From 022668bd499290a0bdaabfc6196a77f9a11c0f8f Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 3 Oct 2022 22:05:12 +0000 Subject: [PATCH] GitBook: [#3546] No subject --- .../browser-artifacts.md | 3 ++- .../README.md | 21 +++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index 20a8aeb16..15f383a79 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md @@ -36,9 +36,10 @@ Let us take a look at the most common artifacts stored by browsers. * **Logins:** Self Explanatory. * **Favicons:** They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited. * **Browser Sessions:** Self Explanatory. -* \*\*Downloads:\*\*Self Explanatory. +* **Downloads**: Self Explanatory. * **Form Data:** Anything typed inside forms is oftentimes stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data. * **Thumbnails:** Self Explanatory. +* **Custom Dictionary.txt**: Words added to the dictionary by the user. ## Firefox diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md index feafbd801..32e38d4f3 100644 --- a/windows-hardening/windows-local-privilege-escalation/README.md +++ b/windows-hardening/windows-local-privilege-escalation/README.md 
@@ -919,6 +919,23 @@ You can **extract many DPAPI** **masterkeys** from **memory** with the `sekurlsa [dpapi-extracting-passwords.md](dpapi-extracting-passwords.md) {% endcontent-ref %} +### PowerShell Credentials + +**PowerShell credentials** are often used for **scripting** and automation tasks as a way to store encrypted credentials conveniently. The credentials are protected using **DPAPI**, which typically means they can only be decrypted by the same user on the same computer they were created on. + +To **decrypt** a PS credentials from the file containing it you can do: + +``` +PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml' +PS C:\> $credential.GetNetworkCredential().username + +john + +PS C:\htb> $credential.GetNetworkCredential().password + +JustAPWD! +``` + ### Wifi ```bash @@ -951,6 +968,10 @@ HKCU\\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU Use the **Mimikatz** `dpapi::rdg` module with appropriate `/masterkey` to **decrypt any .rdg files**\ You can **extract many DPAPI masterkeys** from memory with the Mimikatz `sekurlsa::dpapi` module +### Sticky Notes + +People often use the StickyNotes app on Windows workstations to **save passwords** and other information, not realizing it is a database file. This file is located at `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` and is always worth searching for and examining. + ### AppCmd.exe **Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.**\
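Review bot: in the browser-artifacts.md hunk, the new `**Custom Dictionary.txt**:` bullet (and the corrected `**Downloads**:` line) put the colon outside the bold span, while every other item in this list keeps it inside (`**Logins:**`, `**Form Data:**`, `**Thumbnails:**`); for a consistent list write `* **Downloads:** Self Explanatory.` and `* **Custom Dictionary.txt:** Words added to the dictionary by the user.`. The new entry would also be more useful as an artifact pointer if it said where the file lives relative to the browser profile, since the list introduces "the most common artifacts stored by browsers" without otherwise naming files.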
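Review bot: in the `@@ -919,6 +919,23 @@` hunk (new `### PowerShell Credentials` section), the code fence is untagged while the `### Wifi` block immediately after it uses ```bash; tag it ```powershell so it renders like the rest of the file. Inside the block the prompt switches from `PS C:\>` to `PS C:\htb>` between the `.username` and `.password` commands, and the outputs are separated from their commands by blank lines; use one prompt throughout and keep each output directly under its command. The lead sentence "To **decrypt** a PS credentials from the file containing it" should read "a PS credential". Since the paragraph already states the DPAPI constraint, it is worth saying explicitly that `Import-Clixml` only succeeds when run as the user who exported the file, on the same host; that is the condition a reader needs to check before expecting the snippet to return anything.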
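Review bot: in the `@@ -951,6 +968,10 @@` hunk (new `### Sticky Notes` section), the path `C:\Users\\AppData\Local\Packages\...` has lost the username component between `Users\` and `AppData` (the doubled backslash is the remnant), so as written it does not point at a real location; restore a placeholder such as `C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`, escaping the backslashes the way the earlier `HKCU\\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` line in this file does so GitBook does not swallow them again. The section says the file is a database but not how to inspect it; a short note that `plum.sqlite` opens with any SQLite client would complete the entry.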