Incident Response - Fast suspicious file finder

Overview

FastFinder - Incident Response - Fast suspicious file finder

What is this project designed for?

FastFinder is a lightweight tool made for threat hunting, live forensics and triage on the Windows platform. It focuses on endpoint enumeration and on finding suspicious files based on various criteria:

  • file path / name
  • simple string content match
  • complex content condition(s) based on YARA

Installation

Compiled releases of this software are available. If you want to compile from source, it can be a little tricky because the build strongly depends on go-yara and CGO compilation. Anyway, you'll find detailed documentation here

Usage

fastfinder [-h|--help] -c|--configuration "<value>"

Arguments:

  -h  --help           Print help information
  -c  --configuration  fastfind configuration file

Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.

Scan and export file matches according to your needs

A configuration file example is available here in this repository.

input:
    path: [] # match file path AND / OR file name based on a simple string pattern
    content:
        grep: [] # match a literal string value inside file content
        yara: [] # use yara rules and specify rule path(s) for more complex pattern searches (wildcards / regex / conditions)
options:
    findInHardDrives: true # enumerate hard drive content
    findInRemovableDrives: true # enumerate removable drive content
    findInNetworkDrives: true # enumerate network drive content
output:
    base64Files: true # base64-encode matched content before copy
    filesCopyPath: '' # an empty value copies matched files into the fastfinder.exe folder

Note for input path:

  • '?' for a single character and '*' for multiple characters are available as wildcards in simple string patterns
  • environment variables are also available
  • regular expressions are allowed; they should be enclosed in //
  • input paths are always case INSENSITIVE
  • input content grep strings are always case SENSITIVE
  • backslashes do not have to be escaped in simple string patterns (see example)
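The path rules above, worked through in code: this is an added Go example of my own, not fastfinder's implementation, that compiles one `input: path` entry into a case-insensitive matcher with `?`/`*` wildcards, `%VAR%` expansion and `//`-enclosed regexes. The `CompilePathPattern` and `MatchPath` names, the constructed sample paths, and the assumption that a pattern is tested against both the full path and the bare file name are mine.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// winEnvRe finds Windows-style %VARIABLE% references in a pattern.
var winEnvRe = regexp.MustCompile(`%([A-Za-z_][A-Za-z0-9_]*)%`)

// CompilePathPattern (hypothetical, not fastfinder's code) applies the README
// rules: %ENV% references are expanded, a pattern enclosed in '/' is a regex,
// anything else is a simple string where '?' is one character and '*' any run
// of characters, with no backslash escaping. All matching is case-insensitive.
func CompilePathPattern(pattern string) (*regexp.Regexp, error) {
	p := winEnvRe.ReplaceAllStringFunc(pattern, func(m string) string {
		return os.Getenv(m[1 : len(m)-1])
	})
	if len(p) >= 2 && p[0] == '/' && p[len(p)-1] == '/' {
		return regexp.Compile("(?i)" + p[1:len(p)-1]) // user regex, left unanchored
	}
	var b strings.Builder
	b.WriteString("(?i)^") // a simple string has to match the whole string
	for _, r := range p {
		switch r {
		case '*':
			b.WriteString(".*")
		case '?':
			b.WriteString(".")
		default:
			b.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	b.WriteString("$")
	return regexp.Compile(b.String())
}

// MatchPath tests the full path, then the bare file name (my reading of the
// README's "file path AND / OR file name"); both slash styles are handled.
func MatchPath(re *regexp.Regexp, fullPath string) bool {
	name := fullPath[strings.LastIndexAny(fullPath, `\/`)+1:]
	return re.MatchString(fullPath) || re.MatchString(name)
}

func main() {
	os.Setenv("FF_PROFILE", `C:\Users\analyst`) // constructed value for the demo
	paths := []string{ // constructed sample paths, not taken from a real system
		`c:\users\ANALYST\appdata\Roaming\updater.EXE`, `C:\Windows\Tasks\svchOst.exe`,
		`C:\Windows\Temp\abcdefgh.dll`, `C:\Users\analyst\AppData\Roaming\notes.txt`,
	}
	for _, pat := range []string{`%FF_PROFILE%\AppData\*\*.exe`, `svch?st.exe`, `/\\temp\\[a-z]{8}\.dll$/`} {
		re, err := CompilePathPattern(pat)
		if err != nil {
			fmt.Println("bad pattern:", pat, err)
			continue
		}
		for _, p := range paths {
			if MatchPath(re, p) {
				fmt.Printf("%-30s -> %s\n", pat, p)
			}
		}
	}
}
```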

About this project and future versions

I initially created this project to automate the creation of fastfinds on a wide computer network. It fulfills the needs I have today; nevertheless, if you have complementary ideas, do not hesitate to ask, and I will see about implementing them if they can be useful for everyone. On the other hand, pull requests will be studied carefully.

Comments
  • 2.0.0 beta

    • scan performance improvements (up to 40%)
    • configuration and yara rules RC4 cipher
    • cross-platform SFX deployment kit
    • output and file logger complete rework
    • advanced UI with openfiledialog and realtime logger view
    opened by codeyourweb
Releases(2.0.0)
  • 2.0.0(Jan 30, 2022)

    What's new?

    [v 2.0.0]

    • scan performance improvements (up to 40%)
    • configuration and yara rules RC4 cipher
    • cross-platform SFX deployment kit
    • output and file logger complete rework
    • advanced UI with openfiledialog and realtime logger view
    • triage mode and file and directory watcher
    • CI and unit testing

    Ready for battle!

    • fastfinder has been tested with several CERT, CSIRT and SOC use cases
    • examples directory now includes real malware, suspect behaviors or vulnerability scans

    Usage

    ==================================================
      ___       __  ___  ___         __   ___  __
     |__   /\  /__`  |  |__  | |\ | |  \ |__  |__)
     |    /~~\ .__/  |  |    | | \| |__/ |___ |  \
    
      2021-2022 | Jean-Pierre GARNIER | @codeyourweb
      https://github.com/codeyourweb/fastfinder
    ==================================================
    usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build
                      "<value>"] [-o|--output "<value>"] [-n|--no-window]
                      [-u|--no-userinterface] [-v|--verbosity <integer>]
                      [-t|--triage]
    
                      Incident Response - Fast suspicious file finder
    
    Arguments:
    
      -h  --help              Print help information
      -c  --configuration     Fastfind configuration file. Default:
      -b  --build             Output a standalone package with configuration and
                              rules in a single binary
      -o  --output            Save fastfinder logs in the specified file
      -n  --no-window         Hide fastfinder window
      -u  --no-userinterface  Hide advanced user interface
      -v  --verbosity         File log verbosity. Default: 3
                                | 4: Only alert
                                | 3: Alert and errors
                                | 2: Alerts, errors and I/O operations
                                | 1: Full verbosity
      -t  --triage            Triage mode (infinite run - scan every new file in
                              the input path directories). Default: false
    

    Scan and export file matches according to your needs

    Configuration examples are available under the examples/ folder.

    Future release

    I don't plan to add any additional features right now. The next release will be focused on:

    • Stability / performance improvements
    • Unit testing / Code testing coverage / CI
    • Build more examples based on live malware tradecraft and threat actor campaigns

    What's Changed

    • 2.0.0 beta by @codeyourweb in https://github.com/codeyourweb/fastfinder/pull/3

    Full Changelog: https://github.com/codeyourweb/fastfinder/compare/1.4.2...2.0.0
    Source code(tar.gz)
    Source code(zip)
    fastfinder_v2.0.0-linux.zip(4.91 MB)
    fastfinder_v2.0.0-windows.zip(4.58 MB)
  • 1.4.2(Jan 5, 2022)

    What's new?

    [v1.4.2]

    • HTTP(S) distant config file
    • distant yara files in configuration (example here)
    • Github workflow and actions for future CI & CD
    • Several minor fixes and performance improvements
    • UI/UX and logging improvements

    Ready for battle!

    • fastfinder has been tested in real cases in multiple CERT, CSIRT and SOC
    • examples directory now includes real malware, suspect behaviors or vulnerability scans

    Usage

    usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build
                      "<value>"] [-o|--output "<value>"] [-n|--nowindow]
                      [-p|--showprogress] [-v|--version]
    
                      Incident Response - Fast suspicious file finder
    
    Arguments:
    
      -h  --help           Print help information
      -c  --configuration  Fastfind configuration file. Default: configuration.yaml
      -b  --build          Output a standalone package with configuration and rules
                           in a single binary
      -o  --output         Save fastfinder logs in the specified file
      -n  --nowindow       Hide fastfinder window
      -p  --showprogress   Display I/O analysis progress
      -v  --version        Display fastfinder version
    

    Scan and export file matches according to your needs

    Configuration examples are available under the examples/ folder.

    Future release

    I don't plan to add any additional features right now. The next release will be focused on:

    • Stability / performance improvements
    • Unit testing / Code testing coverage / CI
    • Build more examples based on live malware tradecraft and threat actor campaigns

    Full Changelog: https://github.com/codeyourweb/fastfinder/compare/1.4.1...1.4.2

    Source code(tar.gz)
    Source code(zip)
    fastfinder-1.4.2_release_linux.zip(4.10 MB)
    fastfinder-1.4.2_release_windows.zip(3.73 MB)
  • 1.4.1(Dec 12, 2021)

    What's new?

    [v1.4.0]

    • Parse content and calculate checksum from files inside archives

    [v1.4.1]

    • final console output changes

    Usage

    usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build
                      "<value>"] [-o|--output "<value>"] [-n|--nowindow]
                      [-p|--showprogress] [-v|--version]
    
                      Incident Response - Fast suspicious file finder
    
    Arguments:
    
      -h  --help           Print help information
      -c  --configuration  Fastfind configuration file. Default: configuration.yaml
      -b  --build          Output a standalone package with configuration and rules
                           in a single binary
      -o  --output         Save fastfinder logs in the specified file
      -n  --nowindow       Hide fastfinder window
      -p  --showprogress   Display I/O analysis progress
      -v  --version        Display fastfinder version
    

    Scan and export file matches according to your needs

    Configuration examples are available under the examples/ folder.

    Future release

    I don't plan to add any additional features right now. The next release will be focused on:

    • Stability / performance improvements
    • Unit testing / Code testing coverage / CI
    • Build more examples based on live malware tradecraft and threat actor campaigns

    Full Changelog: https://github.com/codeyourweb/fastfinder/compare/1.4.0...1.4.1

    Source code(tar.gz)
    Source code(zip)
    fastfinder-1.4.1_release_linux.zip(1.48 MB)
    fastfinder-1.4.1_release_windows.zip(2.72 MB)
  • 1.4.0(Dec 12, 2021)

    What's new?

    • Parse content and calculate checksum from files inside archives

    Usage

    usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build
                      "<value>"] [-o|--output "<value>"] [-n|--nowindow]
                      [-p|--showprogress] [-v|--version]
    
                      Incident Response - Fast suspicious file finder
    
    Arguments:
    
      -h  --help           Print help information
      -c  --configuration  Fastfind configuration file. Default: configuration.yaml
      -b  --build          Output a standalone package with configuration and rules
                           in a single binary
      -o  --output         Save fastfinder logs in the specified file
      -n  --nowindow       Hide fastfinder window
      -p  --showprogress   Display I/O analysis progress
      -v  --version        Display fastfinder version
    

    Scan and export file matches according to your needs

    Configuration examples are available under the examples/ folder.

    Future release

    I don't plan to add any additional features right now. The next release will be focused on:

    • Stability / performance improvements
    • Unit testing / Code testing coverage / CI
    • Build more examples based on live malware tradecraft and threat actor campaigns

    Full Changelog: https://github.com/codeyourweb/fastfinder/compare/1.3.0...1.4.0

    Source code(tar.gz)
    Source code(zip)
    fasterfinder-1.4_release_linux.zip(1.48 MB)
    fasterfinder-1.4_release_windows.zip(2.72 MB)
  • 1.3.0(Dec 7, 2021)

    What's new?

    • Cross-platform compatibility (Windows / Linux)
    • UI & scan progress rendering
    • Performance enhancements
    • Code refactoring and bug fixing

    Usage

    usage: fastfinder [-h|--help] [-c|--configuration "<value>"] [-b|--build
                      "<value>"] [-o|--output "<value>"] [-n|--nowindow]
                      [-p|--showprogress] [-v|--version]
    
                      Incident Response - Fast suspicious file finder
    
    Arguments:
    
      -h  --help           Print help information
      -c  --configuration  Fastfind configuration file. Default: configuration.yaml
      -b  --build          Output a standalone package with configuration and rules
                           in a single binary
      -o  --output         Save fastfinder logs in the specified file
      -n  --nowindow       Hide fastfinder window
      -p  --showprogress   Display I/O analysis progress
      -v  --version        Display fastfinder version
    

    Scan and export file matches according to your needs

    Configuration examples are available under the examples/ folder.

    Future release

    I don't plan to add any additional features right now. The next release will be focused on:

    • Stability / performance improvements
    • Unit testing / Code testing coverage / CI
    • Build more examples based on live malware tradecraft and threat actor campaigns

    What's Changed

    • update to 1.3 cross-platform by @codeyourweb in https://github.com/codeyourweb/fastfinder/pull/2

    Full Changelog: https://github.com/codeyourweb/fastfinder/compare/1.2.0...1.3.0

    Source code(tar.gz)
    Source code(zip)
    fasterfinder-1.3_release_linux.zip(1.52 MB)
    fasterfinder-1.3_release_windows.zip(2.79 MB)
  • 1.2.0(Dec 5, 2021)

    What's new?

    This new version adds a lot of requested features on top of the v1.0 release:

    • MD5/SHA1/SHA256 checksum matching
    • standard output and error can be redirected in a log file
    • CD-ROM, archives and virtual images parsing
    • ability to run fastfinder without rendering window
    • fastfinder executable, configuration and detection rules packing
    • bug bashing and performance improvements

    Usage

    usage: fastfinder [-h|--help] -c|--configuration "<value>" [-b|--build
                      "<value>"] [-o|--output "<value>"] [-n|--nowindow]
    
    Arguments:
    
      -h  --help           Print help information
      -c  --configuration  Fastfind configuration file
      -b  --build          Output a standalone package with configuration and rules
                           in a single binary
      -o  --output         Save fastfinder logs in the specified file
      -n  --nowindow       Hide fastfinder window
    

    Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.

    Scan and export file matches according to your needs

    Configuration examples are available under the examples/ folder.

    input:
        path: [] # match file path AND / OR file name based on a simple string pattern
        content:
            grep: [] # match a literal string value inside file content
            yara: [] # use yara rules and specify rule path(s) for more complex pattern searches (wildcards / regex / conditions)
            checksum: [] # look for md5/sha1/sha256 file checksum match
    options:
        findInHardDrives: true # enumerate hard drives content
        findInRemovableDrives: true # enumerate removable drives content
        findInNetworkDrives: true # enumerate network drives content
        findInCDRomDrives: true # enumerate physical / virtual cd-rom drives content
    output:
        base64Files: true # base64-encode matched content before copy
        filesCopyPath: '' # an empty value copies matched files into the fastfinder.exe folder
    

    Full Changelog: https://github.com/codeyourweb/fastfinder/compare/release...1.2.0

    Source code(tar.gz)
    Source code(zip)
    fastfinder_windows.zip(2.74 MB)
  • release(Nov 29, 2021)

    Usage

    fastfinder [-h|--help] -c|--configuration "<value>"

    Arguments:

      -h  --help           Print help information
      -c  --configuration  fastfind configuration file
    

    Depending on where you are looking for files, FastFinder could be used with admin OR simple user rights.

    Scan and export file matches according to your needs

    A configuration file example is available here in this repository.

    input:
        path: [] # match file path AND / OR file name based on a simple string pattern
        content:
            grep: [] # match a literal string value inside file content
            yara: [] # use yara rules and specify rule path(s) for more complex pattern searches (wildcards / regex / conditions)
    options:
        findInHardDrives: true # enumerate hard drive content
        findInRemovableDrives: true # enumerate removable drive content
        findInNetworkDrives: true # enumerate network drive content
    output:
        base64Files: true # base64-encode matched content before copy
        filesCopyPath: '' # an empty value copies matched files into the fastfinder.exe folder
    
    Source code(tar.gz)
    Source code(zip)
    configuration.yaml.example(528 bytes)
    example.yar(128 bytes)
    fastfinder.exe(5.36 MB)
Owner
Jean-Pierre GARNIER