Recon Command Output Piped To Findstr.EXE

Rule Info

Name: Recon Command Output Piped To Findstr.EXE
Author: Nasreddine Bencherchali (Nextron Systems), frack113
Description: Detects the execution of a potential reconnaissance command whose output is piped to "findstr". The rule is meant to trigger on inline invocations through "cmd.exe", for example via the "/c" or "/k" switches. Attackers often use this technique to extract the specific information they need during the reconnaissance phase.
Date: 2023-07-06 00:00:00
Modified: 2024-06-27 00:00:00
Id: ccb5742c-c248-4982-8c5c-5571b9275ad3
Tags: attack.discovery attack.t1057
Type: Community Rule
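The pattern the description refers to (an inline "cmd.exe /c" or "/k" command whose left-hand side is a reconnaissance utility and whose output is piped into findstr) can be approximated over process command lines as follows. This is an added illustration and not the Sigma rule's own selection logic, which is not reproduced on this page; the list of reconnaissance commands, the regular expressions and the sample command lines are all constructed assumptions for the example.

```python
import re

# Constructed, illustrative list of reconnaissance utilities (an assumption,
# not the rule's own selection list).
RECON_COMMANDS = ("whoami", "net", "ipconfig", "tasklist", "systeminfo", "netstat", "nltest")

# cmd or cmd.exe followed, somewhere later, by " /c " or " /k " and the inline command.
CMD_INLINE = re.compile(r'(?i)\bcmd(?:\.exe)?\b.*?\s/[ck]\s+(?P<inline>.+)$')

# A pipe into findstr or findstr.exe anywhere in the inline command.
PIPE_TO_FINDSTR = re.compile(r'(?i)\|\s*findstr(?:\.exe)?\b')


def inline_command(cmdline):
    """Return the command passed to cmd.exe via /c or /k, or None if absent."""
    match = CMD_INLINE.search(cmdline)
    return match.group("inline").strip() if match else None


def is_recon_piped_to_findstr(cmdline):
    """True when a cmd.exe /c or /k inline command pipes a recon utility into findstr."""
    inline = inline_command(cmdline)
    if inline is None:
        return False
    if not PIPE_TO_FINDSTR.search(inline):
        return False
    # The producer is everything left of the first pipe; its first token is the utility.
    producer = inline.lstrip('"').split("|", 1)[0].strip()
    tokens = producer.split()
    if not tokens:
        return False
    utility = tokens[0].lower().rsplit("\\", 1)[-1]   # drop any directory prefix
    if utility.endswith(".exe"):
        utility = utility[:-4]
    return utility in RECON_COMMANDS


def flag_lines(cmdlines):
    """Return the command lines that match the detection heuristic."""
    return [line for line in cmdlines if is_recon_piped_to_findstr(line)]


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\cmd.exe /c tasklist | findstr /i "chrome"',   # matches
    r'cmd.exe /k "ipconfig /all | findstr IPv4"',                        # matches
    r'cmd.exe /c dir C:\ | findstr Users',                               # dir is not in the list
    r'powershell.exe -Command Get-Process',                              # no cmd.exe inline call
    r'cmd.exe /c tasklist > out.txt',                                    # no pipe to findstr
]

if __name__ == "__main__":
    for line in flag_lines(SAMPLE_CMDLINES):
        print("ALERT:", line)
```

The heuristic deliberately keys on the first token left of the pipe rather than on the whole command line, so that "findstr" appearing in an unrelated argument does not produce an alert; the list of utilities and the tolerance for quoted inline commands are the parts to tune against your own telemetry.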

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
Nasreddine Bencherchali | Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes | 2024-07-17 |
phantinuss | Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing | 2023-11-15 |
phantinuss | Revert "Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing" | 2023-11-15 |
phantinuss | Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing | 2023-11-15 |
phantinuss | Revert "Fix Further FPs Found In Testing (#4564)" | 2023-11-15 |
Nasreddine Bencherchali | Fix Further FPs Found In Testing (#4564) | 2023-11-15 |
frack113 | Merge PR #4496 from @frack113 - Update & Add Findstr.EXE Rules | 2023-10-28 |