Security, Programming, Pentesting
by averagesecurityguy
A while back my boss, @BillDeanCCE, was looking for a way to check a machine for evidence of a compromise. He wanted to find files in specific locations with specific MD5 checksums and wanted to find specific registry keys matching a particular value. I spent some time mulling this over and finally created a Metasploit post module to do it.
First, obtain a meterpreter or shell session and load the module using use post/windows/gather/enum_artifacts.
Next, specify a configuration file containing the artifacts you want to find. The configuration file is written using YAML syntax and should be in the following format:
```yaml
---
test_evidence: # What the artifacts below are related to.
  files:
    - name: c:\ntdetect.com # File to find.
      csum: b2de3452de03674c6cec68b8c8ce7c78 # MD5 checksum.
    - name: c:\boot.ini
      csum: fa579938b0733b87066546afe951082c
  reg_entries:
    - key: HKEY_LOCAL_MACHINE\SYSTEM\Select # Registry key
      val: Current # Value
      data: 1 # Data
    - key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI
      val: DisplayName
      data: Microsoft ACPI Driver
```
Finally, run the enum_artifacts post module and it will search the computer in the specified session for any of the artifacts in the configuration file. Any matches are stored in the loot for later processing.
A default configuration file is included with Metasploit and located at data/post/enum_artifacts_list.txt. Currently, the configuration file contains only a couple of test artifacts, which were used to ensure the module worked properly. I would like to see the community get together and add artifacts to this file, artifacts that could allow pentesters to identify malware infections, installed software, or any number of other things.
If you have any questions or comments about this module or suggestions for improvements, please let me know.
tags: artifacts - metasploit - post exploitation