Permission Misconfiguration Reconnaissance Via Findstr.EXE

title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: test
description: |
    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
    This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            #   Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml