-
Notifications
You must be signed in to change notification settings - Fork 197
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
134 changed files
with
1,982 additions
and
133 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
Description: 'Ese2csv: Parsing SRUM Database' | ||
Category: SRUMDatabase | ||
Author: Max Ye | ||
Version: 1.0 | ||
Id: 852b64c1-fd0e-47ec-8aa4-0994dbf5d8d1 | ||
BinaryUrl: https://github.com/MarkBaggett/ese-analyst/archive/master.zip | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: ese-analyst\ese2csv.exe | ||
CommandLine: -o %destinationDirectory% -p srudb_plugin --plugin-args "%sourceDirectory%\Windows\System32\config\SOFTWARE" -- "%sourceDirectory%\Windows\System32\sru\SRUDB.dat" | ||
ExportFormat: csv | ||
|
||
# Documentation | ||
# https://github.com/MarkBaggett/ese-analyst | ||
# Create a folder "ese-analyst" within the ".\KAPE\Modules\bin" folder | ||
# Place both files "ese2csv.exe" and "srudb_plugin.py" into ".\KAPE\Modules\bin\ese-analyst" | ||
# When using this Module, the Module source should be set to OS drive root directory (e.g. C:\), because parameters use absolute paths |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
Description: 'Mplog-Parser: parses Microsoft Protection log files into CSV files' | ||
Category: Antivirus | ||
Author: Thomas DIOT (Qazeer) | ||
Version: 1.0 | ||
Id: 6084c8ab-2059-41a4-89f4-dba2cfdb4bb4 | ||
BinaryUrl: https://github.com/Qazeer/mplog_parser-compiled/releases/download/v1.0/mplog_parser.exe | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: mplog_parser.exe | ||
CommandLine: -d "%SourceDirectory%\ProgramData\Microsoft\Windows Defender\Support" -o "%destinationDirectory%" | ||
ExportFormat: csv | ||
|
||
# Documentation | ||
# Mplog-Parser parses Microsoft Protection log files into a number of CSV files. | ||
# mplog_parser source: https://github.com/Intrinsec/mplog_parser | ||
# Compiled version: https://github.com/Qazeer/mplog_parser-compiled | ||
# Information on Windows Defender MPLog: | ||
# https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/ | ||
# https://www.intrinsec.com/hunt-mplogs/ | ||
# https://artefacts.help/windows_defender_support_logs.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest. | ||
Category: GitHub | ||
Author: Tristan PINCEAUX - CERT CWATCH - ALMOND | ||
Version: 1.0 | ||
Id: 6666cc62-821f-4b13-b13a-03c768b40f71 | ||
BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1 | ||
ExportFormat: csv | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% " | ||
ExportFormat: csv | ||
|
||
# Documentation | ||
# ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency). | ||
# You can use the output of this script to determine persistance, sensitives accounts, suspicious activities... | ||
# You need to run this script on a live domain controller. | ||
# This script will generate four files: | ||
# - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved. | ||
# - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain. | ||
# - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP. | ||
# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog. | ||
# https://github.com/ANSSI-FR/ADTimeline | ||
# https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf |
20 changes: 20 additions & 0 deletions
20
Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
Description: Execute-UsnJrnlRewind.ps1 - Execute usnjrnl_rewind.exe on MFT and UsnJrnl CSV from MFTEcmd to "rewind" the UsnJrnl and add their full path to UsnJrnl entries. Works on the module destination directory. | ||
Category: FileSystem | ||
Author: CyberCX-DFIR, Thomas DIOT (Qazeer) | ||
Version: 1.0 | ||
Id: 82db8f91-7131-4c8e-a2d6-48cb52336ff9 | ||
BinaryUrl: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0 | ||
ExportFormat: CSV | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ||
CommandLine: "& '%kapeDirectory%\\Modules\\bin\\Execute-UsnJrnlRewind.ps1' -UsnJrnlRewindBinary '%kapeDirectory%\\Modules\\bin\\usnjrnl_rewind.exe' -InputDir '%destinationDirectory%' -OutputDir '%destinationDirectory%'" | ||
ExportFormat: CSV | ||
|
||
# Documentation | ||
# Process the module destinationDirectory\Filesystem folder to rewind the UsnJrnl following an execution of the MFTEcmd_$MFT and MFTEcmd_$J KAPE modules. | ||
# Execute-UsnJrnlRewind.ps1 is a simple wrapper to usnjrnl_rewind.exe that finds and executes usnjrnl_rewind.exe on MFT and UsnJrnl CSV found in the specified folder. | ||
# CyberCX NTFS Usnjrnl Rewind: https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/ | ||
# Original usnjrnl_rewind.py: https://github.com/CyberCX-DFIR/usnjrnl_rewind | ||
# Execute-UsnJrnlRewind.ps1 wrapper: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0 | ||
# usnjrnl_rewind.exe (https://github.com/Qazeer/usnjrnl_rewind_compiled/releases) must be placed under "%kapeDirectory%\Modules\bin\usnjrnl_rewind.exe". |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
Description: Module to extract a copy of MobaXterm encrypted credentials | ||
Category: Live Response | ||
Author: Vito Alfano | ||
Version: 1.0 | ||
Id: 1dc46684-fee1-40ab-9a25-216ec41df4a9 | ||
ExportFormat: txt | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\cmd.exe | ||
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\C" %destinationDirectory%\MobaXterm_Credentials_key.txt | ||
ExportFormat: txt | ||
|
||
# Documentation | ||
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ | ||
# https://github.com/XMCyber/XMCredentialsDecryptor |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
Description: Module to extract a copy of MobaXterm encrypted master password | ||
Category: Live Response | ||
Author: Vito Alfano | ||
Version: 1.0 | ||
Id: 4ca41e3e-918e-419f-b7cf-22a8cdb1da0f | ||
ExportFormat: txt | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\cmd.exe | ||
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\M" %destinationDirectory%\Mobaterm_MasterPass_key.txt | ||
ExportFormat: txt | ||
|
||
# Documentation | ||
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ | ||
# https://github.com/XMCyber/XMCredentialsDecryptor |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
Description: Module to extract a copy of MobaXterm encrypted passwords | ||
Category: Live Response | ||
Author: Vito Alfano | ||
Version: 1.0 | ||
Id: a7473175-e108-4b93-81cb-49c6e7d37ff9 | ||
ExportFormat: txt | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\cmd.exe | ||
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\MobaXterm_Pass_key.txt | ||
ExportFormat: txt | ||
|
||
# Documentation | ||
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ | ||
# https://github.com/XMCyber/XMCredentialsDecryptor |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
Description: Module to extract a copy of WinSCP encrypted credentials | ||
Category: Live Response | ||
Author: Vito Alfano | ||
Version: 1.0 | ||
Id: e00dac99-3a59-4c59-911c-95eda1769250 | ||
ExportFormat: txt | ||
Processors: | ||
- | ||
Executable: C:\Windows\System32\cmd.exe | ||
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" %destinationDirectory%\winscp2_sessions_key.txt | ||
ExportFormat: txt | ||
|
||
# Documentation | ||
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ | ||
# https://github.com/XMCyber/XMCredentialsDecryptor |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
Description: Block Parser Zipped | ||
Category: EventLogs | ||
Author: Phill Moore, Reece394 | ||
Version: 1.1 | ||
Id: cb817a29-bab0-4051-ac7d-7019d6e2ac65 | ||
BinaryUrl: https://github.com/randomaccess3/block-parser | ||
FileMask: "Microsoft-Windows-PowerShell%4Operational.evtx" | ||
ExportFormat: zip | ||
Processors: | ||
- | ||
Executable: block-parser.exe | ||
CommandLine: -o %destinationDirectory% -z %sourceFile% | ||
ExportFormat: zip | ||
|
||
# Documentation | ||
# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.