
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE (37db85d1-b089-490a-a59a-c7b6f984f480)

Detects usage of "findstr" with the argument "385201", which could indicate discovery of an installed Sysinternals Sysmon service via its default driver altitude (even if the service name has been changed).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE (37db85d1-b089-490a-a59a-c7b6f984f480) | Sigma-Rules | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 1 |
| Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 2 |