← Library
sigmaDRL-1.1from SigmaHQ/sigma

Permission Misconfiguration Reconnaissance Via Findstr.EXE

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.

Quality
80
FP risk
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: test
description: |
    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
    This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            #   Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml