
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/post/windows/gather/enum_artifacts.md

Vulnerable Application

This module checks the file system and registry of the target host, through an existing session, for particular artifacts.

The list of artifacts is read in YAML format from data/post/enum_artifacts_list.txt or a user-specified file. Any matches are written to the loot.
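As an added illustration of the workflow the paragraph describes (this is example code, not the module's own code, and the YAML layout with `files` and `registry` keys is an assumed schema, not the framework's data file), the following Ruby parses an artifact list, matches it against a constructed snapshot of a host, and flattens the hits into the text a loot file would hold. The file set and registry map stand in for the live queries a post module would make through the session.

```ruby
require 'yaml'
require 'set'

# Constructed artifact list. The key names (files / registry) are this
# example's own assumed schema, not the layout of the framework's data file.
ARTIFACT_YAML = <<~'YAML'
  ---
  test_evidence:
    files:
      - test_evidence.txt
      - evidence.txt
    registry:
      - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\DisplayName
      - HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\NotPresent
YAML

# Constructed host snapshot: file names seen on the file system and a
# registry key -> { value name -> data } map. Replaces the session queries.
SAMPLE_FILES = Set['evidence.txt', 'notepad.exe', 'hosts'].freeze
SAMPLE_REGISTRY = {
  'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI' => {
    'DisplayName' => 'Microsoft ACPI Driver'
  }
}.freeze

# Parse the artifact list. YAML.safe_load accepts only plain scalars, arrays
# and hashes, so a tampered list file cannot instantiate arbitrary objects.
def load_artifacts(yaml_text)
  YAML.safe_load(yaml_text) || {}
end

# "HIVE\key\path\Value" -> ["HIVE\key\path", "Value"]
def split_reg_entry(entry)
  key, _, value = entry.rpartition('\\')
  [key, value]
end

# Return { app => { files: [...], registry: [...] } } for every application
# with at least one matching file or registry value.
def find_artifacts(artifacts, files_present, registry)
  hits = {}
  artifacts.each do |app, spec|
    file_hits = Array(spec['files']).select { |f| files_present.include?(f) }
    reg_hits = Array(spec['registry']).select do |entry|
      key, value = split_reg_entry(entry)
      registry.key?(key) && registry[key].key?(value)
    end
    next if file_hits.empty? && reg_hits.empty?
    hits[app] = { files: file_hits, registry: reg_hits }
  end
  hits
end

# Flatten the hits into the lines that would be written to a loot file.
def loot_report(hits)
  hits.flat_map do |app, h|
    ["Evidence of #{app} found."] + h[:files] + h[:registry]
  end.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  found = find_artifacts(load_artifacts(ARTIFACT_YAML), SAMPLE_FILES, SAMPLE_REGISTRY)
  puts loot_report(found)
end
```

Run with `ruby enum_artifacts_example.rb`; with the constructed snapshot it reports one file hit and one registry hit for test_evidence, and an application whose files and registry values are all absent is left out of the report entirely.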

Verification Steps

  1. Start msfconsole

  2. Get a session

  3. Do: use post/windows/gather/enum_artifacts

  4. Do: set SESSION <session id>

  5. Do: run

Options

ARTIFACTS

Full path to the artifacts file (defaults to data/post/enum_artifacts_list.txt).

Scenarios

Windows 7 (6.1 Build 7601, Service Pack 1)

```
msf6 > use post/windows/gather/enum_artifacts
msf6 post(windows/gather/enum_artifacts) > set session 1
session => 1
msf6 post(windows/gather/enum_artifacts) > set verbose true
verbose => true
msf6 post(windows/gather/enum_artifacts) > run
[*] Searching for artifacts of test_evidence
[*] Processing 2 file entries for test_evidence ...
[*] Processing 2 registry entries for test_evidence ...
[*] Artifacts of test_evidence found.
Evidence of test_evidence found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\DisplayName
[+] Enumerated Artifacts stored in: /root/.msf4/loot/20220807015628_default_192.168.200.190_enumerated.artif_933981.txt
[*] Post module execution completed
```