Add Recall module for dumping all users Microsoft Recall DBs & screenshots #335
Conversation
Marshall-Hallenbeck
requested review from
zblurx,
NeffIsBack and
mpgn
as code owners
|
Nice one 👍 |
|
kek |
|
Pardon my ignorance, what are you showing in the screenshot exactly? Is that a DomainAdmin account (Recall) authenticating to a box on the network he runs collecting the recall databases of users on that system? Assuming I’ve understood this correctly this feels very misleading as domain admin has full control if your domain admin is spying on you (there’s better ways to do it) instead of pushing out GPO disabling recall, you’ve got bigger problems. Edit: @Marshall-Hallenbeck just want to be clear, netexec is a clutch util that I love. Maybe a recall feature is apt here. I’ve just been skeptical about the risks posed by recall which led me to your screenshots being passed around on twitter with some ridiculous claims attached. That’s why I ask. |
|
@bsmartt13 In this instance it's just a standalone VM in Azure, so no domain. It's a local admin to the box, but being an admin isn't even necessary apparently, since you can This may be irrelevant now that Microsoft has announced some new updates, but we'll have to see how it works in practice. |
Signed-off-by: Marshall Hallenbeck <[email protected]>
I cherry-picked the download_folder functionality from #320 and then improved it due to STATUS_SHARING_VIOLATION which occurs when a file has a handle by another process open with READ|WRITE (by default we attempt to get the file with only READ).
Screenshots:
Silent run:
Loud run:
Showing downloaded screenshots: