Find-InterestingFile - Empire Module

This page contains detailed information about how to use the powershell/collection/find_interesting_file Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Find-InterestingFile
Module: powershell/collection/find_interesting_file
Source code [1]: empire/server/modules/powershell/collection/find_interesting_file.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/powerview.ps1
MITRE ATT&CK: T1083
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes

The find_interesting_file module finds sensitive files on the domain.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the find_interesting_file module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the find_interesting_file module:

Agent
Agent to run module on.

Path
UNC/local path to recursively search.

Additional Module Options

---

This is a list of additional options that are supported by the find_interesting_file module:

CheckWriteAccess
Switch. Only returns files the current user has write access to.

CreationTime
Only return files with a CreationDate greater than this date value.

ExcludeHidden
Switch. Exclude hidden files and folders from the search results.

FreshEXES
Switch. Find .EXEs accessed in the last week.

LastAccessTime
Only return files with a LastAccessTime greater than this date value.

OfficeDocs
Switch. Return only office documents.

OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.

Terms
Comma-separated terms to search for (overrides defaults).

Find_interesting_file Example Usage

---

Here's an example of how to use the find_interesting_file module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/collection/find_interesting_file

 Author       @harmj0y                                                       
 Background   True                                                           
 Comments     https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/ 
 Description  Finds sensitive files on the domain.                           
 Language     powershell                                                     
 Name         powershell/collection/find_interesting_file                    
 NeedsAdmin   False                                                          
 OpsecSafe    True                                                           
 Techniques   http://attack.mitre.org/techniques/T1083                       


,Record Options----,------------,----------,-------------------------------------,
| Name             | Value      | Required | Description                         |
|------------------|------------|----------|-------------------------------------|
| Agent            |            | True     | Agent to run module on.             |
|------------------|------------|----------|-------------------------------------|
| CheckWriteAccess |            | False    | Switch. Only returns files the      |
|                  |            |          | current user has write access to.   |
|------------------|------------|----------|-------------------------------------|
| CreationTime     |            | False    | Only return files with a            |
|                  |            |          | CreationDate greater than this date |
|                  |            |          | value.                              |
|------------------|------------|----------|-------------------------------------|
| ExcludeHidden    |            | False    | Switch. Exclude hidden files and    |
|                  |            |          | folders from the search results.    |
|------------------|------------|----------|-------------------------------------|
| FreshEXES        |            | False    | Switch. Find .EXEs accessed in the  |
|                  |            |          | last week.                          |
|------------------|------------|----------|-------------------------------------|
| LastAccessTime   |            | False    | Only return files with a            |
|                  |            |          | LastAccessTime greater than this    |
|                  |            |          | date value.                         |
|------------------|------------|----------|-------------------------------------|
| OfficeDocs       |            | False    | Switch. Return only office          |
|                  |            |          | documents.                          |
|------------------|------------|----------|-------------------------------------|
| OutputFunction   | Out-String | False    | PowerShell's output function to use |
|                  |            |          | ("Out-String", "ConvertTo-Json",    |
|                  |            |          | "ConvertTo-Csv", "ConvertTo-Html",  |
|                  |            |          | "ConvertTo-Xml").                   |
|------------------|------------|----------|-------------------------------------|
| Path             |            | True     | UNC/local path to recursively       |
|                  |            |          | search.                             |
|------------------|------------|----------|-------------------------------------|
| Terms            |            | False    | Comma-separated terms to search for |
|                  |            |          | (overrides defaults).               |
'------------------'------------'----------'-------------------------------------'

(Empire: usemodule/powershell/collection/find_interesting_file) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/collection/find_interesting_file) > set Path some\path
[*] Set Path to some\path
(Empire: usemodule/powershell/collection/find_interesting_file) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @harmj0y

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/collection/find_interesting_file.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/network/powerview.ps1
• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
• http://attack.mitre.org/techniques/T1083

See Also

---

Check also the following modules related to this module:

• powershell/recon/find_fruit
• powershell/situational_awareness/network/powerview/find_foreign_user
• powershell/situational_awareness/network/powerview/find_gpo_computer_admin
• powershell/situational_awareness/network/powerview/find_localadmin_access
• powershell/situational_awareness/network/powerview/find_foreign_group
• powershell/situational_awareness/network/powerview/find_gpo_location
• powershell/situational_awareness/network/powerview/find_managed_security_group
• powershell/privesc/powerup/find_dllhijack
• powershell/collection/vaults/find_keepass_config
• python/situational_awareness/network/find_fruit
• powershell/situational_awareness/network/powerview/share_finder
• powershell/situational_awareness/host/findtrusteddocuments
• powershell/collection/file_finder
• python/situational_awareness/network/active_directory/get_fileservers
• python/privesc/osx/dyld_print_to_file
• powershell/situational_awareness/network/powerview/get_fileserver
• python/persistence/multi/desktopfile

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.