Via securityaegis and seen in Twitter .

Shellbags are a set of registry keys that store the preferences of each folder that has been opened at l east one time with Windows Explorer (local,remote, portable devices, etc.).

From a Post Exploitat ion point of view, this information offers us a good idea of the activities being carried in the exploited deskt op computer. Thus, we can figure out how critical the computer and the the information it holds are for our cost umer.

The linked post comments that, during a big engagement, we may pop up a shell in a computer tha t belongs to HR, R&D, etc..  but, at first sight, we could not distinguish how important it is compared to several other similar desktops among the organization.

Below you can find a demo of the meterpret er script in action.

Shellbag from Securityae gis on Vimeo