aboutsummaryrefslogtreecommitdiff
path: root/docs/Recon/Find-InterestingFile.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/Recon/Find-InterestingFile.md')
-rwxr-xr-xdocs/Recon/Find-InterestingFile.md248
1 files changed, 248 insertions, 0 deletions
diff --git a/docs/Recon/Find-InterestingFile.md b/docs/Recon/Find-InterestingFile.md
new file mode 100755
index 0000000..2fe6abf
--- /dev/null
+++ b/docs/Recon/Find-InterestingFile.md
@@ -0,0 +1,248 @@
+# Find-InterestingFile
+
+## SYNOPSIS
+Searches for files on the given path that match a series of specified criteria.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection
+
+## SYNTAX
+
+### FileSpecification (Default)
+```
+Find-InterestingFile [[-Path] <String[]>] [-Include <String[]>] [-LastAccessTime <DateTime>]
+ [-LastWriteTime <DateTime>] [-CreationTime <DateTime>] [-ExcludeFolders] [-ExcludeHidden] [-CheckWriteAccess]
+ [-Credential <PSCredential>]
+```
+
+### OfficeDocs
+```
+Find-InterestingFile [[-Path] <String[]>] [-OfficeDocs] [-CheckWriteAccess] [-Credential <PSCredential>]
+```
+
+### FreshEXEs
+```
+Find-InterestingFile [[-Path] <String[]>] [-FreshEXEs] [-CheckWriteAccess] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function recursively searches a given UNC path for files with
+specific keywords in the name (default of pass, sensitive, secret, admin,
+login and unattend*.xml).
+By default, hidden files/folders are included
+in search results.
+If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection
+is used to temporarily map the remote share.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-InterestingFile -Path "C:\Backup\"
+```
+
+Returns any files on the local path C:\Backup\ that have the default
+search term set in the title.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7)
+```
+
+Returns any files on the remote path \\\\WINDOWS7\Users\ that have the default
+search term set in the title and were accessed within the last week.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\"
+
+## PARAMETERS
+
+### -Path
+UNC/local path to recursively search.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: .\
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Include
+Only return files/folders that match the specified array of strings,
+i.e.
+@(*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: String[]
+Parameter Sets: FileSpecification
+Aliases: SearchTerms, Terms
+
+Required: False
+Position: Named
+Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastAccessTime
+Only return files with a LastAccessTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastWriteTime
+Only return files with a LastWriteTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CreationTime
+Only return files with a CreationTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OfficeDocs
+Switch.
+Search for office documents (*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: OfficeDocs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FreshEXEs
+Switch.
+Find .EXEs accessed within the last 7 days.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FreshEXEs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeFolders
+Switch.
+Exclude folders from the search results.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeHidden
+Switch.
+Exclude hidden files and folders from the search results.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckWriteAccess
+Switch.
+Only returns files the current user has write access to.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+to connect to remote systems for file enumeration.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.FoundFile
+
+## NOTES
+
+## RELATED LINKS
+
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 21:50:13 +0000