diff --git a/build_lists/sensitive_files.yaml b/build_lists/sensitive_files.yaml
index c6dafba..a05660d 100644
--- a/build_lists/sensitive_files.yaml
+++ b/build_lists/sensitive_files.yaml
@@ -139,12 +139,6 @@ search: type: d search_in: - /etc - - ? "system.d" - : - type: d - search_in: - - /etc MySQL: config:
@@ -1661,7 +1655,7 @@ search:
 search_in:
 - common
- Windows Files:
+ Windows_Files:
 config:
 auto_check: True
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
index 18b3968..c69d482 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -69,6 +69,7 @@ namespace winPEAS.Checks
 PrintLSAProtection,
 PrintCredentialGuard,
 PrintCachedCreds,
+ PrintRegistryCreds,
 PrintAVInfo,
 PrintWindowsDefenderInfo,
 PrintUACInfo,
@@ -1106,5 +1107,45 @@ namespace winPEAS.Checks
 {
 }
 }
+
+ private static void PrintRegistryCreds()
+ {
+ try
+ {
+ Beaprint.MainPrint("Enumerating saved credentials in Registry (CurrentPass)");
+ string currentPass = "CurrentPass";
+ var hive = "HKLM";
+ var path = "System";
+ var controlSet = "ControlSet";
+
+ var colors = new Dictionary
+ {
+ { currentPass, Beaprint.ansi_color_bad }
+ };
+
+ var subkeys = RegistryHelper.GetRegSubkeys(hive, path);
+
+ foreach (var subkey in subkeys.Where(i => i.Contains(controlSet)))
+ {
+ try
+ {
+ var subPath = @$"{path}\{subkey}\Control";
+ var key = $@"{hive}\{subPath}\{currentPass}";
+ var value = RegistryHelper.GetRegValue(hive, subPath, currentPass);
+
+ if (!string.IsNullOrWhiteSpace(value))
+ {
+ Beaprint.AnsiPrint($@" {key,-60} : {value}", colors);
+ }
+ }
+ catch (Exception)
+ {
+ }
+ }
+ }
+ catch (Exception ex)
+ {
+ }
+ }
 }
 }
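Review bot: The outer handler at the end of `PrintRegistryCreds` binds `ex` and then never uses it, so a failure to open HKLM\System (and an access-denied read on a ControlSet subkey, which the inner `catch (Exception) { }` hides the same way) produces no output at all and the operator cannot tell "no CurrentPass value present" from "could not read it"; either write `catch (Exception)` as the inner handler does, or pass `ex.Message` to the Beaprint error-reporting helper the other checks in this file use so the failure is visible in the run. If `RegistryHelper.GetRegSubkeys` can return null when the key cannot be opened (its contract is not visible here), the `.Where` call throws and is swallowed by that same empty catch, so a guard such as `if (subkeys is null) return;` before the loop would make the no-access case explicit. The filter `subkeys.Where(i => i.Contains(controlSet))` also matches the `CurrentControlSet` link key, so the same value is printed twice, once under ControlSet00X and once under CurrentControlSet; `i.StartsWith(controlSet, StringComparison.Ordinal)` keeps only the numbered sets. The method is complete within the hunk.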