Permission Misconfiguration Reconnaissance Via Findstr.EXE (47e4bab7-c626-47dc-967b-255608c9a920)

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen in combination with "icacls" to look for misconfigured file or folder permissions.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | Permission Misconfiguration Reconnaissance Via Findstr.EXE (47e4bab7-c626-47dc-967b-255608c9a920) | Sigma-Rules | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | 2 |