Permission Misconfiguration Reconnaissance Via Findstr.EXE (47e4bab7-c626-47dc-967b-255608c9a920)

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This has been seen used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Permission Misconfiguration Reconnaissance Via Findstr.EXE (47e4bab7-c626-47dc-967b-255608c9a920) | Sigma-Rules | Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | 2 |