title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|contains|all:
- 'cpassword'
- '\sysvol\'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
simulation:
- type: atomic-red-team
name: GPP Passwords (findstr)
technique: T1552.006
atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: test
description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
references:
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_findstr_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_findstr_cli:
CommandLine|contains: 'lsass'
selection_special:
CommandLine|contains|windash:
- ' /i "lsass'
- ' /i lsass.exe'
- 'findstr "lsass'
- 'findstr lsass'
- 'findstr.exe "lsass'
- 'findstr.exe lsass'
condition: all of selection_findstr_* or selection_special
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
id: d51694fe-484a-46ac-92d6-969e76d60d10
related:
- id: 8344c19f-a023-45ff-ad63-a01c5396aea0
type: derived
status: test
description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
references:
- https://github.com/vletoux/pingcastle
author: frack113
date: 2023-12-21
modified: 2024-07-29
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|startswith: '\\'
FileName|contains|all:
- '\sysvol\'
- '\Policies\'
FileName|endswith:
- 'audit.csv'
- 'Files.xml'
- 'GptTmpl.inf'
- 'groups.xml'
- 'Registry.pol'
- 'Registry.xml'
- 'scheduledtasks.xml'
- 'scripts.ini'
- 'services.xml'
filter_main_generic:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: test
description: |
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-11-11
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_findstr_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_findstr_cli:
CommandLine|contains:
- '"Everyone"'
- "'Everyone'"
- '"BUILTIN\\"'
- "'BUILTIN\\'"
selection_special:
CommandLine|contains|all:
# Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
# You could extend it for other groups and users
# Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
# Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
- 'icacls '
- 'findstr '
- 'Everyone'
condition: all of selection_findstr_* or selection_special
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml
title: Suspicious SYSVOL Domain Group Policy Access
id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
status: test
description: Detects Access to Domain Group Policies stored in SYSVOL
references:
- https://adsecurity.org/?p=2288
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2018-04-09
modified: 2022-01-07
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\SYSVOL\'
- '\policies\'
condition: selection
falsepositives:
- Administrative activity
level: medium