Fixlet for searching files

I tried two methods

  1. Append file

appendfile "{concatenation "%0d%0a" of pathnames of descendants whose (name of it as lowercase starts with "pass.") of folders "" of drives whose (type of it="DRIVE_FIXED") & "%0d%0a"}"

  2. create file
    createfile until _end

I need just the results of the
{pathnames of descendants whose (name of it as lowercase starts with "password.") of folders "" of drives whose (type of it="DRIVE_FIXED")}
I'm not getting the result. What am I missing?

Relevance is a BAD way to do this.

It stems from how the client operates. 10ms of activity and 480ms of sleep.

I’m not clear on exactly what you are trying to do, but a better way might be to use a task to generate a list of all the files on the target, then you can use relevance to search the file.

I’ve done similar things in the past while looking for some potential infection indications.

Tim

We have a requirement to search for files starting with password, pwd, passwd etc. Looking for the best way to achieve it.

Thanks

Something like this

action script
delete __appendfile
delete "{pathname of parent folder of regapp "BESClient.exe"}\find.txt"
appendfile "Search for password"
appendfile "{concatenation "%0d%0a" of pathnames of descendants whose (name of it as lowercase starts with "password.") of folders "" of drives whose (type of it="DRIVE_FIXED") & "%0d%0a"}"
appendfile "Search for passwords"
appendfile "{concatenation "%0d%0a" of pathnames of descendants whose (name of it as lowercase starts with "passwords.") of folders "" of drives whose (type of it="DRIVE_FIXED") & "%0d%0a"}"
copy __appendfile "{pathname of parent folder of regapp "BESClient.exe"}\find.txt"

The key is to not perform this search using Relevance as that’s throttled by the client. Here’s an example to create a batch file and use the native DOS commands to do it -

action uses wow64 redirection false
delete __appendfile
appendfile {concatenation "%0d%0a" of ("dir %22" & item 1 of it & "\" & item 0 of it & "%22 /s /b >> c:\listing.txt") of (("password*";"pwd*";"passwd*"), pathnames of folders "\" of drives whose (type of it="DRIVE_FIXED") ) }
delete find_files.cmd
move __appendfile find_files.cmd
delete c:\listing.txt
waithidden cmd /c find_files.cmd

When finished, the results should be in c:\listing.txt which you can read with an analysis or other tools.
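One way to read the resulting listing with "other tools", as an added example that is not part of the original thread: a Python function that takes the lines of c:\listing.txt (full paths, one per line, as `dir /s /b` writes them), de-duplicates them with Windows path rules, and groups them by the prefix the file name starts with. The function name `triage_listing`, the prefix tuple and the sample paths are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Prefixes from the thread's requirement ("password, pwd, passwd etc.").
PREFIXES = ("password", "passwd", "pwd")

# Constructed sample of `dir /s /b` output; not real findings.
SAMPLE = [
    r"C:\Users\alice\Desktop\Passwords.xlsx",
    r"C:\\Users\alice\Desktop\passwords.xlsx",  # same file: other case, doubled separator
    r"D:\share\pwd_reset_notes.txt",
    r"C:\inetpub\passwd.bak",
    "File Not Found",                            # constructed noise line
    "",
]

def triage_listing(lines, prefixes=PREFIXES):
    """Group listing lines by the prefix their final path component starts with.

    Returns {prefix: [original paths]}. Paths are compared case-insensitively
    after normalisation, and lines matching no prefix are dropped.
    """
    # Longest prefix first, so overlapping prefixes resolve to the most specific.
    ordered = sorted((p.lower() for p in prefixes), key=len, reverse=True)
    seen = set()
    hits = defaultdict(list)
    for raw in lines:
        path = raw.strip().strip('"')
        if not path:
            continue
        # ntpath applies Windows rules on any OS: collapse separators, fold case.
        key = ntpath.normcase(ntpath.normpath(path))
        if key in seen:
            continue
        seen.add(key)
        name = ntpath.basename(key)
        for prefix in ordered:
            if name.startswith(prefix):
                hits[prefix].append(path)
                break
    return dict(hits)

if __name__ == "__main__":
    for prefix, paths in sorted(triage_listing(SAMPLE).items()):
        print(f"{prefix}: {len(paths)} hit(s)")
        for p in paths:
            print("   ", p)
```

The listing alone does not say whether an entry is a file or a folder, since `dir` wildcards match both, so each hit still needs a check on the endpoint.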