title: Findstr Launching .lnk File
id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
status: experimental
references:
    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1202
    - attack.t1027.003
author: Trent Liffick
date: 2020/05/01
modified: 2020/08/30
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\findstr.exe'
        CommandLine|endswith: '.lnk'
    condition: selection
fields:
    - Image
    - CommandLine
    - ParentCommandLine
falsepositives:
    - unknown
level: medium