Remote File Download Via Findstr.EXE

    Date: 05/21/2025

    Severity: Medium

    Summary

    Detects the use of the "findstr" command with specific flags targeting a remote shared path. This particular combination of command-line options can enable "findstr" to retrieve the contents of a file from the remote share, as outlined in the LOLBAS project documentation.

    Indicators of Compromise (IOC) List

    Image:
        findstr.exe

    CommandLine (all of the following substrings):
        Findstr
        ' -v '
        ' -l '
        '\\\\'

    OriginalFileName:
        FINDSTR.EXE

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query :

    (resourcename = "Windows Security"  AND eventtype = "4688")  AND (processname like "findstr.exe"  AND commandline like "findstr") and commandline like " -v " and commandline like " -l" and commandline like "\\\\"

    Detection Query :

    (technologygroup = "EDR")  AND (processname like "findstr.exe"  AND commandline like "findstr") and commandline like " -v " and commandline like " -l" and commandline like "\\\\"
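    The two queries above both apply the same test to a process-creation record: the image is findstr.exe and the command line contains the "findstr" token, the " -v " and " -l " switches, and a UNC prefix. The following is an added example, not part of the Gurucul advisory or of the Sigma rule it cites, that expresses that test in Python and runs it over a handful of constructed Windows Security 4688 events. The field names (`new_process_name`, `command_line`) and the case-insensitive comparison are assumptions made here; Sigma's `contains` modifier is case-insensitive by default, but the page does not say how Gurucul's `like` behaves.

```python
"""
Added example: the Findstr remote-file-read detection logic from the advisory,
applied to Windows Security 4688 (process creation) events.
All sample events below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Substrings every match must contain, mirroring the advisory's IOC list.
# "\\\\" is the Python literal for two backslashes, i.e. the start of a
# \\server\share UNC path as written in the Sigma rule ('\\\\').
REQUIRED_TOKENS = ("findstr", " -v ", " -l ", "\\\\")


@dataclass
class ProcessEvent:
    """Minimal view of a 4688 record; field names are assumptions."""
    event_id: int
    new_process_name: str   # full image path as logged by the OS
    command_line: str       # process command line (requires audit policy)


def is_findstr_remote_read(event: ProcessEvent) -> bool:
    """Return True when the event matches the advisory's detection logic."""
    if event.event_id != 4688:           # only process-creation events
        return False
    # Image check: compare the file name only, like Sigma's Image|endswith.
    image = event.new_process_name.lower().rsplit("\\", 1)[-1]
    if image != "findstr.exe":
        return False
    # CommandLine check: all tokens must be present (case-insensitive here).
    cmd = event.command_line.lower()
    return all(token in cmd for token in REQUIRED_TOKENS)


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a stream of events down to those that trigger the detection."""
    return [e for e in events if is_findstr_remote_read(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. findstr with -v and -l pointed at a UNC path: should match.
    ProcessEvent(4688, "C:\\Windows\\System32\\findstr.exe",
                 "findstr.exe -v -l PLACEHOLDER \\\\fileserver\\public\\notes.txt"),
    # 2. Ordinary local search without the flagged switches: benign.
    ProcessEvent(4688, "C:\\Windows\\System32\\findstr.exe",
                 "findstr.exe /i error C:\\logs\\app.log"),
    # 3. -v and -l present but only a local path, no UNC prefix: benign.
    ProcessEvent(4688, "C:\\Windows\\System32\\findstr.exe",
                 "findstr.exe -v -l debug C:\\temp\\trace.log"),
    # 4. UNC path used by a different image: outside this rule's scope.
    ProcessEvent(4688, "C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe /c dir \\\\fileserver\\public"),
    # 5. Same command line on a process-termination (4689) event: ignored.
    ProcessEvent(4689, "C:\\Windows\\System32\\findstr.exe",
                 "findstr.exe -v -l PLACEHOLDER \\\\fileserver\\public\\notes.txt"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT Remote File Download Via Findstr.EXE:", hit.command_line)
```

Only the first sample event fires; the local-path variant in the third event shows why the UNC-prefix token is what keeps this rule from alerting on routine findstr usage.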

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml


    Tags

    Findstr.exe, LOLBAS, Sigma

