Recon Command Output Piped To Findstr.EXE (ccb5742c-c248-4982-8c5c-5571b9275ad3)
Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | Recon Command Output Piped To Findstr.EXE (ccb5742c-c248-4982-8c5c-5571b9275ad3) | Sigma-Rules | 1 |