When on an assessment, one of the steps that a red teamer, or pen tester, might take is to search for files containing sensitive data. The sensitive data could include credit cards, passwords, social security numbers, or more. There are numerous locations to search for files, including:
- Searching for network shares
- Looking in a user’s Downloads directory
- Looking at a user’s Desktop
- …anywhere on a computer
Rather than manually searching for files, there may be an easier method. You can use CIM classes to search your local system, or a remote system, for the file you are looking for. The easiest way to search for a file of value is to use the CIM_DataFile class. With CIM_DataFile you can specify a file name or a file extension to search for, and you can use wildcards to broaden the results you receive.
To search for a file, you will need to create a filter for the file(s) that you are searching for. The filter should specify the drive that you are searching and also include a filename or extension. So, let’s create a sample filter.
On a lab system, I downloaded WMImplant.ps1 to the desktop. Downloading to this system’s desktop means it will be on the C:\ drive (there are no additional drives connected to this system, but that would not affect the filter we are crafting). If I wanted to search the target system’s C:\ drive for the file wmimplant, I would create the following filter:
$filefilter = "Filename = 'wmimplant' AND Drive='C:'"
The complete command might look similar to the image below.
As shown in the above image, wmimplant.ps1 is located on the desktop of the “User” account, specifically at the path “C:\Users\User\Desktop\wmimplant.ps1”. However, you can also notice a shortcut to WMImplant located at “C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\WMImplant.lnk”. If you are dropping files on a system, this same search capability can help identify artifacts of the files you are leaving behind on each system.
The next question might be: what if you want to search for a specific file extension? There are multiple extensions you might be interested in, such as .sql, .stdid, potentially .ps1, etc. You can create a very similar filter that searches for the file extensions you are interested in. It might look similar to the image below.
To search a remote system, all that is needed is to specify the -ComputerName parameter on the Get-WMIObject cmdlet. If you are not currently running in the context of a user account that has local admin rights on the targeted system, you can supply a PSCredential object to Get-WMIObject via the -Credential parameter.
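As an added example (not code from the FortyNorth post), here is a PowerShell function that builds the CIM_DataFile filter described above from a drive, a file name and/or a list of extensions, and runs it either locally or, with -ComputerName and -Credential, against a remote host. The function name, the LABHOST01 host name and the sample extensions are assumptions.

```powershell
# Added example, not from the original post. Builds a WQL filter for
# CIM_DataFile and runs it with Get-WmiObject, locally or remotely.
function Find-CimDataFile {
    [CmdletBinding()]
    param(
        [string]$Drive = 'C:',                 # WQL Drive value keeps the colon
        [string]$FileName,                     # base name, no extension; % is the LIKE wildcard
        [string[]]$Extension,                  # extensions without the dot, e.g. 'sql','ps1'
        [string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    # A filter with only Drive walks the whole volume; require a narrowing term.
    if (-not $FileName -and -not $Extension) {
        throw 'Specify -FileName and/or -Extension so the query does not enumerate the whole drive.'
    }

    $clauses = @("Drive='$Drive'")
    if ($FileName) { $clauses += "FileName LIKE '$FileName'" }
    if ($Extension) {
        $ext = ($Extension | ForEach-Object { "Extension='$_'" }) -join ' OR '
        $clauses += "($ext)"
    }
    $filter = $clauses -join ' AND '
    Write-Verbose "WQL filter: $filter"

    $params = @{ Class = 'CIM_DataFile'; Filter = $filter }
    if ($ComputerName) { $params['ComputerName'] = $ComputerName }
    if ($Credential)   { $params['Credential']   = $Credential }   # only valid with -ComputerName

    # Name is the full path; __SERVER records which host answered.
    Get-WmiObject @params |
        Select-Object Name, FileSize, LastModified, @{ n = 'Host'; e = { $_.__SERVER } }
}

# Local run matching the post's own search for wmimplant on C:
Find-CimDataFile -Drive 'C:' -FileName 'wmimplant' -Verbose

# Remote run with explicit credentials (LABHOST01 is a placeholder host name):
$cred = Get-Credential
Find-CimDataFile -ComputerName 'LABHOST01' -Credential $cred -Extension 'sql', 'ps1'
```

On PowerShell 6 and later, Get-WmiObject is not available; the same Class and Filter values work with Get-CimInstance, with remoting done through a CIM session instead of -ComputerName/-Credential.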
I hope this helps to document a means to search for interesting files on any system. If you have any questions, don’t hesitate to contact us at FortyNorth Security.