rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Post/aux modules for Recall collection #19250

Open sempervictus opened 2 weeks ago

sempervictus commented 2 weeks ago

Summary

We probably want to include collection, parsing, and analysis of Recall data à la this netexec PR or the totalrecall script.

Basic example

  1. Connect over RPC to remote Windows machine/get a session (post version)
  2. Enumerate/qualify Recall state and storage locations
  3. Collect contents of storage and relevant registry/database info for access
  4. Parse and extract Recall data
  5. Report notes, creds, and other useful information while storing parsed loot and (optionally) entire collected sample

Motivation

Because [image]

Marshall-Hallenbeck commented 2 weeks ago

Looks like @xaitax already pretty much did that? https://x.com/xaitax/status/1799140614241501550

xaitax commented 2 weeks ago

I will check what's required in terms of changes or if feasible at all on the 18th. 👍🏻 No point adding it now anymore.

adfoster-r7 commented 1 week ago

This sounds cool; Is it a useful module still with the recent news? 👀

xaitax commented 1 week ago

Hi @adfoster-r7

> This sounds cool; Is it a useful module still with the recent news? 👀

I have the new Copilot+ laptop, and once they roll Recall out in the Insider channel I will work on version 2 of my TotalRecall script as well as adjusting my MSF module (as shown above).

Cheers, Alex