EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Remote File Download Via Findstr.EXE

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

MITRE ATT&CK

T1218T1564.004T1552.001T1105
defense-evasioncredential-accesscommand-and-control

Detection Query

selection_findstr:
  - CommandLine|contains: findstr
  - Image|endswith: findstr.exe
  - OriginalFileName: FINDSTR.EXE
selection_cli_download_1:
  CommandLine|contains|windash: " -v "
selection_cli_download_2:
  CommandLine|contains|windash: " -l "
selection_cli_download_3:
  CommandLine|contains: \\\\
condition: selection_findstr and all of selection_cli_download_*

Author

Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)

Created

2020-10-05

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.credential-accessattack.command-and-controlattack.t1218attack.t1564.004attack.t1552.001attack.t1105
Raw Content
title: Remote File Download Via Findstr.EXE
id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.credential-access
    - attack.command-and-control
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_download_1:
        CommandLine|contains|windash: ' -v '
    selection_cli_download_2:
        CommandLine|contains|windash: ' -l '
    selection_cli_download_3:
        CommandLine|contains: '\\\\'
    condition: selection_findstr and all of selection_cli_download_*
falsepositives:
    - Unknown
level: medium