On a red team engagement, our goal usually isn’t access, it’s data. While getting domain admin on a test is a great feeling, what actually matters to us is identifying what a customer is trying to protect and then targeting those crown jewels. Access is obviously a necessary component, but data mining is just as important.
Some of my previous posts have covered using PowerShell to quickly search for files of interest. These techniques were later incorporated into PowerView and have proved useful on many of our engagements. Being able to get a CSV of interesting files (all sortable by creation/access date) has really helped us find sensitive data in a compressed assessment timeframe. This is right in line with our philosophy of trying to “push down” some more traditional red team tradecraft into our more limited-timeframe engagements.
While this approach has proven useful, it still left something to be desired. Searching file names is great, and easy sorting by access date is even greater, but ideally we’d have an ability to search within files themselves for specific terms. I was talking with @obscuresec a bit ago on this topic, and he suggested that I check out another gift that Microsoft gave us pentesters, the Windows Search Index.
By default, the search indexer “indexes each user’s e-mail and Documents and Settings folders“. This is great for us, since admins tend to have sensitive data left lying around in desktop files as well as emails. Even better, we can query the search index programmatically through PowerShell. As I started to look into this approach and draft out a PoC, I stumbled upon an already complete solution by James ONeill. Not wanting to reinvent the wheel, I ran with James’ implementation.
My adaptation, Invoke-MassSearch, combines James’ Get-IndexedItem with the webserver weaponization approach utilized by Invoke-MassMimikatz. Just like the Mimikatz implementation, Invoke-MassSearch will stand up a web server in the background, trigger a download cradle on specified machines to download a specified PowerShell script from the attacker (in this case Get-IndexItem), and then base64/report the results back to the invoking system. This lets us run our search index queries across a given set of machines, all without relying on psremoting!
As a bonus, one of the fields returned is the incredibly useful AUTOSUMMARY. This field contains the section of a document that matches the submitted query. That is, the chunk of target text that you actually care about. This means that you often don’t even need to download the target doc, as the AUTOSUMMARY usually contains all the information you want!
Here’s how you can use it: