← Back to Explore
sigmamediumHunting
Recon Command Output Piped To Findstr.EXE
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
Detection Query
selection:
CommandLine|contains:
- ipconfig*|*find
- net*|*find
- netstat*|*find
- ping*|*find
- systeminfo*|*find
- tasklist*|*find
- whoami*|*find
filter_optional_xampp:
CommandLine|contains|all:
- cmd.exe /c TASKLIST /V |
- FIND /I
- \xampp\
- \catalina_start.bat
condition: selection and not 1 of filter_optional_*
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Created
2023-07-06
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
- https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
Tags
attack.discoveryattack.t1057
Raw Content
title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: test
description: |
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
- https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-07-06
modified: 2025-10-08
tags:
- attack.discovery
- attack.t1057
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# Note: Add additional CLI to increase and enhance coverage
# Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
- 'ipconfig*|*find'
- 'net*|*find'
- 'netstat*|*find'
- 'ping*|*find'
- 'systeminfo*|*find'
- 'tasklist*|*find'
- 'whoami*|*find'
filter_optional_xampp:
CommandLine|contains|all:
- 'cmd.exe /c TASKLIST /V |'
- 'FIND /I'
- '\xampp\'
- '\catalina_start.bat'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml