sigma | medium | Hunting

Findstr Launching .lnk File

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

MITRE ATT&CK

defense-evasion

Detection Query

selection_img:
  - Image|endswith:
      - \find.exe
      - \findstr.exe
  - OriginalFileName:
      - FIND.EXE
      - FINDSTR.EXE
selection_cli:
  CommandLine|endswith:
    - .lnk
    - .lnk"
    - .lnk'
condition: all of selection_*

Author

Trent Liffick

Created

2020-05-01

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.defense-evasion, attack.t1036, attack.t1202, attack.t1027.003

Raw Content

title: Findstr Launching .lnk File
id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
status: test
description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
references:
    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
author: Trent Liffick
date: 2020-05-01
modified: 2024-01-15
tags:
    - attack.defense-evasion
    - attack.t1036
    - attack.t1202
    - attack.t1027.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            - '.lnk'
            - '.lnk"'
            - ".lnk'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
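
The rule's matching logic replayed over sample process-creation events, as an added example that is not part of the rule or its author's code. The function names mirror the rule's selections; the event records, paths and the hits helper are constructed for illustration.

```python
# Added example: the rule's selections as plain Python predicates.
# All event values below are constructed for illustration.
IMAGE_SUFFIXES = ("\\find.exe", "\\findstr.exe")
ORIGINAL_NAMES = ("find.exe", "findstr.exe")
CLI_SUFFIXES = (".lnk", '.lnk"', ".lnk'")


def selection_img(event):
    # A list of maps under one selection is OR-ed: the path suffix or the
    # PE OriginalFileName may identify the binary. Sigma string matching
    # is case-insensitive by default, hence lower().
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES


def selection_cli(event):
    # The command line must end with .lnk, optionally followed by a quote.
    return event.get("CommandLine", "").lower().endswith(CLI_SUFFIXES)


def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\findstr.exe",  # no OriginalFileName logged
     "CommandLine": r'findstr /V /L "placeholder" "C:\Users\user\Downloads\sample.lnk"'},
    {"id": 2, "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": r"findstr /i error C:\logs\app.log"},
    {"id": 3, "Image": r"C:\Users\user\AppData\Local\Temp\helper.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": r"helper.exe /V /L placeholder C:\Users\user\Downloads\sample.lnk"},
    {"id": 4, "Image": r"C:\Windows\explorer.exe",
     "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": r"explorer.exe C:\Users\user\Desktop\report.lnk"},
]


def hits(events):
    # Return the ids of events that satisfy the full condition.
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(hits(EVENTS))
```

Event 3 matches only through OriginalFileName, which is why the rule lists both fields under selection_img; event 4 shows that a .lnk command line alone does not fire the rule.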