metasploit-framework

Post/aux modules for Recall collection

Open sempervictus opened this issue 1 year ago • 4 comments

Summary

We probably want to include collection, parsing, and analysis of Recall data à la this netexec PR or the TotalRecall script.

Basic example

  1. Connect over RPC to remote Windows machine/get a session (post version)
  2. Enumerate/qualify Recall state and storage locations
  3. Collect contents of storage and relevant registry/database info for access
  4. Parse and extract Recall data
  5. Report notes, creds, and other useful information while storing parsed loot and (optionally) entire collected sample

Motivation

Because image

sempervictus avatar Jun 08 '24 15:06 sempervictus

Looks like @xaitax already pretty much did that? https://x.com/xaitax/status/1799140614241501550

Marshall-Hallenbeck avatar Jun 08 '24 21:06 Marshall-Hallenbeck

I will check what's required in terms of changes or if feasible at all on the 18th. 👍🏻 No point adding it now anymore.

xaitax avatar Jun 08 '24 21:06 xaitax

This sounds cool; Is it a useful module still with the recent news? 👀

adfoster-r7 avatar Jun 17 '24 14:06 adfoster-r7

Hi @adfoster-r7

> This sounds cool; Is it a useful module still with the recent news? 👀

I have the new Copilot+ laptop, and once they roll Recall out in the Insider channel I will work on version 2 of my TotalRecall script as well as adjusting my MSF module (as shown above).

Cheers, Alex

xaitax avatar Jun 19 '24 08:06 xaitax