Script to assess potentially exposed credentials on a Windows system after a malware event or a suspected credential-theft attack.
The script collects information on:
- Terminal Services Logins
- Scheduled Task Stored Credentials
- Services Running with Stored Credentials
- Currently running processes owned by user accounts
- All user logon events, grouped by logon type (logon types 2, 4, 5, 8, 9, 10 and 11)
- Cached Credentials (CMDKEY /LIST Output)
- Credentials stored in Browsers (Chrome, Edge, Firefox, Brave, Vivaldi, Opera, OperaGX)
# Requirements
Must be run as local administrator.
# Artifacts
This script does SOME writing to the local disk. Things to be aware of:
- May create a folder c:\Temp if it does not already exist
- Writes temporary .SQL files with random names into the C:\Temp directory (the script should also delete them)
- Writes the script output to a full directory path of your choosing
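As an added illustration of three of the collection categories listed above (logon events by type, scheduled tasks with stored credentials, services running under named accounts), the following is example code written for this page, not the project's own script; the output folder, the event cap, the file names and the filter thresholds are assumptions. Like the script, it must run as local administrator.

```powershell
# Added example, not the original script. Assumptions: output folder and event cap below.
param(
    [string]$OutDir = 'C:\Temp\CredTriage',   # assumption: where CSV results are written
    [int]$MaxEvents = 2000                     # assumption: newest 4624 events to scan
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Logon events (Security 4624) grouped by logon type; only the types listed in the README.
$wanted = 2,4,5,8,9,10,11
$logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse EventData fields by name rather than relying on message-text positions
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType
            Source    = $d.IpAddress
        }
    } | Where-Object { $wanted -contains $_.LogonType }
$logons | Group-Object LogonType | Sort-Object { [int]$_.Name } |
    Select-Object @{n='LogonType';e={$_.Name}}, Count,
                  @{n='Users';e={($_.Group.User | Sort-Object -Unique) -join ';'}} |
    Export-Csv (Join-Path $OutDir 'logons_by_type.csv') -NoTypeInformation

# 2. Scheduled tasks whose principal logs on with a stored password (credential kept by the Task Scheduler).
Get-ScheduledTask | Where-Object { $_.Principal.LogonType -in 'Password','InteractiveOrPassword' } |
    Select-Object TaskName, TaskPath, @{n='RunAs';e={$_.Principal.UserId}}, @{n='LogonType';e={$_.Principal.LogonType}} |
    Export-Csv (Join-Path $OutDir 'tasks_stored_creds.csv') -NoTypeInformation

# 3. Services running under a named account rather than a built-in identity (password stored by the SCM).
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and ($_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') } |
    Select-Object Name, State, StartName, PathName |
    Export-Csv (Join-Path $OutDir 'services_stored_creds.csv') -NoTypeInformation

Write-Host "Triage output written to $OutDir"
```

The three CSV files give a reviewer the accounts whose credentials were present on the host (stored or recently used interactively), which is the set to prioritise for rotation after a compromise.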