Skip to content

Hide Navigation Hide TOC

Findstr (a62634f8-8f42-4874-9669-bea2e053dfea)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Write to ADS, discover, or download files with Findstr.exe

Author: Oddvar Moe

Paths: * C:\Windows\System32\findstr.exe * C:\Windows\SysWOW64\findstr.exe

Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_lolbin_findstr.yml[Findstr.exe - LOLBAS Project]

Cluster A Galaxy A Cluster B Galaxy B Level
Findstr (a62634f8-8f42-4874-9669-bea2e053dfea) Tidal Software Chimera (ca93af75-0ffa-4df4-b86a-92d4d50e496e) Tidal Groups 1
Findstr (a62634f8-8f42-4874-9669-bea2e053dfea) Tidal Software Earth Lusca (646e35d2-75de-4c1d-8ad3-616d3e155c5e) Tidal Groups 1