← Back to Explore
sigmamediumHunting
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
Detection Query
selection_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
selection_cli:
CommandLine|endswith:
- " avira"
- ' avira"'
- " cb"
- ' cb"'
- " cylance"
- ' cylance"'
- " defender"
- ' defender"'
- " kaspersky"
- ' kaspersky"'
- " kes"
- ' kes"'
- " mc"
- ' mc"'
- " sec"
- ' sec"'
- " sentinel"
- ' sentinel"'
- " symantec"
- ' symantec"'
- " virus"
- ' virus"'
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Created
2023-10-20
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
Tags
attack.discoveryattack.t1518.001
Raw Content
title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: test
description: |
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
This detection focuses on the keywords that the attacker might use as a filter.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|endswith:
# Note: Add additional keywords to increase and enhance coverage
# Note:
# We use the double quote variation because in cases of where the command is executed through cmd for example:
# cmd /c "tasklist | findstr virus"
# Logging utilties such as Sysmon would capture the end quote as part of findstr execution
- ' avira'
- ' avira"'
- ' cb'
- ' cb"'
- ' cylance'
- ' cylance"'
- ' defender'
- ' defender"'
- ' kaspersky'
- ' kaspersky"'
- ' kes'
- ' kes"'
- ' mc'
- ' mc"'
- ' sec'
- ' sec"'
- ' sentinel'
- ' sentinel"'
- ' symantec'
- ' symantec"'
- ' virus'
- ' virus"'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
- type: atomic-red-team
name: Security Software Discovery
technique: T1518.001
atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2