How to find unwanted files on workstations - SANS Internet Storm Center

How to find unwanted files on workstations
A few weeks ago I was asked to check every single workstation in the organisation for unwanted files. The types of files I was asked to look for were media files such as music and video, but also torrent files. The main objective was to identify breaches of policy and to allow removal of the unwanted files from the network. I will take you through what I did, which achieved the main objective relatively painlessly. Undoubtedly there better methods than what I'm about to describe and in fact I'm kind of counting on it, so feel free to share how you deal with the challenge. In the mean time this is what I ended up doing. I obviously didn't really want to visit every machine in the organisation and search the hard drive. Junior has been good lately, so sending him wasn't an option either. The first challenge was to identify the machines currently on the network. Being a windows environment, I considered using dsquery to grab the machine names from AD, but that didn't really work out nicely as the company has computers in all different kinds of OUs. WMIC also had similar limitations and Powershell, well let's just say I'm no Ed, Hal or Tom. I chose the easy option and used nmap. Convenient in this environment as the workstations are quite separate from the servers on their own subnet. The following nmap command does a quick ping sweep and places the results in a grepable output file. nmap -sP <ip-range>/<mask> -oG <filename> The the grep output from nmap looks as follows : Host: aaa.bbb.ccc.20 (machine1.domain.com) Status: Up Host: aaa.bbb.ccc.45 (machine45.domain.com) Status: Up Host: aaa.bbb.ccc.62 (machine62.domain.com) Status: Up … snip ... Host: aaa.bbb.ccc.100 (print01.domain.com) Status: Up Host: aaa.bbb.ccc.101 (print02.domain.com) Status: Up Host: aaa.bbb.ccc.102 (machine102.domain.com) Status: Up Host: aaa.bbb.ccc.115 (machine115.domain.com) Status: Up Host: aaa.bbb.ccc.150 (switch01.domain.com) Status: Up … snip ... From the list I culled those devices that I was not interested in, e.g. the printers and the switch, before building the commands and creating the batch file. To do the heavy lifting I used psexec from sysinternals, which allowed me to examine all the machines from one central machine. To create the command and resulting batch file I edited the output file from the nmap. find and replace Host: with PsExec.exe find and replace ( with -w C:\ cmd.exe /c "dir .mp3 .avi .mkv .mov torrent /s /b " > audit- find and replace domain.com with .txt find and replace ) Status: Up with <blank> (i.e. clear it out) What you end up with should look something like this for each of the entries in the nmap output file. PsExec.exe aaa.bbb.ccc.45 -w C:\ cmd.exe /c "dir .mp3 .avi .mkv .mov torrent /s /b " > audit-machine45.txt Save the file as a .bat file extension, make sure psexec is in the path of the user who will be running the batch file. What will it do? The command runs PsExec on the IP address, issues the command dir for those extensions listed and outputs the info in a local file called audit-<machinename>.txt. Because we are using a standard dir command you can easily look for any kind of file you like, or partial file names. Each of the output files will look something like this C:\Documents and Settings\jdoe\ Desktop\MUSAK\The Police\Greatest Hits\11 - The Police - Spirits In The Material World - Greatest H.mp3 Desktop\MUSAK\The Police\Greatest Hits\12 - The Police - Synchronicity II - Greatest Hits_120113005.mp3 Desktop\MUSAK\The Police\Greatest Hits\13 - The Police - Every Breath You Take - Greatest Hits_1201.mp3 Desktop\MUSAK\The Police\Greatest Hits\14 - The Police - King Of Pain - Greatest Hits_1201130115.mp3 Local Settings\Temporary Internet Files\Content.IE5\HKNBKI0L\novotelrestc[1].mov My Documents\private\vids\SouthPark DVDiv\X 809-814\813 - Cartman's Incredible Gift-AERiAL_mrtwig.net.avi Someone will need to inspect each of the result files and check to see if the materials are permitted to remain on corporate machines or whether they should be removed. Sometimes the owner wil not be obvious and you might need to examine the machine a little bit closer to determine the owner of the files. Once unwanted files have been identified I usually send the person a policy reminder and a request to have the materials removed. Second/third/nth offences however are passed on to the appropriate area to deal with. To give you an idea of the effort involved for a site of 400 plus machines (about 325 up when checking). Running the nmap - 15 minutes, Culling undesirable devices and doing the find and replace commands - 15 minutes. Running the batch file - 2 hrs. Checking the results - 1 hour, Sending the emails - 30 minutes (will obviously depend on how much you find I ended up sending 15). All in all a reasonably straight forward process and easily adapted to different file types, or file names. There are some limitations. The user running the psexec command must have privileges in the environment and the machines being checked should be part of the domain. Although you can pass alternate userid and passwords to the command if you want to. You will leave a user profile directory behind on the machine being checked. Only those machines accessible when the batch file is run will be checked, but you could make this part of a login process and write the results file to a network location instead. Quick and dirty I know, but does the job. How do you find files on your network, including workstations, that should probably not be there? Cheers Mark - Shearwater PS the diary editor seems to strip slashes so if it looks like there should be a backslash, you are probably right.	Mark 392 Posts ISC Handler Aug 15th 2011
Thread locked Subscribe	Aug 15th 2011 1 decade ago
Well, first off, I have not needed to do such a thing. Second, my network is considerably smaller. But... I do run complete system backups over the network every night to a disk array, so I can just search the array, essentially at my leisure, and get the answers. Furthermore, I can also answer the question whether a given file was present on a given machine on a particular night, and produce its contents -- even it it has since been deleted from that machine. Of course, there is a price: my method does all the work on a single machine, and a task such as this is mainly limited by disk thruput, so I will not get answers as quickly, but I do have more flexibility in the kinds of questions I can answer.	Moriah 133 Posts
Quote	Aug 15th 2011 1 decade ago
You backup up all your workstations? Excellent, not many organisations do. A good reminder though, many backup products allow you to search for this kind of information. There are also a number of commercial products on the market that will go and collect the information for you. M	Mark 392 Posts ISC Handler
Quote	Aug 15th 2011 1 decade ago
We typically use something like SMS/SCCM to run reports. A previous organisation that I worked for used a logon script with AIDA32 to keep an updated audit of all machines.	AshD 2 Posts
Quote	Aug 15th 2011 1 decade ago
i assume you didn't publish there the real commands used by the script because there are a few key issues with that dir command: a) it only searches the current directory and any subdirectories below it (where "current" when used with psexec means user profile directory) b) will not look for removable media or other partitions. point (b) is especially important because often users will bring in removable media (e.g. dvds with ripped movies or flash drives/portable media players if you don't have access controls enabled for usbstor devices) Also, (b) is important when users are told to never save important data on the c: partition and instead are told to use another location for user data. This is my case too, i configure the machines i manage to keep the "desktop" and "my documents" folders on a different partition. This way i can have a few systems with the c: partition frozen (deep freeze) while others can be re-imaged when needed without affecting user data.	JustAMouse 12 Posts
Quote	Aug 15th 2011 1 decade ago
oops.. didn't notice the -w c: psexec parameter, this means it only searches on the entire c:\ but still it doesn't look for other drives.	JustAMouse 12 Posts
Quote	Aug 15th 2011 1 decade ago
@A. Looks like the diary editor strips the slash. You are right it will only search the one drive in this case. In this instance I was only interested in the C drive which is the configuration at this particular site. The SOE is fairly strict so users don't get the opportunity to move things to other partitions. Mydocuments and other directories are redirected to a network share. A separate process picks up the files on the network drives. This was purely to find those files people were attempting to "hide" files on their workstation.	Mark 392 Posts ISC Handler
Quote	Aug 15th 2011 1 decade ago
Ok, well if you are using nmap in ping mode: you may not detect any computer that has Windows Firewall enabled, which defaults to blocking ICMP echo. If you continuously utilize a monitoring tool such as ARPWatch on every LAN, you might want to use the IP address database from that tool as well as the nmap results.	Mysid 146 Posts
Quote	Aug 15th 2011 1 decade ago
i would use psloggedin when running the psexec directory search command so I can see who's workstation it is.	Mysid 2 Posts
Quote	Aug 15th 2011 1 decade ago
here's a sample command that i use to audit and delete: FOR /R "%USERPROFILE%\Desktop" %%i in (.xls .xlsx .xlsm .xltx .xltm .xlsb .xlam .doc .docx .docm .dotx .dotm .ppt .pptx .pptm .potx .potm .ppam .ppsx .ppsm .pdf .txt .log .rtf .csv .zip) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% 2>&1	Mysid 3 Posts
Quote	Aug 15th 2011 1 decade ago
it screwed up that command pretty bad when i posted it., here's another try: FOR /R "%USERPROFILE%\Desktop" %%i in (.xls .xlsx .xlsm .xltx .xltm .xlsb *.xlam) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si	Mysid 3 Posts
Quote	Aug 15th 2011 1 decade ago
I give up	Mysid 3 Posts
Quote	Aug 15th 2011 1 decade ago
# find /home \( -iname '.mp3' -o -iname '.avi' -o ... \) I wish...	Steven C. 171 Posts
Quote	Aug 15th 2011 1 decade ago
I imagine most here know this already, but it might be worth mentioning that psexec might transmit credentials in clear text. I am typically a bit more paranoid than the average bear, but this is especially troubling given that this use case will leverage a privileged. domain account. Obviously, someone abusing this would need to be suitably positioned inside your network already... A workaround is to first establish a connection to the remote system's IPC$ share in advance of psexec being launched. I will mention that I was not able to reproduce the clear-text in my lab if launched from a Windows 7 box connecting to a remote WinXP box, so perhaps some change in Windows 7 has resolved this clear text issue. However, using the latest psexec binary, from WinXP to WinXP still results in clear-text credentials.	Steven C. 1 Posts
Quote	Aug 15th 2011 1 decade ago
Yes, I back up all workstations every night. I have consulted at organizations that said to keep important stuff on a designated server instead of your workstation so it would get backed up, but all too frequently, the sysadms do not give you nearly enough storage on that server. Also, you never really know what is important until its not there anymore. Allowing users to use their workstations like the personal computers they were intended to be, and just backing up the world every night, seems so much safer to me. There are also obvious forensic advantages to such an approach.	Moriah 133 Posts
Quote	Aug 16th 2011 1 decade ago
I did this kind of search eons ago, using a similar fashion of batch files. In thoses days (surely it's still possible) there was a utility to list Active Directory content, one param was domain members, ie workstations. Using that command, I was getting a batch running with \\machinename\c$\...\*.mp3 etc	Moriah 17 Posts
Quote	Aug 16th 2011 1 decade ago
For the UNIX folk forced to work this issue... (from Steven's comment above) One option is to map a drive from the system with a privileged credential, then run the "find" command or a variant of it. The mount command to use: ---------------------------------------- mount -t smbfs -o username=mywindows_username,password=xxxxxxx,uid=xx,gid=xx,rw //fileservername/share_name /mountpoint_for_audit -Kevin	Kevin Shortt 85 Posts ISC Handler
Quote	Aug 17th 2011 1 decade ago

A few weeks ago I was asked to check every single workstation in the organisation for unwanted files. The types of files I was asked to look for were media files such as music and video, but also torrent files. The main objective was to identify breaches of policy and to allow removal of the unwanted files from the network. I will take you through what I did, which achieved the main objective relatively painlessly. Undoubtedly there better methods than what I'm about to describe and in fact I'm kind of counting on it, so feel free to share how you deal with the challenge. In the mean time this is what I ended up doing.

I obviously didn't really want to visit every machine in the organisation and search the hard drive. Junior has been good lately, so sending him wasn't an option either. The first challenge was to identify the machines currently on the network. Being a windows environment, I considered using dsquery to grab the machine names from AD, but that didn't really work out nicely as the company has computers in all different kinds of OUs. WMIC also had similar limitations and Powershell, well let's just say I'm no Ed, Hal or Tom. I chose the easy option and used nmap. Convenient in this environment as the workstations are quite separate from the servers on their own subnet. The following nmap command does a quick ping sweep and places the results in a grepable output file.

nmap -sP <ip-range>/<mask> -oG <filename>

The the grep output from nmap looks as follows :

Host: aaa.bbb.ccc.20 (machine1.domain.com)    Status: Up
Host: aaa.bbb.ccc.45 (machine45.domain.com)    Status: Up
Host: aaa.bbb.ccc.62 (machine62.domain.com)    Status: Up
… snip ...
Host: aaa.bbb.ccc.100 (print01.domain.com)    Status: Up
Host: aaa.bbb.ccc.101 (print02.domain.com)    Status: Up
Host: aaa.bbb.ccc.102 (machine102.domain.com)    Status: Up
Host: aaa.bbb.ccc.115 (machine115.domain.com)    Status: Up
Host: aaa.bbb.ccc.150 (switch01.domain.com)    Status: Up
… snip ...

From the list I culled those devices that I was not interested in, e.g. the printers and the switch, before building the commands and creating the batch file.

To do the heavy lifting I used psexec from sysinternals, which allowed me to examine all the machines from one central machine. To create the command and resulting batch file I edited the output file from the nmap.

find and replace Host:  with PsExec.exe

find and replace ( with -w  C:\ cmd.exe /c "dir *.mp3 *.avi *.mkv *.mov *torrent* /s /b " > audit-

```
find and replace domain.com with .txt
```

find and replace ) Status: Up with <blank> (i.e. clear it out)

What you end up with should look something like this for each of the entries in the nmap output file.

PsExec.exe aaa.bbb.ccc.45 -w  C:\ cmd.exe /c "dir *.mp3 *.avi *.mkv *.mov *torrent* 
     /s /b " > audit-machine45.txt

Save the file as a .bat file extension, make sure psexec is in the path of the user who will be running the batch file.

What will it do? The command runs PsExec on the IP address, issues the command dir for those extensions listed and outputs the info in a local file called audit-<machinename>.txt. Because we are using a standard dir command you can easily look for any kind of file you like, or partial file names.

Each of the output files will look something like this

C:\Documents and Settings\jdoe\

Desktop\MUSAK\The Police\Greatest Hits\11 - The Police - Spirits In The Material World - Greatest H.mp3
Desktop\MUSAK\The Police\Greatest Hits\12 - The Police - Synchronicity II - Greatest Hits_120113005.mp3
Desktop\MUSAK\The Police\Greatest Hits\13 - The Police - Every Breath You Take - Greatest Hits_1201.mp3
Desktop\MUSAK\The Police\Greatest Hits\14 - The Police - King Of Pain - Greatest Hits_1201130115.mp3
Local Settings\Temporary Internet Files\Content.IE5\HKNBKI0L\novotelrestc[1].mov
My Documents\private\vids\SouthPark DVDiv\X 809-814\813 - Cartman's Incredible Gift-AERiAL_mrtwig.net.avi

Someone will need to inspect each of the result files and check to see if the materials are permitted to remain on corporate machines or whether they should be removed. Sometimes the owner wil not be obvious and you might need to examine the machine a little bit closer to determine the owner of the files. Once unwanted files have been identified I usually send the person a policy reminder and a request to have the materials removed. Second/third/nth offences however are passed on to the appropriate area to deal with.

To give you an idea of the effort involved for a site of 400 plus machines (about 325 up when checking).

Running the nmap - 15 minutes,
Culling undesirable devices and doing the find and replace commands - 15 minutes.
Running the batch file - 2 hrs.
Checking the results - 1 hour,
Sending the emails - 30 minutes (will obviously depend on how much you find I ended up sending 15).

All in all a reasonably straight forward process and easily adapted to different file types, or file names.

There are some limitations. The user running the psexec command must have privileges in the environment and the machines being checked should be part of the domain. Although you can pass alternate userid and passwords to the command if you want to. You will leave a user profile directory behind on the machine being checked. Only those machines accessible when the batch file is run will be checked, but you could make this part of a login process and write the results file to a network location instead.

Quick and dirty I know, but does the job. How do you find files on your network, including workstations, that should probably not be there?

Cheers

Mark - Shearwater

PS the diary editor seems to strip slashes so if it looks like there should be a backslash, you are probably right.

Mark

392 Posts
ISC Handler

Aug 15th 2011

Well, first off, I have not needed to do such a thing. Second, my network is considerably smaller. But... I do run complete system backups over the network every night to a disk array, so I can just search the array, essentially at my leisure, and get the answers. Furthermore, I can also answer the question whether a given file was present on a given machine on a particular night, and produce its contents -- even it it has since been deleted from that machine. Of course, there is a price: my method does all the work on a single machine, and a task such as this is mainly limited by disk thruput, so I will not get answers as quickly, but I do have more flexibility in the kinds of questions I can answer.

Moriah

133 Posts

You backup up all your workstations? Excellent, not many organisations do. A good reminder though, many backup products allow you to search for this kind of information. There are also a number of commercial products on the market that will go and collect the information for you.

M

Mark

392 Posts
ISC Handler

We typically use something like SMS/SCCM to run reports.

A previous organisation that I worked for used a logon script with AIDA32 to keep an updated audit of all machines.

AshD

2 Posts

i assume you didn't publish there the real commands used by the script because there are a few key issues with that dir command:

a) it only searches the current directory and any subdirectories below it (where "current" when used with psexec means user profile directory)

b) will not look for removable media or other partitions.

point (b) is especially important because often users will bring in removable media (e.g. dvds with ripped movies or flash drives/portable media players if you don't have access controls enabled for usbstor devices)

Also, (b) is important when users are told to never save important data on the c: partition and instead are told to use another location for user data. This is my case too, i configure the machines i manage to keep the "desktop" and "my documents" folders on a different partition. This way i can have a few systems with the c: partition frozen (deep freeze) while others can be re-imaged when needed without affecting user data.

JustAMouse

12 Posts

oops.. didn't notice the -w c: psexec parameter, this means it only searches on the entire c:\ but still it doesn't look for other drives.

JustAMouse

12 Posts

@A. Looks like the diary editor strips the slash. You are right it will only search the one drive in this case. In this instance I was only interested in the C drive which is the configuration at this particular site. The SOE is fairly strict so users don't get the opportunity to move things to other partitions. Mydocuments and other directories are redirected to a network share. A separate process picks up the files on the network drives. This was purely to find those files people were attempting to "hide" files on their workstation.

Mark

392 Posts
ISC Handler

Ok, well if you are using nmap in ping mode:
you may not detect any computer that has Windows Firewall enabled, which defaults to blocking ICMP echo.

If you continuously utilize a monitoring tool such as ARPWatch on every LAN, you might want to use the IP address database from that tool as well as the nmap results.

Mysid

146 Posts

i would use psloggedin when running the psexec directory search command so I can see who's workstation it is.

Mysid
2 Posts

here's a sample command that i use to audit and delete:

FOR /R "%USERPROFILE%\Desktop" %%i in (*.xls *.xlsx *.xlsm *.xltx *.xltm *.xlsb *.xlam *.doc *.docx *.docm *.dotx *.dotm *.ppt *.pptx *.pptm *.potx *.potm *.ppam *.ppsx *.ppsm *.pdf *.txt *.log *.rtf *.csv *.zip) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% 2>&1

Mysid
3 Posts

it screwed up that command pretty bad when i posted it., here's another try:

FOR /R "%USERPROFILE%\Desktop" %%i in (*.xls *.xlsx *.xlsm *.xltx *.xltm *.xlsb *.xlam) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si

Mysid
3 Posts

I give up

Mysid
3 Posts

# find /home $ -iname '*.mp3' -o -iname '*.avi' -o ... $
I wish...

Steven C.

171 Posts

I imagine most here know this already, but it might be worth mentioning that psexec might transmit credentials in clear text. I am typically a bit more paranoid than the average bear, but this is especially troubling given that this use case will leverage a privileged. domain account. Obviously, someone abusing this would need to be suitably positioned inside your network already...

A workaround is to first establish a connection to the remote system's IPC$ share in advance of psexec being launched.

I will mention that I was not able to reproduce the clear-text in my lab if launched from a Windows 7 box connecting to a remote WinXP box, so perhaps some change in Windows 7 has resolved this clear text issue. However, using the latest psexec binary, from WinXP to WinXP still results in clear-text credentials.

Steven C.
1 Posts

Yes, I back up all workstations every night. I have consulted at organizations that said to keep important stuff on a designated server instead of your workstation so it would get backed up, but all too frequently, the sysadms do not give you nearly enough storage on that server. Also, you never really know what is important until its not there anymore. Allowing users to use their workstations like the personal computers they were intended to be, and just backing up the world every night, seems so much safer to me. There are also obvious forensic advantages to such an approach.

Moriah

133 Posts

I did this kind of search eons ago, using a similar fashion of batch files.

In thoses days (surely it's still possible) there was a utility to list Active Directory content, one param was domain members, ie workstations.

Using that command, I was getting a batch running with \\machinename\c$\...\*.mp3 etc

Moriah
17 Posts

For the UNIX folk forced to work this issue... (from Steven's comment above)

One option is to map a drive from the system with a privileged credential, then run the "find" command or a variant of it.

The mount command to use:
----------------------------------------
mount -t smbfs -o username=mywindows_username,password=xxxxxxx,uid=xx,gid=xx,rw //fileservername/share_name /mountpoint_for_audit

-Kevin

Kevin Shortt

85 Posts
ISC Handler