sigmahighHunting

Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE

Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).

MITRE ATT&CK

T1518.001

discovery

Detection Query

selection_img:
  - Image|endswith:
      - \find.exe
      - \findstr.exe
  - OriginalFileName:
      - FIND.EXE
      - FINDSTR.EXE
selection_cli:
  CommandLine|contains: " 385201"
condition: all of selection_*

Author

frack113

Created

2021-12-16

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service

Tags

attack.discoveryattack.t1518.001

Raw Content

title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
id: 37db85d1-b089-490a-a59a-c7b6f984f480
status: test
description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
author: frack113
date: 2021-12-16
modified: 2023-11-14
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains: ' 385201' # Sysmon driver default altitude
    condition: all of selection_*
falsepositives:
    - Unknown
level: high