From 1b2968c718b483c5cb405d61ed03b68658b5ae0b Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Sat, 31 Aug 2024 18:58:43 +0000
Subject: [PATCH 1/7] Winscp Session registry key extraction module

Module to extract WinScp sessions registry key to be decrypted with https://github.com/XMCyber/XMCredentialsDecryptor
---
 Modules/Apps/WinSCP_Session.mkape | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 Modules/Apps/WinSCP_Session.mkape

diff --git a/Modules/Apps/WinSCP_Session.mkape b/Modules/Apps/WinSCP_Session.mkape
new file mode 100644
index 000000000..477dcc164
--- /dev/null
+++ b/Modules/Apps/WinSCP_Session.mkape
@@ -0,0 +1,17 @@
+Description: Module to extract a copy of WinSCP encrypted credentials
+Category: Live Response
+Author: Vito Alfano
+Version: 1.0
+Id: e00dac99-3a59-4c59-911c-95eda1769250
+ExportFormat: txt
+Processors:
+ -
+ Executable: C:\Windows\System32\cmd.exe
+ CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" %destinationDirectory%\winscp2_sessions_key.txt
+ ExportFormat: txt
+
+# Documentation
+# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
+# https://github.com/XMCyber/XMCredentialsDecryptor
+
+

From b3af77ec68c77bb354a6d9bd643e75fdc984ac30 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Sat, 31 Aug 2024 19:04:36 +0000
Subject: [PATCH 2/7] Update WinSCP_Session.mkape

---
 Modules/Apps/WinSCP_Session.mkape | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/Modules/Apps/WinSCP_Session.mkape b/Modules/Apps/WinSCP_Session.mkape
index 477dcc164..6629e04af 100644
--- a/Modules/Apps/WinSCP_Session.mkape
+++ b/Modules/Apps/WinSCP_Session.mkape
@@ -1,4 +1,4 @@
-Description: Module to extract a copy of WinSCP encrypted credentials
+Description: Module to extract a copy of WinSCP encrypted credentials
 Category: Live Response
 Author: Vito Alfano
 Version: 1.0
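Review bot: The `reg export` on the CommandLine line reads `HKEY_CURRENT_USER`, which is the hive of the account KAPE runs as, not necessarily the account whose WinSCP sessions are being collected; a live-response run under an elevated administrator or SYSTEM token therefore exports the responder's own (usually empty) key. Targeting the loaded user hives under `HKEY_USERS\<SID>` (or stating in the Description that the module must run as the logged-on target user) would make the collection reliable, and the same applies to the MobaXterm modules in patches 3, 5 and 6. `reg export` also stops to ask for confirmation when the destination file already exists, which hangs a non-interactive module on a re-run; appending `/y` to the command (`... %destinationDirectory%\winscp2_sessions_key.txt /y`) avoids that. `ExportFormat: txt` appears both at the top level and inside the processor, and only one is needed. WinSCP can also be configured to keep its configuration in an INI file rather than the registry, in which case this key is empty; the Description should note that limitation.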
@@ -13,5 +13,3 @@ Processors:
 # Documentation
 # https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
 # https://github.com/XMCyber/XMCredentialsDecryptor
-
-

From bd5669709c6f177002185b18f999be71449aaf9c Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Sat, 31 Aug 2024 19:06:46 +0000
Subject: [PATCH 3/7] Module to extract MobaXterm Master Password

Module to extract MobaXterm Master Password to be decrypted with https://github.com/XMCyber/XMCredentialsDecryptor
---
 Modules/Apps/MobaXterm_Master_Pass.mkape | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Modules/Apps/MobaXterm_Master_Pass.mkape

diff --git a/Modules/Apps/MobaXterm_Master_Pass.mkape b/Modules/Apps/MobaXterm_Master_Pass.mkape
new file mode 100644
index 000000000..002721495
--- /dev/null
+++ b/Modules/Apps/MobaXterm_Master_Pass.mkape
@@ -0,0 +1,15 @@
+Description: Module to extract a copy of MobaXterm encrypted master password
+Category: Live Response
+Author: Vito Alfano
+Version: 1.0
+Id: 4ca41e3e-918e-419f-b7cf-22a8cdb1da0f
+ExportFormat: txt
+Processors:
+ -
+ Executable: C:\Windows\System32\cmd.exe
+ CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\M" %destinationDirectory%\Mobaterm_MasterPass_key.txt
+ ExportFormat: txt
+
+# Documentation
+# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
+# https://github.com/XMCyber/XMCredentialsDecryptor

From 4ec6ad387a73a7240b331609312da08b728b7f21 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Sat, 31 Aug 2024 19:08:06 +0000
Subject: [PATCH 4/7] Update MobaXterm_Master_Pass.mkape

Fixed Typo error
---
 Modules/Apps/MobaXterm_Master_Pass.mkape | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/Apps/MobaXterm_Master_Pass.mkape b/Modules/Apps/MobaXterm_Master_Pass.mkape
index 002721495..95e8a4af4 100644
--- a/Modules/Apps/MobaXterm_Master_Pass.mkape
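Review bot: The destination `Mobaterm_MasterPass_key.txt` on the CommandLine line drops the X from MobaXterm; patch 7 fixes the same typo in the Passwords module, but this file is left inconsistent with `MobaXterm_Credentials_key.txt` in patch 6. Changing it to `%destinationDirectory%\MobaXterm_MasterPass_key.txt` keeps the three exports grouped under one prefix in the output directory. The Description could also state that the `M` value is only the encrypted master-password material and that, as the grouping of these modules suggests, the `P` and `C` exports depend on it for decryption, so an analyst knows to run the sibling modules together.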
+++ b/Modules/Apps/MobaXterm_Master_Pass.mkape
@@ -1,4 +1,4 @@
-Description: Module to extract a copy of MobaXterm encrypted master password
+Description: Module to extract a copy of MobaXterm encrypted master password
 Category: Live Response
 Author: Vito Alfano
 Version: 1.0

From 627e86b57aa34bfc88b1a7fd792039c796c7ceef Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Sat, 31 Aug 2024 19:15:33 +0000
Subject: [PATCH 5/7] Module MobaXTerm Password Extraction

---
 Modules/Apps/MobaXterm_Passwords_key.mkape | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Modules/Apps/MobaXterm_Passwords_key.mkape

diff --git a/Modules/Apps/MobaXterm_Passwords_key.mkape b/Modules/Apps/MobaXterm_Passwords_key.mkape
new file mode 100644
index 000000000..43e39b0b3
--- /dev/null
+++ b/Modules/Apps/MobaXterm_Passwords_key.mkape
@@ -0,0 +1,15 @@
+Description: Module to extract a copy of MobaXterm encrypted passwords
+Category: Live Response
+Author: Vito Alfano
+Version: 1.0
+Id: a7473175-e108-4b93-81cb-49c6e7d37ff9
+ExportFormat: txt
+Processors:
+ -
+ Executable: C:\Windows\System32\cmd.exe
+ CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\Mobaterm_Pass_key.txt
+ ExportFormat: txt
+
+# Documentation
+# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
+# https://github.com/XMCyber/XMCredentialsDecryptor

From a969752598bf692532cb419e6d0f21df8694185d Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Sat, 31 Aug 2024 19:17:11 +0000
Subject: [PATCH 6/7] Module MobaXTerm Credentials Extraction

---
 Modules/Apps/MobaXterm_Credentials_key.mkape | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Modules/Apps/MobaXterm_Credentials_key.mkape

diff --git a/Modules/Apps/MobaXterm_Credentials_key.mkape b/Modules/Apps/MobaXterm_Credentials_key.mkape
new file mode 100644
index 000000000..930d8fa11
--- /dev/null
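Review bot: Exporting each MobaXterm subkey from its own module (`P` here, `M` in patch 3, `C` in patch 6) lets an analyst collect the values one at a time, and if, as the module grouping suggests, the master-password material under `M` is needed to decrypt the others, a partial collection yields nothing usable. A single module exporting the parent key `HKEY_CURRENT_USER\Software\Mobatek\MobaXterm` would capture all three values in one artifact, or, if the repository's compound-module convention allows it, a wrapper module could run the three together. If the split is kept, the Description should cross-reference the sibling modules so the dependency is visible in the module list.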
+++ b/Modules/Apps/MobaXterm_Credentials_key.mkape
@@ -0,0 +1,15 @@
+Description: Module to extract a copy of MobaXterm encrypted credentials
+Category: Live Response
+Author: Vito Alfano
+Version: 1.0
+Id: 1dc46684-fee1-40ab-9a25-216ec41df4a9
+ExportFormat: txt
+Processors:
+ -
+ Executable: C:\Windows\System32\cmd.exe
+ CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\C" %destinationDirectory%\MobaXterm_Credentials_key.txt
+ ExportFormat: txt
+
+# Documentation
+# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
+# https://github.com/XMCyber/XMCredentialsDecryptor

From 20c2ef24f3506b519cc7f97002d40fdd156359e1 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Sat, 31 Aug 2024 19:18:08 +0000
Subject: [PATCH 7/7] Update MobaXterm_Passwords_key.mkape

Fix Typo Error
---
 Modules/Apps/MobaXterm_Passwords_key.mkape | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/Apps/MobaXterm_Passwords_key.mkape b/Modules/Apps/MobaXterm_Passwords_key.mkape
index 43e39b0b3..22c7ccfe7 100644
--- a/Modules/Apps/MobaXterm_Passwords_key.mkape
+++ b/Modules/Apps/MobaXterm_Passwords_key.mkape
@@ -7,7 +7,7 @@ ExportFormat: txt
 Processors:
 -
 Executable: C:\Windows\System32\cmd.exe
- CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\Mobaterm_Pass_key.txt
+ CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\MobaXterm_Pass_key.txt
 ExportFormat: txt
 # Documentation
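Review bot: The Description `Module to extract a copy of MobaXterm encrypted credentials` is hard to tell apart from the Passwords module in patch 5 (`… encrypted passwords`), since both describe secret material and the only visible difference is the single-letter key name in the command. Naming the value in the text, e.g. `Description: Module to export the MobaXterm 'C' (Credentials) registry key for offline decryption`, tells an analyst which artifact each module yields before reading the CommandLine.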