Scanning for certain types of files across 10K computers

(@data_connected)
Posts: 2
New Member
Topic starter
 

Hi, would anyone know what will be the best method to search for certain kind of files across large amount of computers (say like 10K)? 

 
Posted : 03/11/2020 4:51 pm
(@mister4n6)
Posts: 12
Active Member
 

Hi - a lot of variables here.

Does the large amount of computers have an agent already running and feeding into a central place?

Have you taken a look at or POC'd any tools such as https://github.com/google/grr ?

Are you seeking a tool to FIM and then pull a forensic file from all machines at once, i.e. push, pull, delete, also remote wipe?

 

 
Posted : 04/11/2020 2:15 pm
(@data_connected)
Posts: 2
New Member
Topic starter
 

@mister4n6 thank you so much for your response! Nope.. there isn't any agent installed yet. The idea is to search for certain file names and types on the users' computers. Just to identify which users have that kind of files.

Ideally I'd get maybe only the metadata from all the users' computers and ingest it in a central location so the search can be done. I'm hoping to see if anyone knows of such a tool?

 
Posted : 04/11/2020 3:29 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

How to identify the file? Because of its name, hash or strings inside?
And you are talking about Windows, yes? Which versions?

 

regards, Robin

 
Posted : 04/11/2020 3:59 pm
(@mister4n6)
Posts: 12
Active Member
 

Hi - @data_connected

Sounds like the solution here could be a SIEM. I say this because you want/require a central repository to _search_ for answers.

Whatever platform these say like 10k hosts are running, their OS, system, security logs will need to be centralized, and for files an EDR solution w/ FIM to then pose questions like:

"Which Win10x64 hosts across the (say about :P) 10k fleet have a spam.zip in their \Downloads dir?"

"Which host across the 10k fleet is running gdm3 on Ubuntu 20.10?"

This reminds me when I got speaking to someone from Tanium and they explained a bunch of things along the lines of this.

Since the 4th, have you solved this problem or come up with ideas you would be open to sharing here?

Posted : 13/11/2020 12:35 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

For that many computers I would hope there is an IT department that manages that population of endpoints. If so, I would check with them to see what capabilities they might have.

 
Posted : 16/11/2020 3:59 pm
(@c-r-s)
Posts: 170
Estimable Member
 

I once did that with a few lines of PowerShell, deployed via GPO. It depends on how you want to search and the environmental and task-specific requirements, obviously.

 
Posted : 21/11/2020 11:58 pm
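The "few lines of PowerShell" approach mentioned above, as an added example (this is not the poster's script): a GPO startup-script-style collector that records only metadata for files matching a name/type list and writes one CSV per host to a central share. The share path, the patterns and the scan roots are placeholders, and the computer accounts are assumed to have write access to the share.

```powershell
# Added example, not code from the thread: metadata-only collector for matching files.
# Assumptions: $OutputShare is a central share hosts can write to, $Patterns and $Roots are
# constructed placeholders to be replaced with the real search criteria.
param(
    [string]$OutputShare = '\\FILESERVER\collect$',                  # assumed central share
    [string[]]$Patterns  = @('*.pst', '*.kdbx', 'customers*.xlsx'),  # constructed example patterns
    [string[]]$Roots     = @('C:\Users')                             # assumed scan roots
)

$ErrorActionPreference = 'SilentlyContinue'
$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMddTHHmmss'
$outFile  = Join-Path $OutputShare ("{0}_{1}.csv" -f $hostName, $stamp)

$rows = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Include filters on the leaf name when combined with -Recurse; -Force also lists hidden files.
    Get-ChildItem -Path $root -Recurse -Force -File -Include $Patterns |
        ForEach-Object {
            # Metadata only: no file content leaves the host. The SHA-256 lets the central
            # search de-duplicate copies of the same file across users and hosts.
            [pscustomobject]@{
                Host          = $hostName
                Collected     = $stamp
                FullName      = $_.FullName
                Extension     = $_.Extension
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
                Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($rows) {
    $rows | Export-Csv -LiteralPath $outFile -NoTypeInformation -Encoding UTF8
} else {
    # Empty marker file so central reporting can tell "no matches" from "host never ran the script".
    New-Item -Path "$outFile.empty" -ItemType File -Force | Out-Null
}
```

The per-host CSVs can then be concatenated on the share and queried centrally, which is the metadata-only ingestion the topic starter described.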
(@richardadamsphd)
Posts: 1
New Member
 

Hi, I may be somewhat biased as I have been helping to develop such a tool for several years 😀 

Have a look at ISEEK on xtremeforensics.com

It doesn't need installation and will generate a report of the results in a csv if that is all you want.

Regards, Richard

 
Posted : 24/11/2020 4:56 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 
Posted by: @mister4n6

Hi - @data_connected

Sounds like the solution here could be a SIEM. I say this because you want/require a central repository to _search_ for answers.

Whatever platform these say like 10k hosts are running, their OS, system, security logs will need to be centralized, and for files an EDR solution w/ FIM to then pose questions like:

 

No, no and no. A SIEM is not a digital shithole! A SIEM stores and correlates Security Incidents and Events, not all file names or metadata from workstations within the company. Exactly this is one of the many reasons why so many SOC and their SIEM in use are failing.

The question was related to an enterprise-wide search of "certain kind of files" and the possible answers could potentially be an asset management/inventory system or, as C.R.S said, a simple script in PowerShell.

EDR and SIEM are technologies and solutions for completely different scenarios and use cases.

regards, Robin

Posted : 24/11/2020 2:15 pm