Windows Gather File and Registry Artifacts Enumeration
This module checks the file system and registry for particular artifacts. The list of artifacts is read from data/post/enum_artifacts_list.txt or a user-specified file. Any matches are written to the loot.
Rank
- Normal
Authors
- averagesecurityguy < stephen [at] averagesecurityguy.info >
Similar Modules
- post/windows/gather/arp_scanner
- post/windows/gather/bitcoin_jacker
- post/windows/gather/cachedump
- post/windows/gather/checkvm
- post/windows/gather/credentials/coreftp
- post/windows/gather/credentials/credential_collector
- post/windows/gather/credentials/dyndns
- post/windows/gather/credentials/enum_cred_store
- post/windows/gather/credentials/enum_picasa_pwds
- post/windows/gather/credentials/epo_sql
Usage Information
$ msfconsole
msf > use post/windows/gather/enum_artifacts
msf post(enum_artifacts) > set SESSION [INTEGER]
Module Options
| Option | Description |
| --- | --- |
| ARTIFACTS | Full path to artifacts file. (default: /home/svn/jobs/msf3/data/post/enum_artifacts_list.txt) |
| SESSION | The session to run this module on. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
