Powershell Script To Search For Files & Folders

(Ray) #1

As part of our company’s security policy we have a next generation firewall that does content filtering to block access to potentially harmful websites. This includes blocking access to Internet proxy servers, which can be used to bypass our content filtering firewall. As it turns out, there is another way, thank you Google. Chrome has several “vpn” / “proxy” extensions which can be installed. When you activate these you can bypass your company’s firewall or proxy server and access sites prohibited by your company, and in many cases those sites could be harmful.

A year or so ago I installed several of these extensions, figured out the IPs and blocked them in the firewall. There was one in particular, “Browsec”, which I could not block as it used way too many IPs. My best solution was to create a PowerShell script that searches all computers in the domain that have the Browsec extension installed. In order to do so the script has to search every user account on each computer.

So here is the “rough” PowerShell script I wrote to search every computer in my domain. You will need to fill out the -SearchBase OU & DC for your organization. I am not a PowerShell scripting expert, as you will see when you run this. If it can’t find the filtered data it returns the dreaded red PowerShell letters. In this case red means it’s not present, which is a good thing. If you see white, it’s a match and you have found that data. The top folder omghf is Browsec, and I don’t recall what the second one was. I figure this script could be edited to search for other files or folders in your organization if needed.

# Every object under the Computers OU; replace the OU/DC parts with your own domain
$ClientName = Get-ADObject -Filter * -SearchBase 'OU=Computers,DC=companyname,DC=com' | Select-Object -ExpandProperty Name
ForEach ($Client in $ClientName) {
    # Each profile folder under C:\Users on the remote machine (needs the admin C$ share)
    $UserName = Get-ChildItem "\\$Client\c$\Users" | Select-Object -ExpandProperty Name
    ForEach ($User in $UserName) {
        # Chrome stores extensions as Extensions\<extension id>\<version>\; match on the id fragments
        $ExtPath = "\\$Client\c$\Users\$User\AppData\Local\Google\Chrome\User Data\Default\Extensions"
        Get-ChildItem $ExtPath -Filter '*omghf*' -Recurse -Force
        Get-ChildItem $ExtPath -Filter '*aennj*' -Recurse -Force
    }
}
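A fuller inventory version of the same idea, added here as an example and not the original poster's script: instead of grepping for two folder-name fragments, it walks every Chrome profile on every domain computer, reads each extension's manifest.json to get its name, and emits one object per extension with a Flagged column for the id fragments mentioned in the thread. It assumes the ActiveDirectory module, admin rights on the C$ share, and that the OU path is replaced with your own; the full extension ids are not given in the thread, so only the fragments are used.

```powershell
# Added example (not the original poster's script): inventory Chrome extensions
# on every domain computer by reading each extension's manifest.json, then flag
# the id fragments the thread mentions. Assumes the ActiveDirectory module,
# admin rights on the C$ share, and that $SearchBase is replaced with your OU.
$SearchBase    = 'OU=Computers,DC=companyname,DC=com'   # placeholder, replace for your domain
$FlagPatterns  = @('*omghf*', '*aennj*')                # fragments named in the thread
$ChromeUserData = 'AppData\Local\Google\Chrome\User Data'

function Get-ChromeExtensionInventory {
    param([string]$SearchBase, [string[]]$FlagPatterns)

    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase |
        Select-Object -ExpandProperty Name

    foreach ($computer in $computers) {
        $usersRoot = "\\$computer\c$\Users"
        if (-not (Test-Path $usersRoot)) {
            Write-Warning "$computer : cannot reach $usersRoot (offline or no admin share)"
            continue
        }
        foreach ($userProfile in Get-ChildItem $usersRoot -Directory -ErrorAction SilentlyContinue) {
            $userData = Join-Path $userProfile.FullName $ChromeUserData
            if (-not (Test-Path $userData)) { continue }
            # Chrome keeps one folder per browser profile: 'Default', 'Profile 1', ...
            $chromeProfiles = Get-ChildItem $userData -Directory |
                Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
            foreach ($cp in $chromeProfiles) {
                $extRoot = Join-Path $cp.FullName 'Extensions'
                if (-not (Test-Path $extRoot)) { continue }
                # Layout: Extensions\<32-char id>\<version>\manifest.json
                foreach ($ext in Get-ChildItem $extRoot -Directory) {
                    $manifest = Get-ChildItem $ext.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
                        Select-Object -First 1
                    $name = $null
                    if ($manifest) {
                        try { $name = (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } catch {}
                    }
                    $flagged = $false
                    foreach ($p in $FlagPatterns) { if ($ext.Name -like $p) { $flagged = $true } }
                    [pscustomobject]@{
                        Computer    = $computer
                        User        = $userProfile.Name
                        Profile     = $cp.Name
                        ExtensionId = $ext.Name
                        Name        = $name   # '__MSG_*__' means a localized name stored under _locales
                        Flagged     = $flagged
                    }
                }
            }
        }
    }
}

$inventory = Get-ChromeExtensionInventory -SearchBase $SearchBase -FlagPatterns $FlagPatterns
$inventory | Where-Object Flagged | Format-Table -AutoSize
$inventory | Export-Csv -Path .\chrome-extensions.csv -NoTypeInformation
```

Because the output is objects rather than red error text, you can keep the CSV from each run and diff it against the previous one to see which extensions appeared since the last sweep, which is the real question behind the script.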

(Edwin Eekelaers) #2

@RayRay72, those dreaded red letters can be filtered by adding the bit -ErrorAction SilentlyContinue at the end of the Get-ChildItem lines. It actually suppresses those errors.

Might it not be easier to push it via a GPO or domain login script? Could make your code easier. For the rest, I’d say nice thing you made.

(Ray) #3

Thanks Edwin, I will add that to my script.

We are a small company, only about 25 computers to search, so I just run it manually every once in a while. We had a couple of interns last summer who were using it to get to prohibited sites. I noticed a huge increase in bandwidth and then figured out what they did. Since then nobody has used anything like that, so it’s never been a big issue. Thanks again!

(Edwin Eekelaers) #4

Be careful with your execution policy as you don’t wanna leave the door open for malicious code.

(Chuck Kissel) #5

Great script. I tell everyone to work smart and never work hard. This is a great example. We use a different filter, thankfully, that can stop VPN and proxy servers from the node. I will use those items you are filtering against my workstation auditing program and see if any workstation has those extensions installed.
My guess is that they are .DLL files?
Always nice to know if someone at least tried to bypass our security.

(Edwin Eekelaers) #6

I’d say nice to see he found out about it.

What I would do is throw that code in a function and store that function in the PowerShell ISE profile.

Here’s a version of what I use to search for files. No paths or anything variable in the code. Call the script with path and vars.

Gives you the chance to change the variables without reading.

function l4 ([Parameter(Mandatory)]$start, [Parameter(Mandatory)]$include, $exclude) {
    Get-ChildItem -Path $start -Include $include -Exclude $exclude -Recurse -ErrorAction SilentlyContinue
}

Call the function like this: l4 c:\ *.epub notthis.epub

It’s only basic but easily changeable into Search/Copy or Search/Destroy.

Parameters 1 and 2 are mandatory. Number 3 isn’t.