- sensitive_files.yaml updates - removed duplicates, updated windows files key
- added registry search for CurrentPass
This commit is contained in:
makikvues
parent
15b769a298
commit
4cb1a48975
@ -140,12 +140,6 @@ search:
|
||||
search_in:
|
||||
- /etc
|
||||
|
||||
? "system.d"
|
||||
:
|
||||
type: d
|
||||
search_in:
|
||||
- /etc
|
||||
|
||||
MySQL:
|
||||
config:
|
||||
auto_check: False
|
||||
@ -1661,7 +1655,7 @@ search:
|
||||
search_in:
|
||||
- common
|
||||
|
||||
Windows Files:
|
||||
Windows_Files:
|
||||
config:
|
||||
auto_check: True
|
||||
|
||||
|
||||
@ -69,6 +69,7 @@ namespace winPEAS.Checks
|
||||
PrintLSAProtection,
|
||||
PrintCredentialGuard,
|
||||
PrintCachedCreds,
|
||||
PrintRegistryCreds,
|
||||
PrintAVInfo,
|
||||
PrintWindowsDefenderInfo,
|
||||
PrintUACInfo,
|
||||
@ -1106,5 +1107,45 @@ namespace winPEAS.Checks
|
||||
{
|
||||
}
|
||||
}
|
||||
|
||||
private static void PrintRegistryCreds()
|
||||
{
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Enumerating saved credentials in Registry (CurrentPass)");
|
||||
string currentPass = "CurrentPass";
|
||||
var hive = "HKLM";
|
||||
var path = "System";
|
||||
var controlSet = "ControlSet";
|
||||
|
||||
var colors = new Dictionary<string, string>
|
||||
{
|
||||
{ currentPass, Beaprint.ansi_color_bad }
|
||||
};
|
||||
|
||||
var subkeys = RegistryHelper.GetRegSubkeys(hive, path);
|
||||
|
||||
foreach (var subkey in subkeys.Where(i => i.Contains(controlSet)))
|
||||
{
|
||||
try
|
||||
{
|
||||
var subPath = @$"{path}\{subkey}\Control";
|
||||
var key = $@"{hive}\{subPath}\{currentPass}";
|
||||
var value = RegistryHelper.GetRegValue(hive, subPath, currentPass);
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(value))
|
||||
{
|
||||
Beaprint.AnsiPrint($@" {key,-60} : {value}", colors);
|
||||
}
|
||||
}
|
||||
catch (Exception)
|
||||
{
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user