Detect AV‑enumeration via findstr.exe (Quick Heal, Webroot, ESET, Bitdefender, Avast, AVG, Norton, Sophos) #5539

@Securityinbits

Description

Background

Recent Lumma Stealer batches execute two distinct findstr.exe commands to probe for the presence of popular antivirus processes:

findstr  /I "opssvc wrsa" 

findstr  "SophosHealth nsWscSvc ekrn bdservicehost AvastUI AVGUI  & if not errorlevel 1 Set MGcrwdxxXERbsi=AutoIt3.exe & Set ggyDjEMbtbUIfTjvhcVs=.a3x & Set oXQcmIHFI=300

Executed the latest Lumma Stealer in Any Run: https://app.any.run/tasks/5205dadc-377f-47ca-9aae-124fc13a80d9
Some other variants observed:

  • TrendMicro
findstr /I "opssvc wrsa"
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
  • UNIT42
tasklist | findstr /I "opssvc wrsa"
tasklist | findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"

Description of the Idea of the Rule

No official Sigma rule currently detects these specific process‑name strings when used with findstr.exe.

Proposed rule scope:
We can modify "Security Tools Keyword Lookup Via Findstr.EXE" and add wrsa.

OR

We can add another line, CommandLine|startswith:, and then add bdservicehost, AvastUI, SophosHealth, etc.

  • Logsource: process_creation / windows
  • Optional parent filter cmd.exe
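To make the proposed logic concrete, here is an added example (not code from the issue author or from SigmaHQ) that applies the same selection to process_creation events: Image ends with findstr.exe, CommandLine contains any of the AV process names quoted above, with the parent-cmd.exe filter as an option. The event field names follow Sigma's process_creation logsource, the sample events are constructed from the command lines quoted in the issue, and the `min_matches` knob is an assumption added here for tuning, not part of the proposal.

```python
"""Toy matcher for the detection proposed in this issue (added example)."""
from __future__ import annotations

# Process names quoted in the issue's two findstr invocations, grouped by the
# vendors named in the issue title.
AV_PROCESS_KEYWORDS: tuple[str, ...] = (
    "opssvc",         # Quick Heal
    "wrsa",           # Webroot
    "SophosHealth",   # Sophos
    "nsWscSvc",       # Norton
    "ekrn",           # ESET
    "bdservicehost",  # Bitdefender
    "AvastUI",        # Avast
    "AVGUI",          # AVG
)


def matched_keywords(command_line: str) -> list[str]:
    """Case-insensitive substring match, mirroring Sigma's
    CommandLine|contains with a list (any-of semantics)."""
    cl = command_line.lower()
    return [k for k in AV_PROCESS_KEYWORDS if k.lower() in cl]


def detect(event: dict[str, str], require_cmd_parent: bool = False,
           min_matches: int = 1) -> dict | None:
    """Return a match record for one process_creation event, or None.

    require_cmd_parent mirrors the optional parent filter from the issue.
    min_matches is an assumed tuning knob (not in the issue) so an analyst can
    demand more than one AV name before alerting.
    """
    if not event.get("Image", "").lower().endswith("\\findstr.exe"):
        return None
    if require_cmd_parent and not event.get("ParentImage", "").lower().endswith("\\cmd.exe"):
        return None
    hits = matched_keywords(event.get("CommandLine", ""))
    if len(hits) < min_matches:
        return None
    return {"rule": "av_enumeration_via_findstr", "matched": hits, "event": event}


def scan(events: list[dict[str, str]], **kwargs) -> list[dict]:
    """Run detect() over a batch of events and keep the hits."""
    return [hit for e in events if (hit := detect(e, **kwargs))]


def sigma_detection_block() -> str:
    """Render the proposed selection as a Sigma detection block (contains,
    not startswith, so the keywords match anywhere in the command line)."""
    lines = [
        "detection:",
        "  selection:",
        "    Image|endswith: '\\findstr.exe'",
        "    CommandLine|contains:",
    ]
    lines += [f"      - '{k}'" for k in AV_PROCESS_KEYWORDS]
    lines.append("  condition: selection")
    return "\n".join(lines)


# Constructed process_creation events. The first two command lines are the
# ones quoted in the issue (the second keeps its unterminated quote, which
# substring matching tolerates); the third is a benign log grep for contrast.
SAMPLE_EVENTS: list[dict[str, str]] = [
    {"Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'findstr  /I "opssvc wrsa" '},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ('findstr  "SophosHealth nsWscSvc ekrn bdservicehost AvastUI AVGUI'
                     '  & if not errorlevel 1 Set MGcrwdxxXERbsi=AutoIt3.exe'
                     ' & Set ggyDjEMbtbUIfTjvhcVs=.a3x & Set oXQcmIHFI=300')},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'findstr /I "error" C:\logs\app.log'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, require_cmd_parent=True):
        print(hit["matched"], "<-", hit["event"]["CommandLine"])
    print(sigma_detection_block())
```

Running it flags the two Lumma command lines and not the log grep; the returned keyword list is what an analyst would look at when deciding whether a single hit such as a lone "ekrn" in an admin's service listing is worth an alert.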
Public References
