Process

unknown

findstr.exe

findstr.exe searches files for text using patterns and regular expressions, the Windows equivalent of grep. Administrators and scripts use it constantly. Attackers use it to hunt for passwords in files and, through a lesser-known quirk, to copy or read files from remote shares.

File identity

File details

Not observed.

Signing information

Not observed.

File version (0)

Not observed.

File size (0)

Not observed.

Execution context

File paths (0)

Not observed.

User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (0)

Not observed.

Session (0)

Not observed.

Token privileges (0)

Not observed.

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

LOLBAS (4)
  • findstr /V /L W3AllLov3LolBas {PATH_ABSOLUTE:.exe} > {PATH_ABSOLUTE}:file.exe · ADS · Add a file to an alternate data stream to hide from defensive countermeasures
  • findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE}:file.exe · ADS · Add a file to an alternate data stream from a WebDAV server to hide from defensive countermeasures
  • findstr /S /I cpassword \\sysvol\policies\*.xml · Credentials · Find credentials stored in the cpassword attribute
  • findstr /V /L W3AllLov3LolBas {PATH_SMB:.exe} > {PATH_ABSOLUTE:.exe} · Download · Download/copy a file from a WebDAV server

Indicators

Hashes

Not observed.

Analysis

About this process

findstr.exe searches the contents of files for literal strings or regular expressions and prints the matching lines. It is a normal part of batch scripting and troubleshooting. It also has a quirk attackers exploit: it can read a target file across a UNC path, which lets it pull content from a remote share. The genuine binary lives at C:\Windows\System32\findstr.exe.

Legitimately, findstr appears throughout scripts and interactive troubleshooting. What it is searching for, and where, are what give an instance meaning.

Security notes

findstr.exe is a quick way to harvest credentials left in files (T1552.001). A search for terms like password across configuration files, scripts, and saved exports turns up plaintext secrets that applications and admins leave behind, a fast win during post-exploitation reconnaissance.

Its UNC-reading quirk also makes it a minor ingress tool (T1105): because findstr can read a file from a remote share, it can be used to pull content from another host through a signed binary. Because findstr is an everyday search tool, the search terms, the targets, and any remote paths are what separate ordinary scripting from credential hunting.

Anomaly signals (5)
  • Image path other than C:\Windows\System32\findstr.exe · high
  • Reading a file across a remote UNC path (\\host\share\...) · high
  • Searching files or registry exports for password, passwd, or credential keywords · med
  • Parent is an Office application, a script host, or an unfamiliar process · med
  • Recursive searches across user profiles or config directories for secrets · med
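As an added example (not part of this profile or of LOLBAS), the scorer below applies the anomaly signals above, plus the alternate-data-stream redirect that the LOLBAS entries use, to constructed process-creation events (image path, command line, parent image). The set of "familiar" parents and the Office/script-host list are assumptions to tune per environment; if findstr is launched via cmd.exe /c, the `>` redirect lives in cmd's own command line, so feed that text.

```python
"""Score findstr.exe process-creation events against this page's anomaly signals.
Added example; all sample events are constructed, not observed telemetry."""
import re
from typing import List, Tuple

# Windows paths are case-insensitive, so every comparison lowercases or uses re.I.
EXPECTED_IMAGE = r"c:\windows\system32\findstr.exe"
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")                   # \\host\share...
ADS_REDIRECT = re.compile(r">\s*[A-Za-z]:\\\S*?:[^\\\s:]+\s*$")     # > C:\dir\file.txt:stream
CRED_TERMS = re.compile(r"pass(word|wd)|credential", re.I)         # also matches "cpassword"
RECURSIVE = re.compile(r"(^|\s)/s(\s|$)", re.I)                     # findstr /S switch
SENSITIVE_DIRS = re.compile(r"\\users\\|\\config\b|\.(xml|ini|config|conf)\b", re.I)
# Assumption: these parents are routine for findstr; anything else counts as unfamiliar.
FAMILIAR_PARENTS = re.compile(r"\\(cmd|powershell|pwsh|explorer)\.exe$", re.I)
OFFICE_OR_SCRIPT = re.compile(
    r"\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta)\.exe$", re.I)


def score_findstr_event(image: str, command_line: str,
                        parent_image: str) -> List[Tuple[str, str]]:
    """Return (signal, severity) pairs for one event; [] means nothing anomalous."""
    hits: List[Tuple[str, str]] = []
    if image.lower() != EXPECTED_IMAGE:
        hits.append(("image path outside System32", "high"))
    if UNC_PATH.search(command_line):
        hits.append(("reads a file across a UNC path", "high"))
    if ADS_REDIRECT.search(command_line):
        hits.append(("output redirected into an alternate data stream", "high"))
    if CRED_TERMS.search(command_line):
        hits.append(("searches for credential keywords", "med"))
    if not FAMILIAR_PARENTS.search(parent_image):
        kind = ("Office app or script host" if OFFICE_OR_SCRIPT.search(parent_image)
                else "unfamiliar process")
        hits.append((f"parent is an {kind}", "med"))
    if RECURSIVE.search(command_line) and SENSITIVE_DIRS.search(command_line):
        hits.append(("recursive search across profiles or config directories", "med"))
    return hits


if __name__ == "__main__":
    # Constructed event modelled on the LOLBAS cpassword entry above.
    for hit in score_findstr_event(r"C:\Windows\System32\findstr.exe",
                                   r"findstr /S /I cpassword \\sysvol\policies\*.xml",
                                   r"C:\Windows\System32\cmd.exe"):
        print(hit)
```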

Telemetry

OS prevalence (0)

Not observed.

Observation timeline

Not observed.
