CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/post/windows/gather/enum_artifacts.md
Views: 11789

Vulnerable Application

This module will check the file system and registry for particular artifacts.

The list of artifacts is read in YAML format from data/post/enum_artifacts_list.txt or a user specified file. Any matches are written to the loot.

Verification Steps

  1. Start msfconsole

  2. Get a session

  3. Do: use post/windows/gather/enum_artifcats

  4. Do: set SESSION <session id>

  5. Do: run

Options

ARTIFACTS

Full path to artifacts file.

Scenarios

Windows 7 (6.1 Build 7601, Service Pack 1)

msf6 > use post/windows/gather/enum_artifacts 
msf6 post(windows/gather/enum_artifacts) > set session 1
session => 1
msf6 post(windows/gather/enum_artifacts) > set verbose true
verbose => true
msf6 post(windows/gather/enum_artifacts) > run

[*] Searching for artifacts of test_evidence
[*] Processing 2 file entries for test_evidence ...
[*] Processing 2 registry entries for test_evidence ...
[*] Artifacts of test_evidence found.
Evidence of test_evidence found.
	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\DisplayName

[+] Enumerated Artifacts stored in: /root/.msf4/loot/20220807015628_default_192.168.200.190_enumerated.artif_933981.txt
[*] Post module execution completed