Search for Files of Interest - Tutorial

Note

To use these features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success representative to request access to this package.

Sometimes, based on threat intelligence, you learn of a specific file that is used for malicious purposes, for example as part of an attack. As a result, you want to find out whether this file is present anywhere in your organization.

Although you can find files through an investigation query, if the file has not executed, the sensor’s regular data collection does not see or collect data about the file. Using the file search enables you to find these files before they run.

This tutorial explains how to perform a file search on machines in your organization.

Search all sensors in the organization

The basic file search performs a search for a specific file name across all sensors in the organization, and returns details on where the file is found. You can search for an exact file name, or you can use wildcard characters to find files that have similar names or files of a specific type, such as all .exe files.

This tutorial searches for a fictitious file named ransom_encrypt.exe.

To perform a basic file search, follow these steps:

  1. In your Cybereason platform, navigate to the Live File Search screen.

  2. In the File Search screen, select the Standard search tab.

  3. In the Standard search screen, in the File properties section, in the Name field, enter the file name ransom_encrypt.exe.

  4. Click Search.

By default, the search runs for 10 minutes. You can extend the timeout period for later searches.

This search runs on up to 5000 sensors connected to your Cybereason environment.

The Cybereason platform saves the search so you can run it again in the future. You can also remove the search if you want to, or if you reach the maximum number of saved searches.

Search a specific machine or folder

Searching for only a file name could take a long time or lead to confusing results (especially if, for example, you use a wildcard to search for files of a specific type). To help you target the file search, you can search specific folders or machines.

For this tutorial, imagine you learned from threat intelligence that this ransomware is an attachment that users download. Therefore, you modify the existing search for ransom_encrypt.exe* to search the Downloads folder. If you know more about the file, such as the machines it targeted, or the time when it entered one machine in your organization, you can also search by Machines and Time.

To perform a more specific search, follow these steps:

  1. In the Live File Search screen, select the Standard search tab.

  2. In the Standard search tab, in the File properties section, in the Name field, enter ransom_encrypt.exe.

  3. Next to the File name field, find the Folders field. This is where you enter the specific folders that you want to search.

  4. In the Folders field, enter %userprofile%/Downloads.

  5. Click Search.

By default, the search runs for 10 minutes. You can extend the timeout period for later searches.

This search runs on up to 5000 sensors connected to your Cybereason environment.

Analyze the results

When the search completes, the Cybereason platform displays the results in a grid at the bottom of the File Search screen.

The results list details about the file, including:

  • The file name

  • The machine name

  • The location of the file on the machine

  • Creation and modification times for the file

Using this information, you can remove the file from machines on which it has not yet run, before it damages them.
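The two searches above (a file-name search across all profiles, and the same search scoped to %userprofile%/Downloads) and the fields in the results grid can be reproduced on a single host with the following added Python example. It is not Cybereason's code or API; it assumes a profile root directory that plays the role of C:\Users, builds a constructed sample tree under it, and stops walking when its timeout elapses.

```python
import fnmatch
import os
import socket
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

def expand_folder(folder, profile_root):
    """A spec beginning with %userprofile% is expanded once per user profile under
    profile_root (assumed to play the role of C:\\Users); other specs are literal."""
    spec = folder.replace("\\", "/")
    if spec.lower().startswith("%userprofile%"):
        tail = spec[len("%userprofile%"):].strip("/")
        return [p / tail for p in sorted(profile_root.iterdir()) if p.is_dir()]
    return [Path(spec)]

def search_files(pattern, folders, profile_root, timeout_s=600):
    """Walk each target folder and report files whose name matches the wildcard
    pattern (case-insensitive). Returns (hits, timed_out); the walk stops once
    timeout_s elapses, so a folder-scoped search is faster and more precise."""
    deadline = time.monotonic() + timeout_s
    host, hits = socket.gethostname(), []
    iso = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    for folder in folders:
        for base in expand_folder(folder, profile_root):
            for dirpath, _, names in os.walk(base):
                if time.monotonic() > deadline:
                    return hits, True
                for name in names:
                    if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                        st = os.stat(os.path.join(dirpath, name))
                        # st_ctime is creation time on Windows, inode change time on Linux
                        hits.append({"file": name, "machine": host, "path": dirpath,
                                     "created": iso(st.st_ctime), "modified": iso(st.st_mtime)})
    return hits, False

def build_sample_tree():
    """Constructed sample profile root: two users, the file once in a Downloads
    folder and once on a Desktop (outside the scoped search), plus benign files."""
    root = Path(tempfile.mkdtemp())
    for rel in ("alice/Downloads/ransom_encrypt.exe", "alice/Downloads/notes.txt",
                "bob/Downloads/installer.exe", "bob/Desktop/ransom_encrypt.exe"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"constructed sample content")
    return root

if __name__ == "__main__":
    for hit in search_files("ransom_encrypt.exe", ["%userprofile%/Downloads"], build_sample_tree())[0]:
        print(hit)
```

Searching the whole profile root with `ransom_encrypt.exe*` finds both copies, while the Downloads-scoped search reports only the one a user downloaded, which is the narrowing the tutorial's second procedure relies on.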