Insensitive Subfolder Search Via Findstr.EXE

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

MITRE ATT&CK

T1218T1564.004T1552.001T1105
defense-evasioncredential-accesscommand-and-control

Detection Query

selection_findstr:
  - CommandLine|contains: findstr
  - Image|endswith: findstr.exe
  - OriginalFileName: FINDSTR.EXE
selection_cli_search_subfolder:
  CommandLine|contains|windash: " -s "
selection_cli_search_insensitive:
  CommandLine|contains|windash: " -i "
condition: selection_findstr and all of selection_cli_search_*

Author

Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)

Created

2020-10-05

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.credential-accessattack.command-and-controlattack.t1218attack.t1564.004attack.t1552.001attack.t1105
Raw Content
title: Insensitive Subfolder Search Via Findstr.EXE
id: 04936b66-3915-43ad-a8e5-809eadfd1141
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.command-and-control
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_search_subfolder:
        CommandLine|contains|windash: ' -s '
    selection_cli_search_insensitive:
        CommandLine|contains|windash: ' -i '
    condition: selection_findstr and all of selection_cli_search_*
falsepositives:
    - Administrative or software activity
level: low