.. /Findstr.exe
Star

Alternate data streams
Credentials
Download

Write to ADS, discover, or download files with Findstr.exe

Paths:

Resources:

Acknowledgements:

Detections:

Alternate data streams

  1. Searches for the string W3AllLov3LolBas, since it does not exist (/V) the specified .exe file is written to an Alternate Data Stream (ADS) of the specified target file.

    findstr /V /L W3AllLov3LolBas {PATH_ABSOLUTE:.exe} > {PATH_ABSOLUTE}:file.exe
    Use case
    Add a file to an alternate data stream to hide from defensive counter measures
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1564.004

  2. Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.

    findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE}:file.exe
    Use case
    Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1564.004

Credentials

  1. Search for stored password in Group Policy files stored on SYSVOL.

    findstr /S /I cpassword \\sysvol\policies\*.xml
    Use case
    Find credentials stored in cpassword attrbute
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1552.001

Download

  1. Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.

    findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE:.exe}
    Use case
    Download/Copy file from webdav server
    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1105