MStrings

mStrings extracts strings from files and classifies them using regular expressions, YARA rules, and MITRE ATT&CK mappings. It highlights potential indicators of compromise and suspicious behavior, grouping matches by tactic and technique. Ideal for quickly surfacing malicious capabilities in binaries, scripts, and documents.

A MITRE Technique Lookup bar is available at the top of the GUI panel when mStrings is selected. You can paste a MITRE technique ID (e.g., T1055.001) into the field and click "Lookup" to open the corresponding page on attack.mitre.org. This is especially useful when reviewing detections with MITRE tags and needing additional context.

Figure 5.10: MStrings


🔧 CLI Syntax

# Example 1: Scan a file
cargo run -p mstrings -- /path_to_file/

# Example 2: Save output as .txt
cargo run -p mstrings -- /path_to_file/ -o -t

# Example 3: Save output to a case folder
cargo run -p mstrings -- /path_to_file/ -o -t --case CaseXYZ

Use -o to save output and include one of the following format flags:

- -t → Save as .txt
- -j → Save as .json
- -m → Save as .md

If no file is provided, the tool will prompt you to enter the path interactively.

When --case is used, output is saved to:

saved_output/cases/CaseXYZ/mstrings/

Otherwise, results are saved to:

saved_output/mstrings/

The MITRE Lookup feature is only available in the GUI version of mStrings.
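
A command-line stand-in for that lookup, as an added example that is not part of mStrings: it pulls the unique technique IDs out of saved report text and prints the matching attack.mitre.org page for each. The function names and the sample lines are constructed for illustration, and it assumes technique IDs appear in the saved output as T#### or T####.###.

```shell
#!/bin/sh
# Added example (not part of mStrings): CLI-side stand-in for the GUI lookup.
# Assumption: saved reports show technique IDs as T#### or T####.###.

# technique_url ID: print the attack.mitre.org page, or return 1 if malformed.
technique_url() {
    case "$1" in
        T[0-9][0-9][0-9][0-9])
            printf 'https://attack.mitre.org/techniques/%s/\n' "$1" ;;
        T[0-9][0-9][0-9][0-9].[0-9][0-9][0-9])
            # Sub-technique: T1055.001 -> /techniques/T1055/001/
            printf 'https://attack.mitre.org/techniques/%s/%s/\n' "${1%.*}" "${1#*.}" ;;
        *)
            return 1 ;;
    esac
}

# report_techniques [FILE...]: unique technique IDs from files or stdin.
# -w keeps look-alikes such as "AT10551" from matching.
report_techniques() {
    grep -ohwE 'T[0-9]{4}(\.[0-9]{3})?' "$@" | LC_ALL=C sort -u
}

# report_urls [FILE...]: one "ID URL" line per unique technique.
report_urls() {
    report_techniques "$@" | while read -r id; do
        url=$(technique_url "$id") && printf '%s %s\n' "$id" "$url"
    done
}

# Constructed sample lines standing in for a saved report (not real tool output).
sample_report() {
    cat <<'EOF'
CreateRemoteThread   [T1055.001]
VirtualAllocEx       [T1055.001]
powershell -enc      (T1059.001)
schtasks /create     T1053.005
packed section names T1027
build tag AT10551 is not a technique
EOF
}

if [ "$#" -gt 0 ]; then
    report_urls "$@"
else
    sample_report | report_urls
fi
```

Pass one or more saved report files as arguments (for example, files under saved_output/mstrings/); with no arguments it runs on the constructed sample.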