AverageSecurityGuy

Security, Programming, Pentesting


30 January 2012

Hunting for Artifacts with Metasploit

by averagesecurityguy

A while back my boss, @BillDeanCCE, was looking for a way to check a machine for evidence of a compromise. He wanted to find files in specific locations with specific MD5 checksums, and to find specific registry keys whose value held particular data. I spent some time mulling this over and finally created a Metasploit post module to do it.

First, obtain a Meterpreter or shell session and load the module with use post/windows/gather/enum_artifacts.

Next, specify a configuration file containing the artifacts you want to find. The configuration file is written using YAML syntax and should be in the following format:

---
test_evidence:  # What the artifacts below are related to.
 files:
  - name: c:\ntdetect.com                  # File to find.
    csum: b2de3452de03674c6cec68b8c8ce7c78 # MD5 checksum.
  - name: c:\boot.ini
    csum: fa579938b0733b87066546afe951082c

 reg_entries:
  - key: HKEY_LOCAL_MACHINE\SYSTEM\Select  # Registry key
    val: Current                           # Value
    data: 1                                # Data
  - key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI
    val: DisplayName
    data: Microsoft ACPI Driver

Finally, run the enum_artifacts post module and it will search the computer in the specified session for any of the artifacts in the configuration file. Any matches are stored in the loot for later processing.
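The script below is an added illustration of the same workflow, not code from the enum_artifacts module: it parses a configuration in the YAML format shown above, compares each listed file's MD5 against the expected checksum, and compares registry data through a lookup callable. The registry lookup is a stand-in lambda (assumed, so the script runs on any platform), and the sample file and checksums are constructed for the demonstration.

```ruby
require 'yaml'
require 'digest'
require 'tmpdir'

# Parse an enum_artifacts-style YAML document into
# { evidence_name => { "files" => [...], "reg_entries" => [...] } }.
def load_artifact_config(yaml_text)
  YAML.safe_load(yaml_text) || {}
end

# MD5 of a file on disk, or nil when it is missing or unreadable.
def file_md5(path)
  File.file?(path) ? Digest::MD5.file(path).hexdigest : nil
end

# Walk every evidence group and report which artifacts are present.
# `registry` is a (key, value) -> data-or-nil callable; the default never
# matches. On Windows a reader built on the win32/registry library could be
# plugged in instead. Comparisons use to_s because YAML parses `data: 1` as
# an Integer while the registry reader may hand back a String.
def find_artifacts(config, registry: ->(_key, _val) { nil })
  hits = {}
  config.each do |evidence, spec|
    found = []
    (spec['files'] || []).each do |f|
      sum = file_md5(f['name'])
      found << "file #{f['name']} md5=#{sum}" if sum && sum.casecmp?(f['csum'].to_s)
    end
    (spec['reg_entries'] || []).each do |r|
      data = registry.call(r['key'], r['val'])
      found << "reg #{r['key']}\\#{r['val']}=#{data}" if !data.nil? && data.to_s == r['data'].to_s
    end
    hits[evidence] = found unless found.empty?
  end
  hits
end

# Constructed demonstration: one file entry whose checksum matches, a second
# entry for the same file with a wrong checksum (must not match), and one
# registry entry answered by a fake lookup. Returns the hits hash.
def demo
  Dir.mktmpdir do |dir|
    sample = File.join(dir, 'sample.bin')
    File.write(sample, "constructed sample artifact\n")
    config = load_artifact_config(<<~YAML)
      ---
      sample_evidence:
        files:
          - name: #{sample}
            csum: #{Digest::MD5.hexdigest("constructed sample artifact\n")}
          - name: #{sample}
            csum: deadbeefdeadbeefdeadbeefdeadbeef
        reg_entries:
          - key: HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor
            val: Installed
            data: 1
    YAML
    fake_registry = ->(key, val) { key.end_with?('ExampleVendor') && val == 'Installed' ? '1' : nil }
    find_artifacts(config, registry: fake_registry)
  end
end
```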

A default configuration file is included with Metasploit and located at data/post/enum_artifacts_list.txt. Currently, the configuration file contains only a couple of test artifacts, which were used to ensure the module worked properly. I would like to see the community get together and add artifacts to this file, artifacts that could allow pentesters to identify malware infections, installed software, or any number of other things.

If you have any questions or comments about this module or suggestions for improvements, please let me know.

tags: artifacts - metasploit - post exploitation