Usecase: Add a file to an alternate data stream to hide from defensive counter measures
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004
Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1564.004
Credentials
Search for stored password in Group Policy files stored on SYSVOL.
findstr /S /I cpassword \\sysvol\policies\*.xml
Usecase: Find credentials stored in cpassword attrbute
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1552.001
Download
Searches for the string W3AllLov3LolBas, since it does not exist (/V) file.exe is downloaded to the target file.
Usecase: Download/Copy file from webdav server
Privileges required: User
OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1105