
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE (37db85d1-b089-490a-a59a-c7b6f984f480)

Detects usage of "findstr" with the argument "385201", which could indicate discovery of an installed Sysinternals Sysmon service via its default minifilter driver altitude (the altitude stays the same even if the service or driver name has been changed).
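The detection logic the rule describes, as an added example that is not part of the Sigma rule or of this page: a small Python matcher run over constructed Sysmon Event ID 1 style records (the field names Image, OriginalFileName and CommandLine are the real Sysmon fields; the event contents themselves are invented here). It checks OriginalFileName as well as the image path so a renamed copy of findstr still matches, and it shows the two places the rule does not reach: the altitude being searched with a different tool, and benign findstr use.

```python
"""Findstr-based Sysmon altitude discovery: rule logic run over sample events."""

# Default minifilter altitude registered by the Sysmon driver. Sysmon can be
# installed under a different service and driver name, but the altitude does
# not change with the name, which is why the rule keys on the number.
SYSMON_DEFAULT_ALTITUDE = "385201"

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# These are illustrative samples written for this example, not real telemetry.
# Note: in a pipeline such as "fltmc instances | findstr 385201", cmd.exe
# spawns findstr as its own process, so its CommandLine is just "findstr 385201".
SAMPLE_EVENTS = [
    # 0: altitude grepped out of minifilter instance output
    {"Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr 385201"},
    # 1: findstr copied and renamed, searching a registry export
    {"Image": r"C:\Users\Public\fs.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": 'fs.exe /i "385201" C:\\Users\\Public\\services.reg'},
    # 2: benign findstr use, no altitude string
    {"Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr /s /i password *.txt"},
    # 3: same altitude searched with reg.exe; outside this rule's scope
    {"Image": r"C:\Windows\System32\reg.exe",
     "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f 385201"},
]


def is_findstr(event: dict) -> bool:
    """True when the process is findstr by image path or by PE original filename.

    OriginalFileName comes from the PE version resource, so a renamed copy of
    the binary still matches.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\findstr.exe") or original == "findstr.exe"


def matches_sysmon_altitude_discovery(event: dict) -> bool:
    """Rule logic: findstr invoked with the default Sysmon altitude on its command line.

    This is a substring match, as the rule description implies, so a command
    line containing e.g. "3852010" would also fire; tune on review if needed.
    """
    return is_findstr(event) and SYSMON_DEFAULT_ALTITUDE in event.get("CommandLine", "")


def detect(events) -> list:
    """Return the indices of the events that match the rule."""
    return [i for i, ev in enumerate(events) if matches_sysmon_altitude_discovery(ev)]


if __name__ == "__main__":
    for idx in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: {ev['Image']} :: {ev['CommandLine']}")
```

Events 0 and 1 alert; event 2 is benign and event 3 uses reg.exe instead of findstr, so neither is covered by this rule. An installation whose altitude was changed from the default would also not be found by searching for 385201.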

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE (37db85d1-b089-490a-a59a-c7b6f984f480) | Sigma-Rules | 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 2