
Updated 3R (RegRipper Ripper) (RR v3.0)

May 29, 2020 in 3R, Forensic Analysis, Software Releases

Another two years have passed since the last update of the 3R, and since there is a new release of RegRipper this week (https://github.com/keydet89/RegRipper3.0) it was a good opportunity to revisit it.

The update this time was a bit tricky — since the snapshots (2.8 vs. 3.0) differ a lot, I decided to use 2.8 as a base and then add/overwrite the changes from v3.0.

And last, but not least – remember the 3RPG tool!

Flash Player & Background updates from an internal server via mms.cfg

May 13, 2020 in Autostart (Persistence), Forensic Analysis, Living off the land, LOLBins, Random ideas

This is just a note to reference what I posted on Twitter earlier today.

According to the Flash Player Admin Guide (‘Background updates from an internal server’ section), you can create an mms.cfg file with the following content:

AutoUpdateDisable=0 
SilentAutoUpdateEnable=1
SilentAutoUpdateServerDomain=<your serv>

Once installed, Flash will update from the server provided in the config. It could be a lolbin/persistence/covert channel opportunity. I have not tested it. Also, note that Flash is dying, so this is probably not that important.

In any case though, if you spot an mms.cfg file you may want to inspect it. Procmon tells me that these are possible locations:

  • C:\Windows\System32\mms.cfg
  • C:\Windows\SysWOW64\mms.cfg
  • C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
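A small triage helper for the settings and locations above, added here as an example (it is not code from the original post). It parses an mms.cfg body, reports when silent background updates are pointed at a custom server, and checks the three candidate paths; the hostname in the embedded sample is a constructed placeholder.

```python
"""Triage Flash Player mms.cfg files that redirect background updates.

Added example, not from the original post. The update-server hostname in
SAMPLE_CFG is a constructed placeholder, not a real indicator.
"""
from pathlib import Path

# Candidate locations reported by Procmon in the post above (Windows paths).
MMS_CFG_LOCATIONS = [
    r"C:\Windows\System32\mms.cfg",
    r"C:\Windows\SysWOW64\mms.cfg",
    r"C:\Windows\SysWOW64\Macromed\Flash\mms.cfg",
]


def parse_mms_cfg(text):
    """Parse 'Key=Value' lines into a dict; blank lines and lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key:
            settings[key.strip()] = value.strip()
    return settings


def triage(settings):
    """Return a finding when a custom update server is configured, else None.

    silent_updates_enabled is True only when the admin-guide recipe is complete:
    AutoUpdateDisable=0 and SilentAutoUpdateEnable=1 alongside the server domain.
    """
    domain = settings.get("SilentAutoUpdateServerDomain")
    if not domain:
        return None
    enabled = (settings.get("AutoUpdateDisable") == "0"
               and settings.get("SilentAutoUpdateEnable") == "1")
    return {"server": domain, "silent_updates_enabled": enabled}


def scan(paths=MMS_CFG_LOCATIONS):
    """Triage every existing file among the candidate paths; missing files are ignored."""
    results = {}
    for p in paths:
        path = Path(p)
        if path.is_file():
            results[p] = triage(parse_mms_cfg(path.read_text(errors="replace")))
    return results


# Constructed sample mirroring the admin-guide snippet, with a placeholder host.
SAMPLE_CFG = "AutoUpdateDisable=0\nSilentAutoUpdateEnable=1\nSilentAutoUpdateServerDomain=updates.corp.example\n"

if __name__ == "__main__":
    print(triage(parse_mms_cfg(SAMPLE_CFG)))
    for location, finding in scan().items():
        print(location, finding)
```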