← Back to Explore
sigmahighHunting
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
Detection Query
selection_findstr_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
selection_findstr_cli:
CommandLine|contains: lsass
selection_special:
CommandLine|contains|windash:
- ' /i "lsass'
- " /i lsass.exe"
- findstr "lsass
- findstr lsass
- findstr.exe "lsass
- findstr.exe lsass
condition: all of selection_findstr_* or selection_special
Author
Florian Roth (Nextron Systems)
Created
2022-08-12
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.credential-accessattack.t1552.006
Raw Content
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: test
description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
references:
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_findstr_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_findstr_cli:
CommandLine|contains: 'lsass'
selection_special:
CommandLine|contains|windash:
- ' /i "lsass'
- ' /i lsass.exe'
- 'findstr "lsass'
- 'findstr lsass'
- 'findstr.exe "lsass'
- 'findstr.exe lsass'
condition: all of selection_findstr_* or selection_special
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml