Created April 21, 2022 21:31
Living off the Land method for logging keystrokes and taking screenshots using the built-in Windows utility Problem Steps Recorder (psr.exe)
Windows workstations have a built-in utility called Problem Steps Recorder that can be used covertly by penetration testers to record keystrokes and screenshots of user activity. There is no risk of AV flagging this since it is a signed Microsoft binary.
To start logging the user's activity:
psr.exe /start /gui 0 /output C:\Users\user\AppData\Local\log.zip
To stop logging:
psr.exe /stop
Once the process is stopped, the zip file will be created.
The zip will contain a single MHTML Web Archive with a filename in the format Recording_YYYYMMDD_HHmm.mht
Opening this file in a web browser will reveal a detailed log of all user activity for as long as PSR was running, including screenshots and keystrokes.
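
Because the binary is signed and AV is not expected to flag it, the command line is the practical detection point. The following is an added example, not part of the original gist: it parses process-creation records and flags psr.exe started with the GUI suppressed. The sample events are constructed, the field names assume Sysmon Event ID 1 logging, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample process-creation records (field names assume Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\psr.exe",
     "CommandLine": r"psr.exe /start /gui 0 /output C:\Users\user\AppData\Local\log.zip",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\psr.exe",
     "CommandLine": r'"C:\Windows\System32\psr.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\psr.exe",
     "CommandLine": "PSR.EXE /stop",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes\psr.exe-howto.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def parse_psr(event):
    """Return the psr.exe switches found in an event, or None if it is not psr.exe."""
    if ntpath.basename(event["Image"]).lower() != "psr.exe":
        return None
    # Split on whitespace but keep quoted paths (which may contain spaces) together.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', event["CommandLine"])]
    opts = {}
    i = 1  # tokens[0] is the program name
    while i < len(tokens):
        key = tokens[i].lower()
        if key in ("/gui", "/output") and i + 1 < len(tokens):
            opts[key] = tokens[i + 1]  # switches that take a value
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts

def classify(event):
    """'alert': recording started with GUI hidden; 'review': other scripted use; else 'ok'."""
    opts = parse_psr(event)
    if not opts:  # not psr.exe, or an interactive launch with no switches
        return "ok"
    if "/start" in opts and opts.get("/gui") == "0":
        return "alert"
    return "review"

def scan(events):
    """Classify every event and pair the verdict with its command line."""
    return [(classify(e), e["CommandLine"]) for e in events]
```

On an alert, the parsed /output value tells the responder which zip file to collect.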