trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

Merge PR #120 #122

Closed nowhey2 closed 2 months ago

nowhey2 commented 3 months ago

We had a situation where we were wanting to look at the system's USB history. I was reminded of the module I did for metasploit eons ago and did a small modification to reg_query to now report the FILETIME of the parent key queried. I explain in the PR why only the parent key is reported. Sample output:

[07/29 22:45:56] beacon> reg_query HKLM SYSTEM\CurrentControlSet\Enum\USBSTOR
[07/29 22:45:56] [+] Running reg_query
[07/29 22:45:56] [*] Running reg_query
[07/29 22:45:58] [+] host called home, sent: 10304 bytes
[07/29 22:45:58] [+] received output:
07/29/2024 12:59:33      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_VendorCo&Prod_ProductCode&Rev_2.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven__USB&Prod__SanDisk_3.2Gen1&Rev_1.00

[07/29 22:46:01] beacon> reg_query HKLM SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_0000
[07/29 22:46:01] [+] Running reg_query
[07/29 22:46:01] [*] Running reg_query
[07/29 22:46:03] [+] host called home, sent: 10353 bytes
[07/29 22:46:03] [+] received output:
06/07/2024 08:56:39      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_0000\E0D55EA574E6174019470788&0

[07/29 22:46:11] beacon> reg_query HKLM SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_0000\E0D55EA574E6174019470788&0
[07/29 22:46:11] [+] Running reg_query
[07/29 22:46:11] [*] Running reg_query
[07/29 22:46:13] [+] host called home, sent: 10380 bytes
[07/29 22:46:13] [+] received output:
06/07/2024 08:56:39      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_0000\E0D55EA574E6174019470788&0
    DeviceDesc             REG_SZ          @disk.inf,%disk_devdesc%;Disk drive
    Capabilities           REG_DWORD       16
    Address                REG_DWORD       1
    ContainerID            REG_SZ          {52bb1a60-3d4a-59f6-9b94-24609eb400ec}
    HardwareID             REG_MULTI_SZ    USBSTOR\DiskKingstonDataTraveler_3.00000\0USBSTOR\DiskKingstonDataTraveler_3.0\0USBSTOR\DiskKingston\0USBSTOR\KingstonDataTraveler_3.00\0KingstonDataTraveler_3.00\0USBSTOR\GenDisk\0GenDisk
    CompatibleIDs          REG_MULTI_SZ    USBSTOR\Disk\0USBSTOR\RAW\0GenDisk
    ClassGUID              REG_SZ          {4d36e967-e325-11ce-bfc1-08002be10318}
    Service                REG_SZ          disk
    Driver                 REG_SZ          {4d36e967-e325-11ce-bfc1-08002be10318}\0001
    Mfg                    REG_SZ          @disk.inf,%genmanufacturer%;(Standard disk drives)
    FriendlyName           REG_SZ          Kingston DataTraveler 3.0 USB Device
    ConfigFlags            REG_DWORD       0

And so we were able to figure out which USB drive the administrator was using and giggles ensued.
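For readers who want to reproduce the timestamp part of this from the defender's side, the following is an added example (not code from CS-Situational-Awareness-BOF or from the PR). It converts registry last-write FILETIME values into the same MM/DD/YYYY HH:MM:SS layout the output above shows (rendered here in UTC; the BOF's time zone is not stated in the thread), and on Windows it reads those timestamps for the USBSTOR key and each device-model subkey through `winreg.QueryInfoKey`. The two sample records are constructed to match the times in the thread, and the path constant and function names are this example's own.

```python
"""Added example: last-write FILETIME of USBSTOR registry keys, converted to
the MM/DD/YYYY HH:MM:SS form printed by reg_query. Not the BOF's own code."""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The key queried in the thread; assumed to be the one of interest.
USBSTOR_PATH = "SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
HKLM_PREFIX = "HKEY_LOCAL_MACHINE\\"

# Constructed sample records (key path, FILETIME) reproducing two timestamps
# from the thread: 07/29/2024 12:59:33 and 06/07/2024 08:56:39 (UTC here).
SAMPLE_RECORDS = [
    (HKLM_PREFIX + USBSTOR_PATH, 133667315730000000),
    (HKLM_PREFIX + USBSTOR_PATH
     + "\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_0000", 133622241990000000),
]


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    if ft < 0:
        raise ValueError("FILETIME must be non-negative")
    # Integer division to microseconds keeps the arithmetic exact for large values.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def format_filetime(ft: int) -> str:
    """Render in the MM/DD/YYYY HH:MM:SS layout used by the reg_query output."""
    return filetime_to_datetime(ft).strftime("%m/%d/%Y %H:%M:%S")


def usbstor_last_writes(path: str = USBSTOR_PATH) -> list:
    """Windows only: return [(key_path, filetime)] for the USBSTOR key and its
    direct subkeys (one per device model). A key's last-write time changes when
    one of its values is set or a direct subkey is created or deleted, so the
    parent key's timestamp reflects the most recent change to the device list,
    while each subkey's timestamp reflects changes beneath that device model."""
    import winreg  # ImportError on non-Windows hosts
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        subkey_count, _, root_ft = winreg.QueryInfoKey(root)
        records.append((HKLM_PREFIX + path, root_ft))
        for i in range(subkey_count):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                _, _, sub_ft = winreg.QueryInfoKey(sub)
                records.append((HKLM_PREFIX + path + "\\" + name, sub_ft))
    return records


def render(records) -> list:
    """One line per key, newest last-write first, in the reg_query-style layout."""
    ordered = sorted(records, key=lambda rec: rec[1], reverse=True)
    return [f"{format_filetime(ft)}      {key}" for key, ft in ordered]


if __name__ == "__main__":
    try:
        records = usbstor_last_writes()  # real data on a Windows host
    except (ImportError, OSError):
        records = SAMPLE_RECORDS  # offline: fall back to the constructed sample
    for line in render(records):
        print(line)
```

Sorting newest-first is a triage convenience: on a host where USB mass storage is not expected, the most recently written device-model key is the one to reconcile first against the asset inventory, and a USBSTOR parent timestamp that is newer than the last sanctioned device change is itself worth a look.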

freefirex commented 2 months ago

merged, thanks again!