Scanning for certain types of files across 10K computers  

Data_Connected
(@data_connected)
New Member

Hi, would anyone know what would be the best method to search for certain kinds of files across a large number of computers (say 10K)?

Posted : 03/11/2020 4:51 pm
Mister4n6
(@mister4n6)
New Member

Hi - a lot of variables here.

Do the large number of computers already have an agent running and feeding into a central place?

Have you taken a look at or POC'd any tools such as https://github.com/google/grr ?

Are you seeking a tool to do FIM and then pull a forensic file from all machines at once, i.e. push, pull, delete, also remote wipe?

Posted : 04/11/2020 2:15 pm
Data_Connected
(@data_connected)
New Member

@mister4n6 thank you so much for your response! Nope, there isn't any agent installed yet. The idea is to search for certain file names and types on the users' computers, just to identify which users have that kind of file.

Ideally we'd get maybe only the metadata from all the users' computers and ingest it into a central location so the search can be done. I'm hoping to see if anyone knows of such a tool?

Posted : 04/11/2020 3:29 pm
Bunnysniper
(@bunnysniper)
Active Member

How do you identify the file? By its name, hash or strings inside?
And you are talking about Windows, yes? Which versions?


regards, Robin

Posted : 04/11/2020 3:59 pm
Mister4n6
(@mister4n6)
New Member

Hi - @data_connected

Sounds like the solution here could be a SIEM. I say this because you want/require a central repository to _search_ for answers.

Whatever platform these, say, 10k hosts are running, their OS, system and security logs will need to be centralized, and for files an EDR solution with FIM, to then pose questions like:

"Which Win10 x64 hosts across the (say about :P) 10k fleet have a spam.zip in their \Downloads dir?"

"Which host across the 10k fleet is running gdm3 on Ubuntu 20.10?"

This reminds me when I got speaking to someone from Tanium and they explained a bunch of things along the lines of this.

Since the 4th, have you solved this problem or come up with ideas you would be open to sharing here?

Posted : 13/11/2020 12:35 am
pbobby
(@pbobby)
Active Member

For that many computers I would hope there is an IT department that manages that population of endpoints. If so, I would check with them to see what capabilities they might have.

Posted : 16/11/2020 3:59 pm
C.R.S.
(@c-r-s)
Active Member

I once did that with a few lines of PowerShell, deployed via GPO. It depends on how you want to search and the environmental and task-specific requirements, obviously.

Posted : 21/11/2020 11:58 pm
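The OP wants only metadata about matching files pulled from every workstation into one place, and C.R.S. describes doing exactly that with a few lines of PowerShell pushed by GPO. The script below is an added example of that approach written for this page; it is not code from the thread, from GRR, ISEEK, Tanium or any other tool mentioned. It is meant to run as a GPO computer startup script or a scheduled task under SYSTEM, records metadata only (path, size, timestamps, owner, optional SHA-256) for files whose extension or name matches a watch list, and drops one CSV per host on a central share. The share path `\\fileserver\scan-results$`, the watch lists and the local staging folder are hypothetical placeholders; the share must grant the `DOMAIN\<host>$` computer accounts Modify rights, because under GPO the machine account, not a user, does the write.

```powershell
<#
  Added example: per-host file-of-interest collector for GPO deployment.
  Assumptions (hypothetical, adjust for your environment):
    - \\fileserver\scan-results$ exists and computer accounts can write to it.
    - Windows PowerShell 4+ (Get-FileHash does not exist on PowerShell 2.0).
#>
[CmdletBinding()]
param(
    [string]   $OutputShare  = '\\fileserver\scan-results$',
    [string[]] $Extensions   = @('.pst', '.ost', '.kdbx', '.ppk', '.pfx'),
    [string[]] $NamePatterns = @('password*', 'passw*.txt', '*.bak'),
    [long]     $MaxHashBytes = 50MB     # hash only small files to bound runtime
)

$hostName = $env:COMPUTERNAME
$scanTime = (Get-Date).ToUniversalTime().ToString('o')

# True if the file matches by extension (case-insensitive) or by name wildcard.
function Test-FileOfInterest {
    param([System.IO.FileInfo] $File)
    if ($Extensions -contains $File.Extension.ToLowerInvariant()) { return $true }
    foreach ($pattern in $NamePatterns) {
        if ($File.Name -like $pattern) { return $true }
    }
    return $false
}

# Only real user profiles are searched; system and template profiles are skipped.
$skipProfiles = @('Public', 'Default', 'Default User', 'All Users')
$profileRoots = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    Where-Object { $skipProfiles -notcontains $_.Name }

$results = foreach ($userProfile in $profileRoots) {
    # -Force includes hidden files; access-denied errors are dropped, not fatal.
    Get-ChildItem -LiteralPath $userProfile.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-FileOfInterest -File $_ } |
        ForEach-Object {
            $sha256 = ''
            if ($_.Length -le $MaxHashBytes) {
                try   { $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
                catch { $sha256 = 'ERROR' }   # locked or unreadable file; keep the row anyway
            }
            $owner = ''
            try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { }

            [pscustomobject]@{
                Host         = $hostName
                ScanTimeUtc  = $scanTime
                Profile      = $userProfile.Name
                Path         = $_.FullName
                Extension    = $_.Extension.ToLowerInvariant()
                SizeBytes    = $_.Length
                CreatedUtc   = $_.CreationTimeUtc.ToString('o')
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                Owner        = $owner
                Sha256       = $sha256
            }
        }
}

# Write locally first, then copy, so a dropped network link never leaves a
# half-written CSV on the share.
$localDir  = Join-Path $env:ProgramData 'FileScan'      # hypothetical staging folder
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
$localCsv  = Join-Path $localDir "$hostName.csv"
$statusCsv = Join-Path $localDir "$hostName.status.csv"

$count = @($results).Count
if ($count -gt 0) {
    $results | Export-Csv -LiteralPath $localCsv -NoTypeInformation -Encoding UTF8
}
# One status row per host lets the central side tell "scanned, no matches"
# apart from "never reported".
[pscustomobject]@{
    Host = $hostName; ScanTimeUtc = $scanTime; Matches = $count; Profiles = @($profileRoots).Count
} | Export-Csv -LiteralPath $statusCsv -NoTypeInformation -Encoding UTF8

if (Test-Path -LiteralPath $OutputShare) {
    if ($count -gt 0) { Copy-Item -LiteralPath $localCsv -Destination $OutputShare -Force }
    Copy-Item -LiteralPath $statusCsv -Destination $OutputShare -Force
} else {
    Write-Warning "Share $OutputShare unreachable; results left in $localDir for the next run."
}
```

On the collecting side the search is then a one-liner over the share, e.g. `Import-Csv (Get-ChildItem '\\fileserver\scan-results$\*.csv' -Exclude '*.status.csv') | Where-Object Extension -eq '.kdbx' | Select-Object Host, Profile, Path, Owner`, and the `.status.csv` files show which of the 10K hosts have actually reported. Two caveats a practitioner would want: a recursive walk of every profile is I/O-heavy, so prefer a scheduled task at idle over a logon-blocking startup script, and the results share now holds file names and owners from every workstation, so restrict read access to the people doing the search.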
RichardAdamsPhD
(@richardadamsphd)
New Member

Hi, I may be somewhat biased as I have been helping to develop such a tool for several years 😀 

Have a look at ISEEK on xtremeforensics.com

It doesn't need installation and will generate a report of the results in a CSV if that is all you want.

Regards, Richard

Posted : 24/11/2020 4:56 am
Bunnysniper
(@bunnysniper)
Active Member
Posted by: @mister4n6

Hi - @data_connected

Sounds like the solution here could be a SIEM. I say this because you want/require a central repository to _search_ for answers.

Whatever platform these, say, 10k hosts are running, their OS, system and security logs will need to be centralized, and for files an EDR solution with FIM, to then pose questions like:


No, no and no. A SIEM is not a digital shithole! A SIEM stores and correlates security incidents and events, not all file names or metadata from workstations within the company. Exactly this is one of the many reasons why so many SOCs and the SIEMs they use are failing.

The question was related to an enterprise-wide search for "certain kinds of files", and the possible answers could potentially be an asset management / inventory system or, as C.R.S. said, a simple script in PowerShell.

EDR and SIEM are technologies and solutions for completely different scenarios and use cases.

regards, Robin

Posted : 24/11/2020 2:15 pm