rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Post/aux modules for Recall collection #19250

Open sempervictus opened 5 months ago

sempervictus commented 5 months ago

Summary

We probably want to include collection, parsing, and analysis of Recall data à la this netexec PR or the totalrecall script.

Basic example

  1. Connect over RPC to remote Windows machine/get a session (post version)
  2. Enumerate/qualify Recall state and storage locations
  3. Collect contents of storage and relevant registry/database info for access
  4. Parse and extract Recall data
  5. Report notes, creds, and other useful information while storing parsed loot and (optionally) entire collected sample

Motivation

Because [image]

Marshall-Hallenbeck commented 5 months ago

Looks like @xaitax already pretty much did that? https://x.com/xaitax/status/1799140614241501550

xaitax commented 5 months ago

I will check what's required in terms of changes or if feasible at all on the 18th. 👍🏻 No point adding it now anymore.

adfoster-r7 commented 4 months ago

This sounds cool; Is it a useful module still with the recent news? 👀

xaitax commented 4 months ago

Hi @adfoster-r7

> This sounds cool; Is it a useful module still with the recent news? 👀

I have the new CoPilot+ laptop and once they roll Recall out in the Insider channel I will work on version 2 of my TotalRecall script as well as adjusting my MSF module (as shown above).

Cheers, Alex