Unmanaged file searching with Filesearcher.exe

During our red team engagements, we are often reliant on a command and control infrastructure. Typically these infrastructures are capable of loading .NET assemblies in memory, which gave me the idea of coding a filesearcher assembly. This was partially invented because of a CTF event I was participating in which had me hunting several file systems for sensitive files, or files containing specific strings. This can all be done using commandline or powershell as well of course, but that would involve remembering syntaxes and it’s also less stealthy. After the CTF was over, I figured it might be useful in actual engagements as well.

Another reason for creating this tool is to get more acquainted with the Windows API and argument parsing in C# so we can leverage it more efficiently in our future tradecraft.

The help screen of Filesearcher

Filesearcher can search for files/directories with a specific string value (and accepts wildcards). However, that is not all the tool can do. The tool can also list mounted drives (does not support network shares for the moment, might be implemented in a future release) and more interestingly, can search for files/directories containing a specific key word.

As this is written in pure C#, it is possible to invoke it using your favourite command and control tool, for example through Cobalt-Strike’s execute assembly. The program will do what’s instructed and report back to the user on the next check in of the beacon.

Filesearcher conducting a search launched via cobalt strike beacon.

The tool is now available and is fully open source at https://github.com/NVISO-BE/FileSearcher. We hope this tool can help you in your next CTF or assessment!

Disclaimer: this tool is intended for ethical purposes and we do not condone nefarious usage.

About the author

Jean-François Maes is a red teaming and social engineering expert working in the NVISO Cyber Resilience team. When he is not working, you can probably find Jean-François in the Gym or conducting research. He was also ranked #1 on the Belgian leaderboard of Hack The Box (a popular penetration testing platform). You can find Jean-François on LinkedIn and on Hack The Box

Leave a Reply