
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE (37db85d1-b089-490a-a59a-c7b6f984f480)

Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE (37db85d1-b089-490a-a59a-c7b6f984f480) | Sigma-Rules | 1 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 2 |