Windows Gather Enum User MUICache metasploit module

This module gathers information about the files and file paths that logged on users have executed on the system. It also will check if the file still exists on the system. This information is gathered by using information stored under the MUICache registry key. If the user is logged in when the module is executed it will collect the MUICache entries by accessing the registry directly. If the user is not logged in the module will download users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are parsed from the downloaded hive.

Module : post/windows/gather/enum_muicache

msf > use post/windows/gather/enum_muicache 
msf post(enum_muicache) > sessions
…sessions…
msf post(enum_muicache) > set SESSION <session-id>
msf post(enum_muicache) > show options
…show and set options…
msf post(enum_muicache) > run

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s