Search for Files on Machines
Note
To use these features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success representative to request access to this package.
When investigating malicious operations, you can search for problematic files in the following scenarios:
You have intelligence from global threat intelligence feeds about a malicious file.
You found a malicious file on a machine in your organization and want to see if other machines contain the same file.
You know the file is malicious but the file has not run on a machine. Because the file has not run, the Cybereason platform may not have detected the file as part of the sensor’s normal data collection.
To address these situations, you can use the Cybereason platform’s Live File search screen to search for malicious files throughout your organization’s machines.
You can also search for files using the Cybereason API. For details see the Hunting and Investigation API Reference section of the Cybereason API Reference.
Perform a file search
Note
The Cybereason platform’s file search performs a live file search and is available only when a machine is online and the sensor is connected to the Cybereason platform.
To perform a file search, follow these steps:
Open a Technical Support case to upgrade your environment and add the DFIR package. As part of the DFIR package enablement, Live File Search is also enabled for your environment.
After file search is enabled, have a user admin assign you the Responder L1, Responder L2, or Local Responder role (if your Cybereason environment uses sensor grouping).
Note
If you have the Responder L1/L2 or Local Responder role required for the Live File Search screen and your role is later changed to a predefined role, such as Super user, the file search permission is removed and Technical Support must re-enable file search access for you.
In your Cybereason platform, navigate to the Live File Search screen.
Select the Standard Search tab.
In the File Properties section, in the Name field, enter the string for the search. Options for search strings include:
The full file name
Partial file name
File format type
(Version 23.2.163 and later) Multiple file names separated by a semicolon (;) character to search for multiple files with the OR operator.
(Version 23.2.163 and later) A regular expression pattern with the regex expression and double colons.
Exact capitalization is not required, because searches are not case-sensitive.
Without a wildcard, the Cybereason platform matches only the exact name and does not find partial matches. If you are unsure of the full file name, include a wildcard character (*).
Cybereason searches only by file name, not by the path to the file.
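The Name-field rules above (semicolon-separated names combined with OR, `*` as the only wildcard, case-insensitive, file name only and exact match without a wildcard) as an added, stand-alone Python illustration; this is not Cybereason's code, and the sample paths and the regex-based matching are assumptions used only to show the behaviour.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of file paths as they might be reported by sensors.
SAMPLE_PATHS = [
    r"C:\Users\Public\update.exe",
    r"C:\Temp\UPDATE.EXE",
    "/opt/app/update.exe.bak",
    r"C:\update\readme.txt",   # 'update' appears only in the directory name
    r"D:\tools\helper.dll",
]


def build_name_matcher(name_field: str):
    """Turn a Live File Search Name-field string into a predicate on a path.

    Rules encoded here, as documented for the search screen:
    - ';' separates several names, which are combined with OR
    - '*' is the only wildcard; every other character matches literally
    - matching is case-insensitive
    - only the file name is compared, never its directory path
    Without a '*' the whole file name must match exactly.
    """
    patterns = []
    for raw in name_field.split(";"):
        term = raw.strip()
        if not term:
            continue
        # Escape all regex metacharacters, then turn the escaped '*' back
        # into "match anything" so it is the only wildcard that survives.
        regex = re.escape(term).replace(r"\*", ".*")
        patterns.append(re.compile(rf"^{regex}$", re.IGNORECASE))

    def matches(path: str) -> bool:
        # PureWindowsPath splits on both '\' and '/', so Linux paths work too.
        name = PureWindowsPath(path).name
        return any(p.match(name) for p in patterns)

    return matches


def search_paths(name_field: str, paths):
    """Return the paths whose file name satisfies the Name-field string."""
    matches = build_name_matcher(name_field)
    return [p for p in paths if matches(p)]


if __name__ == "__main__":
    for field in ("update.exe", "update*", "*.dll;readme.txt"):
        print(field, "->", search_paths(field, SAMPLE_PATHS))
```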
Below the Name field, optionally use the relevant field to add any of the filters to your search:
File Size
In the Size field, select an operator (Greater than, Less than, Equals, or Between), a file size unit (Bytes, KB, MB, or GB), and a file size.
File creation or modification time
In the Time field, select Created or Modified, an operator (Before, After, or Between), and then enter a time from the calendar widget.
On Windows machines, this value is the time when the file was created. On Linux machines, this value is the time the file status changed.
Folder
In the Folders field, enter one or more folder paths, separated by a comma.
In the folder path, you can enter specific paths, such as C:\Users\Public\Libraries, and/or environment variables, such as %userprofile%.
Using this format enables you to narrow down searches and improve search performance.
In the Location section, create a filter to limit the search to specific machines.
Cybereason recommends that you use this field to limit the effect the file search has on your servers. If you do not set a filter for machines for a file search operation, the file search operation runs on all machines currently connected to your Cybereason platform.
In the Machines field, you can specify machines in a number of ways:
Search all machines
In the dropdown list, select All.
If you select this option, there is a maximum of 5000 machines for the file search operation.
Search machines that meet specific filter criteria
In the dropdown list, select Query.
You should use this option when you know the parameters of a file search operation, such as machines of a certain operating system, online machines, and so forth.
This option enables you to search any machine based on machine characteristics. Available characteristics for filtering include:
Machine name
Machine FQDN
Sensor version
CPU usage
Memory usage
OS
OS version
Anti-Ransomware mode
PowerShell mode
Remote Shell mode
Data collection mode
Internal IP address of the machine
External IP address of the machine
Isolated status of the machine
App control mode
Sensor status
Service status
Outdated status of the machine
Signatures mode for the Anti-Malware > Signatures mode
Signatures DB version
Anti-Malware mode
Exploit Protection mode
Behavioral doc mode
Behavioral doc sensitivity
AI Detect mode
AI Prevent mode
Signatures mode origin
For a more detailed description of these options, see Export Sensor Metadata.
Search a specific list of machines
In the dropdown list, select CSV file.
This option is best used when there were failures on a previous file search and you need to run the file search operation on specific machines.
Click Upload CSV with machine list to add the CSV file with the machine names.
In the CSV file, you must add a column named MachineName with a list of machine names.
For example, you could prepare a CSV file like this:
MachineName
Win10-x64-20h1
Win10-x64-rs5
ron10x64
win10-x64-20h1
Next to the Search button, click the clock icon and select the timeout interval for the file search operation.
Note
If you set a lower timeout interval, the effect on your server’s performance will be lower.
By default, the search timeout is 10 minutes. You can select any interval from five minutes to sixty minutes and click Apply.
The Cybereason platform searches all selected machines simultaneously, for up to the time limit specified.
Click Search.
The Cybereason platform sends the search parameters to the machines you specified.
Note
The Cybereason platform searches only the file system, including external drives, but does not search network drives.
The file search operation runs in the background, using only CPU resources that are not used by other processes. The Cybereason platform limits CPU usage so as not to interfere with machine functionality. If the machine is undergoing intensive activity, the file search operation slows significantly.
While the Cybereason platform searches, view the progress of the search in the progress bar. Click Abort to abort searches that are in progress. This is useful if you have reached the limit of 10 searches in the queue per sensor, or if a search is taking too long.
You can run up to 10 concurrent searches on any given machine.
The Cybereason platform displays search results when the platform finds the file on a machine. For each file, Cybereason lists the file name, machine, file path, size, and creation and modification dates:
Note
If your environment uses sensor grouping and you have the Local Responder role assigned for your Cybereason user, you can view only the results from sensors in the groups to which you are assigned.
Click Export results to download a CSV list of all results.
You can also see the overall success for the file search on the machines above the results grid:
As the file search runs or after it has finished, view the status:
Search status | Description
---|---
In Progress | Search is in progress
Completed | Search has completed
Aborted | Search was aborted
Aborting | The abort button was pressed and the search is being aborted
Too many results | Search was aborted because the results limit was exceeded
Click Export search status to download a CSV list of the statuses and details on the file search operation for each machine. The search status export is always available even if there are no results from the file search operation.
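An added example, not Cybereason's code, that turns an exported search status into the MachineName CSV the CSV file machine option expects, so machines whose search ended as Aborted or Too many results can be rerun. The export's real column names are not documented here; the constructed sample assumes columns named MachineName and Search status.

```python
import csv
import io

# Statuses as listed in the search-status table of the Live File Search screen.
STILL_RUNNING = {"In Progress", "Aborting"}
RERUN_CANDIDATES = {"Aborted", "Too many results"}

# Constructed sample of an exported search status. The real export's column
# names are not documented on this page; "MachineName" and "Search status"
# are assumed. Note the duplicate row, as can happen when exports are merged.
SAMPLE_STATUS_EXPORT = """MachineName,Search status
Win10-x64-20h1,Completed
Win10-x64-rs5,Aborted
ron10x64,Too many results
srv-files-01,In Progress
srv-files-02,Aborted
srv-files-02,Aborted
"""


def machines_by_status(export_text: str) -> dict:
    """Group machine names from the status export by their search status."""
    groups = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        status = row["Search status"].strip()
        groups.setdefault(status, []).append(row["MachineName"].strip())
    return groups


def rerun_machine_list(export_text: str, statuses=RERUN_CANDIDATES) -> list:
    """Machines whose search ended in one of `statuses`, deduplicated
    case-insensitively (machine names are not case-sensitive), order kept.
    Machines in STILL_RUNNING are left out: their search has not ended."""
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Search status"].strip() in statuses:
            name = row["MachineName"].strip()
            if name.lower() not in seen:
                seen.add(name.lower())
                out.append(name)
    return out


def rerun_csv(export_text: str) -> str:
    """Render the rerun list in the one-column CSV shape the machine-list upload requires."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["MachineName"])
    for name in rerun_machine_list(export_text):
        writer.writerow([name])
    return buf.getvalue()
```

A machine that ended with Too many results will hit the same limit if the search is rerun unchanged, so narrow the Folders or Name filter before uploading the list.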
Perform a file search with YARA rules
You can search for suspicious files using YARA rules. You can upload a YAR file and filter according to the rules in that file. You can also use YARA rule searches together with the other filters on the File search screen.
Note
File search with YARA rules is not supported on Linux machines in versions 23.1.148 and earlier.
You use YARA rules to identify:
Malware
IOCs of malware
Any suspicious files that could indicate an attack and that an analyst wants to identify
YARA rules enable you to use binary patterns to identify malware. This is helpful in cases where a malware file was slightly tampered with (e.g. its hash was altered) compared with the file known to threat intelligence sources, making it hard to detect using other methods.
To search with YARA rules, follow these steps:
In the File search screen, select the YARA search tab.
In the YARA search tab, in the YAR file option section, click Upload YAR file to upload a YAR file containing the YARA rules to use in the search. The YAR file size must be less than 5 MB.
If needed, for the Time option, select Created or Modified, an operator (Before, After, or Between) and then enter a time from the calendar widget.
In the Size field, select an operator (Greater than, Less than, Equals, or Between), a file size unit (Bytes, KB, MB, or GB) and a file size.
In the Folders option, add at least one folder path.
A folder path is required because otherwise the search would take too much time and too many resources. If you do not enter a folder path, a warning is displayed and the Search button is disabled.
In the Location section, create a filter to limit the search to specific machines.
Cybereason recommends that you use this field to limit the file search effect on your servers. If you do not set a filter for machines for a file search operation, the file search operation runs on all machines currently connected to your Cybereason platform.
In the Machines field, you can specify machines in a number of ways:
Search all machines
In the dropdown list, select All.
If you select this option, there is a maximum of 5000 machines for the file search operation.
Search machines that meet specific filter criteria
In the dropdown list, select Query.
You should use this option when you know the parameters of a file search operation, such as machines of a certain operating system, online machines, and so forth.
This option enables you to search any machine based on machine characteristics. Available characteristics for filtering include:
Machine name
Machine FQDN
Sensor version
CPU usage
Memory usage
OS
OS version
Anti-Ransomware mode
PowerShell mode
Remote Shell mode
Data collection mode
Internal IP address of the machine
External IP address of the machine
Isolated status of the machine
App control mode
Sensor status
Service status
Outdated status of the machine
Signatures mode for the Anti-Malware > Signatures mode
Signatures DB version
Anti-Malware mode
Exploit Protection mode
Behavioral doc mode
Behavioral doc sensitivity
AI Detect mode
AI Prevent mode
Signatures mode origin
For a more detailed description of these options, see Export Sensor Metadata.
Search a specific list of machines
In the dropdown list, select CSV file.
This option is best used when there were failures on a previous file search and you need to run the file search operation on specific machines.
Click Upload CSV with machine list to add the CSV file with the machine names.
In the CSV file, you must add a column named MachineName with a list of machine names.
For example, you could prepare a CSV file like this:
MachineName
Win10-x64-20h1
Win10-x64-rs5
ron10x64
win10-x64-20h1
By default, the search timeout is 10 minutes. You can select any interval from five minutes to sixty minutes and click Apply.
Click Search.
While the Cybereason platform scans files against the YARA rules, each file is temporarily locked for a few seconds, and end users cannot delete it.
For large files, only the first 100 MB of each file is scanned.
If a file takes over 10 seconds to scan, the file search operation times out and proceeds to the next file.
Note
If your environment uses sensor grouping and you have the Local Responder role assigned for your Cybereason user, you can view only the results from sensors in the groups to which you are assigned.
In the search results, the Matched YARA rules column lists the rules from the uploaded YAR file that matched each file:
Note
If many sensors appear to have stopped, check the YARA rules you uploaded. If the rules are too complex, sensors may stop when they come under heavy load while scanning with them.
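Why a YARA binary pattern still matches a file whose hash was altered, and what the 100 MB scan limit means in practice, as an added Python illustration that is not Cybereason's code and does not use the YARA engine: it handles only the literal-byte and `??` wildcard subset of YARA hex strings, and the two byte blobs are constructed samples.

```python
import hashlib
import re

SCAN_LIMIT = 100 * 1024 * 1024   # the search inspects only the first 100 MB of each file


def compile_hex_pattern(hex_string: str) -> re.Pattern:
    """Compile a YARA-style hex string such as '{ 4D 5A ?? ?? 50 45 }' to a bytes regex.

    'XX' is a literal byte and '??' a one-byte wildcard. This is an assumed,
    deliberately small subset of YARA hex syntax (no jumps, no alternatives).
    """
    parts = []
    for tok in hex_string.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan_bytes(data: bytes, pattern: re.Pattern, limit: int = SCAN_LIMIT) -> list:
    """Offsets at which the pattern occurs within the first `limit` bytes only,
    mirroring the search's behaviour of scanning just the start of large files."""
    return [m.start() for m in pattern.finditer(data[:limit])]


def hashes_differ(a: bytes, b: bytes) -> bool:
    """True when a hash-based IOC for `a` would miss `b`."""
    return hashlib.sha256(a).hexdigest() != hashlib.sha256(b).hexdigest()


# Constructed samples: a fake executable-like blob and a copy with one byte changed.
ORIGINAL = b"MZ\x90\x00PE\x00\x00" + b"A" * 40 + b"payload-config-v1"
TAMPERED = ORIGINAL[:-1] + b"2"   # a single-byte edit is enough to change the hash

if __name__ == "__main__":
    pat = compile_hex_pattern("{ 4D 5A ?? ?? 50 45 }")
    print("hash differs:", hashes_differ(ORIGINAL, TAMPERED))
    print("pattern offsets, original:", scan_bytes(ORIGINAL, pat))
    print("pattern offsets, tampered:", scan_bytes(TAMPERED, pat))
```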