Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE | Standard | Windows | Discovery: Software Discovery - Security Software Discovery (T1518.001) | Trouble |
About the rule
Rule Type
Standard
Rule Description
findstr.exe is a native Windows command-line utility used to search for specific strings in files or command output. Attackers commonly abuse findstr.exe to locate sensitive information within memory dumps or running processes, especially targeting the Local Security Authority Subsystem Service (LSASS) process, which stores user credentials. This rule detects suspicious invocations of findstr.exe that attempt to enumerate or extract keywords associated with LSASS,
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Reconnaissance with findstr.exe → Identification of LSASS process → Impact
Impact
Impact
- Credential theft
- Privilege escalation
- Defense evasion
- Data exfiltration
- Facilitation of lateral movement
Rule Requirement
Prerequisites
Use the Group Policy Management Console to audit process creation and process termination.
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.
Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\find.exe,\findstr.exe" OR ORIGINALFILENAME = "FIND.EXE,FINDSTR.EXE") AND COMMANDLINE contains " 385201" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Discovery: Software Discovery - Security Software Discovery (T1518.001)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
When this rule is triggered, you’re notified of findstr.exe processes actively searching for LSASS or related terms, which commonly precede credential dumping attacks. This visibility enables rapid review of process usage, analysis of command-line arguments, and prompt identification of malicious reconnaissance targeting LSASS
Author
frack113
Future actions
Known False Positives
Legitimate administrators or automated maintenance scripts may occasionally use findstr.exe to query process lists or troubleshoot system issues, including referencing "LSASS." Manual review of command lines and user context is advised to distinguish benign from adversarial activity.
Next Steps
Next steps:
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Reconfiguration: Refine detection logic as needed, allow-list legitimate administrative usage, and continue to monitor for repeat behavior.
Mitigation
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
