Merge branch 'master' into master
AndrewRathbun authored Sep 27, 2024
2 parents ad5aded + 322839d commit 8528f58
Showing 134 changed files with 1,982 additions and 133 deletions.
15 changes: 12 additions & 3 deletions .github/workflows/verify.yml
Original file line number Diff line number Diff line change
@@ -4,6 +4,15 @@ jobs:
lintAllTheThings:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3
- uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install yamllint
run: pip install yamllint
- name: Run yamllint on Targets
run: yamllint Targets/**/*.tkape
- name: Run yamllint on Modules
run: yamllint Modules/**/*.mkape
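Review bot: the `**` in `yamllint Targets/**/*.tkape` and `yamllint Modules/**/*.mkape` only recurses when bash globstar is on, and the default `run:` shell on ubuntu-latest does not enable it, so `**` degrades to a single directory level: files such as `Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape` added in this very commit would never be linted, and if nothing matches at that depth the literal pattern is handed to yamllint and the job fails for the wrong reason. Prefix the commands with `shopt -s globstar`, or use `find Targets -name '*.tkape' -exec yamllint {} +` (and the same for `Modules`/`*.mkape`), which lints every explicitly listed file regardless of extension. `pip install yamllint` is also unpinned; pin it to a specific version so a new linter release cannot silently change the CI result.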

18 changes: 18 additions & 0 deletions Modules/Apps/GitHub/Ese2csv_SRUM.mkape
@@ -0,0 +1,18 @@
Description: 'Ese2csv: Parsing SRUM Database'
Category: SRUMDatabase
Author: Max Ye
Version: 1.0
Id: 852b64c1-fd0e-47ec-8aa4-0994dbf5d8d1
BinaryUrl: https://github.com/MarkBaggett/ese-analyst/archive/master.zip
ExportFormat: csv
Processors:
-
Executable: ese-analyst\ese2csv.exe
CommandLine: -o %destinationDirectory% -p srudb_plugin --plugin-args "%sourceDirectory%\Windows\System32\config\SOFTWARE" -- "%sourceDirectory%\Windows\System32\sru\SRUDB.dat"
ExportFormat: csv

# Documentation
# https://github.com/MarkBaggett/ese-analyst
# Create a folder "ese-analyst" within the ".\KAPE\Modules\bin" folder
# Place both files "ese2csv.exe" and "srudb_plugin.py" into ".\KAPE\Modules\bin\ese-analyst"
# When using this Module, the Module source should be set to OS drive root directory (e.g. C:\), because parameters use absolute paths
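Review bot: `BinaryUrl` points at `archive/master.zip`, a mutable branch archive, so the `ese2csv.exe` and `srudb_plugin.py` a user drops into `Modules\bin\ese-analyst` are whatever master contains on the day of download; pin to a tagged release or a commit-specific archive URL and list the expected files in the `# Documentation` block. The note that the module source must be the OS drive root deserves a mention in `Description` as well, because both the `--plugin-args` SOFTWARE hive path and the `SRUDB.dat` path are rooted at `%sourceDirectory%\Windows\...` and the run fails silently if the source points anywhere else.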
4 changes: 2 additions & 2 deletions Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape
@@ -1,14 +1,14 @@
Description: Hayabusa a timeline generator for Windows event logs - Live
Category: EventLogs
Author: Georg Lauenstein (sure[secure])
Version: 1.4
Version: 1.5
Id: 9696412c-c973-4fd4-a426-06318011b8ba
BinaryUrl: https://github.com/Yamato-Security/hayabusa/releases
ExportFormat: csv
Processors:
-
Executable: hayabusa\hayabusa.exe
CommandLine: csv-timeline --live-analysis --profile standard --min-level medium --quiet --UTC -o %destinationDirectory%\hayabusa_events_live_system.csv
CommandLine: csv-timeline --live-analysis --profile standard -w --min-level medium --quiet --UTC -o %destinationDirectory%\hayabusa_events_live_system.csv
ExportFormat: csv

# Documentation
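Review bot: `-w` is a recent Hayabusa option (it suppresses the interactive csv-timeline wizard), and this hunk bumps `Version` but shows no documentation change stating the minimum Hayabusa release that accepts it; an older `hayabusa.exe` in `Modules\bin` will reject the unknown flag and the module will write no `hayabusa_events_live_system.csv`. Add the minimum version to the `# Documentation` block.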
4 changes: 2 additions & 2 deletions Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape
@@ -1,14 +1,14 @@
Description: Hayabusa a timeline generator for Windows event logs - Offline
Category: EventLogs
Author: Georg Lauenstein (sure[secure])
Version: 1.3
Version: 1.4
Id: 49f9cd2d-3da5-4349-a9aa-c2b450582ccc
BinaryUrl: https://github.com/Yamato-Security/hayabusa/releases
ExportFormat: csv
Processors:
-
Executable: hayabusa\hayabusa.exe
CommandLine: csv-timeline -d %sourceDirectory% --profile standard --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv
CommandLine: csv-timeline -d %sourceDirectory% --profile standard -w --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv
ExportFormat: csv

# Documentation
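Review bot: same `-w` addition as in the live-response module: state the minimum Hayabusa release that accepts the flag in `# Documentation`, since an older binary exits on the unknown option and leaves `hayabusa_events_offline.csv` unwritten.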
21 changes: 21 additions & 0 deletions Modules/Apps/GitHub/Mplog-Parser.mkape
@@ -0,0 +1,21 @@
Description: 'Mplog-Parser: parses Microsoft Protection log files into CSV files'
Category: Antivirus
Author: Thomas DIOT (Qazeer)
Version: 1.0
Id: 6084c8ab-2059-41a4-89f4-dba2cfdb4bb4
BinaryUrl: https://github.com/Qazeer/mplog_parser-compiled/releases/download/v1.0/mplog_parser.exe
ExportFormat: csv
Processors:
-
Executable: mplog_parser.exe
CommandLine: -d "%SourceDirectory%\ProgramData\Microsoft\Windows Defender\Support" -o "%destinationDirectory%"
ExportFormat: csv

# Documentation
# Mplog-Parser parses Microsoft Protection log files into a number of CSV files.
# mplog_parser source: https://github.com/Intrinsec/mplog_parser
# Compiled version: https://github.com/Qazeer/mplog_parser-compiled
# Information on Windows Defender MPLog:
# https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/
# https://www.intrinsec.com/hunt-mplogs/
# https://artefacts.help/windows_defender_support_logs.html
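Review bot: `%SourceDirectory%` is capitalized differently from `%destinationDirectory%` on the same line and from every other module in this commit; keep it as `%sourceDirectory%` so the variable is easy to grep for. Because the input path is rooted at `%SourceDirectory%\ProgramData\Microsoft\Windows Defender\Support`, the `# Documentation` block should also say that the module source must be a drive root (or a KAPE target output that preserves the `ProgramData` layout), as the Ese2csv module added in this commit does.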
2 changes: 1 addition & 1 deletion Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape
@@ -12,7 +12,7 @@ Processors:
ExportFormat: xlsx
-
Executable: hindsight.exe
CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f json
CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f jsonl
ExportFormat: json

# Documentation
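Review bot: the output format switches from `-f json` to `-f jsonl`, but `ExportFormat` on the next line still reads `json`, and the file header (1 addition, 1 deletion) shows `Version` was not bumped. Newline-delimited JSON is not a single JSON document, so anything downstream that loads `Hindsight_output` with a plain JSON parser will break; change `ExportFormat` to `jsonl` (or note the change in `# Documentation`) and bump `Version`.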
24 changes: 24 additions & 0 deletions Modules/Apps/GitHub/PowerShell_AD_Timeline.mkape
@@ -0,0 +1,24 @@
Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.
Category: GitHub
Author: Tristan PINCEAUX - CERT CWATCH - ALMOND
Version: 1.0
Id: 6666cc62-821f-4b13-b13a-03c768b40f71
BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1
ExportFormat: csv
Processors:
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% "
ExportFormat: csv

# Documentation
# ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency).
# You can use the output of this script to determine persistance, sensitives accounts, suspicious activities...
# You need to run this script on a live domain controller.
# This script will generate four files:
# - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved.
# - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain.
# - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP.
# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog.
# https://github.com/ANSSI-FR/ADTimeline
# https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf
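Review bot: `BinaryUrl` is the raw `master` branch of `ADTimeline.ps1`, and the command line executes that script with `-ep bypass` on a live domain controller, so whoever stages `Modules\bin` gets an unpinned script run with policy checks disabled; pin to a tagged release or commit and publish the expected hash in `# Documentation`. The chained `Move-Item timeline_*.csv ...` calls use relative paths and assume the script writes to the current working directory of the KAPE process; resolve them against an explicit directory (or `Set-Location` first) so outputs are not left behind or a stale file swept into `%destinationDirectory%`. Minor: `Category: GitHub` names the source rather than the artifact (`ActiveDirectory` would match the other modules' convention), and the `CommandLine` string has a trailing space before the closing quote.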
20 changes: 20 additions & 0 deletions Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape
@@ -0,0 +1,20 @@
Description: Execute-UsnJrnlRewind.ps1 - Execute usnjrnl_rewind.exe on MFT and UsnJrnl CSV from MFTEcmd to "rewind" the UsnJrnl and add their full path to UsnJrnl entries. Works on the module destination directory.
Category: FileSystem
Author: CyberCX-DFIR, Thomas DIOT (Qazeer)
Version: 1.0
Id: 82db8f91-7131-4c8e-a2d6-48cb52336ff9
BinaryUrl: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0
ExportFormat: CSV
Processors:
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "& '%kapeDirectory%\\Modules\\bin\\Execute-UsnJrnlRewind.ps1' -UsnJrnlRewindBinary '%kapeDirectory%\\Modules\\bin\\usnjrnl_rewind.exe' -InputDir '%destinationDirectory%' -OutputDir '%destinationDirectory%'"
ExportFormat: CSV

# Documentation
# Process the module destinationDirectory\Filesystem folder to rewind the UsnJrnl following an execution of the MFTEcmd_$MFT and MFTEcmd_$J KAPE modules.
# Execute-UsnJrnlRewind.ps1 is a simple wrapper to usnjrnl_rewind.exe that finds and executes usnjrnl_rewind.exe on MFT and UsnJrnl CSV found in the specified folder.
# CyberCX NTFS Usnjrnl Rewind: https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/
# Original usnjrnl_rewind.py: https://github.com/CyberCX-DFIR/usnjrnl_rewind
# Execute-UsnJrnlRewind.ps1 wrapper: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0
# usnjrnl_rewind.exe (https://github.com/Qazeer/usnjrnl_rewind_compiled/releases) must be placed under "%kapeDirectory%\Modules\bin\usnjrnl_rewind.exe".
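Review bot: this module only works if `MFTECmd_$MFT` and `MFTECmd_$J` have already written their CSVs into the same `%destinationDirectory%`, and a standalone `.mkape` cannot express that ordering; `# Documentation` (and ideally `Description`) should say it is meant to run from a compound module after those two. `usnjrnl_rewind.exe` has no `BinaryUrl` entry and the wrapper's `BinaryUrl` is a mutable gist, so neither dependency is pinned; reference the release URL given in the last documentation line and a fixed gist revision. Minor: `ExportFormat: CSV` is uppercase while the rest of the repository uses `csv`, and unlike `PowerShell_AD_Timeline.mkape` in this commit the command line sets no execution policy, so the script will not run on hosts with a `Restricted` policy.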
@@ -3,7 +3,7 @@ Category: ChainsawSync
Author: Andrew Rathbun
Version: 1.0
Id: b3fc53a5-4f10-431d-903a-65700bf16e2f
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Get-ChainsawSigmaRules.ps1
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Get-ChainsawSigmaRules.ps1
ExportFormat: txt
Processors:
-
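Review bot: the `BinaryUrl` path is corrected to the `KAPE/` subfolder but `Version` stays at `1.0`; the other modules in this commit bump `Version` whenever a field changes, and the same omission recurs in the following `DFIRPowerShellScripts` hunks (`MFTECmd%24J%24MFTParser.ps1`, `Move-KAPEConsoleHost_history.ps1`, `Parse-MatterMostDownloadsJson.ps1`, `SRUM-Repair.ps1`, `SUM-Repair.ps1`). Also, `blob/` URLs serve the GitHub HTML page rather than the script, so anyone automating the download should use `raw.githubusercontent.com`, as `PowerShell_AD_Timeline.mkape` in this commit does.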
2 changes: 1 addition & 1 deletion Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape
@@ -3,7 +3,7 @@ Category: FileSystem
Author: Andrew Rathbun
Version: 1.1
Id: ac0660c3-4eb2-4dee-ad90-5ef782b94750
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/MFTECmd%24J%24MFTParser.ps1
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/MFTECmd%24J%24MFTParser.ps1
ExportFormat: csv
Processors:
-
@@ -3,7 +3,7 @@ Category: PowerShellHistory
Author: Andrew Rathbun and Matt Arbaugh
Version: 1.0
Id: e57584ec-0c9a-49cf-9ac5-7d42c7570fae
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Move-KAPEConsoleHost_history.ps1
ExportFormat: txt
Processors:
-
@@ -3,7 +3,7 @@ Category: Downloads
Author: Andrew Rathbun
Version: 1.0
Id: cb794d78-a91a-4119-95b5-3a3b844d3fbe
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Parse-MatterMostDownloadsJson.ps1
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Parse-MatterMostDownloadsJson.ps1
ExportFormat: csv
Processors:
-
@@ -3,7 +3,7 @@ Category: SRUM
Author: Matthew Arbaugh
Version: 1.0
Id: a03a3be0-0101-42cc-a639-484ab24e0018
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SRUM-Repair.ps1
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/SRUM-Repair.ps1
ExportFormat: csv
Processors:
-
@@ -3,7 +3,7 @@ Category: SUM
Author: Matthew Arbaugh
Version: 1.0
Id: 92cc0f6c-4e41-4b1f-b250-4b016724f1c8
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SUM-Repair.ps1
BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/SUM-Repair.ps1
ExportFormat: csv
Processors:
-
8 changes: 4 additions & 4 deletions Modules/Apps/GitHub/SRUMDump.mkape
@@ -1,14 +1,14 @@
Description: 'SRUM-dump: Dump contents of the SRUM database'
Category: SystemActivity
Author: Brian Maloney, Jay Houlden, Vito Alfano
Version: 1.2
Version: 1.3
Id: 74ee622c-2fb2-11ee-be56-0242ac120002
BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.5/srum_dump2.exe
BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.6/srum_dump2.6.exe
ExportFormat: xlsx
Processors:
-
Executable: srum_dump2.exe
CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\sdrum_dump_result.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet
Executable: srum_dump.exe
CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\srum_dump_result.xlsx --XLSX_TEMPLATE SRUM_TEMPLATE3.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet
ExportFormat: xlsx

# Documentation
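Review bot: the new `BinaryUrl` downloads `srum_dump2.6.exe`, but `Executable` is changed to `srum_dump.exe`, so the module fails with a missing binary until the user renames the file; either set `Executable: srum_dump2.6.exe` or state the rename in `# Documentation`. The added `--XLSX_TEMPLATE SRUM_TEMPLATE3.xlsx` is a bare relative filename with no `BinaryUrl` or documentation line saying where the template comes from or where to place it (presumably beside the executable in `Modules\bin`); spell that out, since the run cannot produce the workbook if the template is not found at that path. The `sdrum_dump_result.xlsx` typo fix is welcome.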
15 changes: 15 additions & 0 deletions Modules/Apps/MobaXterm_Credentials_key.mkape
@@ -0,0 +1,15 @@
Description: Module to extract a copy of MobaXterm encrypted credentials
Category: Live Response
Author: Vito Alfano
Version: 1.0
Id: 1dc46684-fee1-40ab-9a25-216ec41df4a9
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\cmd.exe
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\C" %destinationDirectory%\MobaXterm_Credentials_key.txt
ExportFormat: txt

# Documentation
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
# https://github.com/XMCyber/XMCredentialsDecryptor
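Review bot: `reg export` targets `HKEY_CURRENT_USER`, which resolves to the account KAPE is running under, not the user whose MobaXterm profile is of interest; on a live-response collection run from a separate admin account this exports the wrong (usually empty) hive, and nothing in the module signals that. Document that the module must run in the target user's session, or load that user's `NTUSER.DAT` and export from `HKEY_USERS\<SID>\Software\Mobatek\MobaXterm\C` instead. `reg export` also prompts before overwriting an existing file unless `/y` is passed, which hangs an unattended re-run into the same `%destinationDirectory%`; add `/y`. Minor: `Category: Live Response` (with a space) differs from the `LiveResponse` spelling used elsewhere in the repository (see the Autoruns module in this commit).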
15 changes: 15 additions & 0 deletions Modules/Apps/MobaXterm_Master_Pass.mkape
@@ -0,0 +1,15 @@
Description: Module to extract a copy of MobaXterm encrypted master password
Category: Live Response
Author: Vito Alfano
Version: 1.0
Id: 4ca41e3e-918e-419f-b7cf-22a8cdb1da0f
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\cmd.exe
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\M" %destinationDirectory%\Mobaterm_MasterPass_key.txt
ExportFormat: txt

# Documentation
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
# https://github.com/XMCyber/XMCredentialsDecryptor
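Review bot: the output filename `Mobaterm_MasterPass_key.txt` drops the X from MobaXterm, so it will not sort next to the sibling `MobaXterm_*` exports; rename it to `MobaXterm_MasterPass_key.txt`. As with the other MobaXterm modules, `HKEY_CURRENT_USER` is the hive of the account running KAPE rather than the user under investigation, and `reg export` needs `/y` to avoid an overwrite prompt on a re-run.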
15 changes: 15 additions & 0 deletions Modules/Apps/MobaXterm_Passwords_key.mkape
@@ -0,0 +1,15 @@
Description: Module to extract a copy of MobaXterm encrypted passwords
Category: Live Response
Author: Vito Alfano
Version: 1.0
Id: a7473175-e108-4b93-81cb-49c6e7d37ff9
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\cmd.exe
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\MobaXterm_Pass_key.txt
ExportFormat: txt

# Documentation
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
# https://github.com/XMCyber/XMCredentialsDecryptor
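Review bot: add `/y` to `reg export` so a second run into the same `%destinationDirectory%` does not block on the overwrite prompt, and document that `HKEY_CURRENT_USER` is the executing account's hive, so the module has to run in the session of the user whose MobaXterm passwords are being collected (or export from `HKEY_USERS\<SID>\...` after loading that user's hive).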
2 changes: 1 addition & 1 deletion Modules/Apps/NTFSLogTracker_$J.mkape
@@ -3,7 +3,7 @@ Category: FileSystem
Author: Hyun Yi @hyuunnn and Vito Alfano
Version: 1.1
Id: 74ee5d04-2fb2-11ee-be56-0242ac120002
BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web
BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/
ExportFormat: sqlite3
FileMask: $J
Processors:
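Review bot: the new `BinaryUrl` is the project's landing page rather than a direct download, so it cannot be fetched automatically; if no stable direct link exists, say so in `# Documentation` together with the tool version the module expects (the sibling `$LogFile` module's `Executable` path names `NTFS Log Tracker v1.71 CMD`). `Version` is also left at `1.1` although the file changed.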
8 changes: 4 additions & 4 deletions Modules/Apps/NTFSLogTracker_$LogFile.mkape
@@ -3,17 +3,17 @@ Category: FileSystem
Author: Hyun Yi @hyuunnn and Vito Alfano
Version: 1.1
Id: 74ee60a6-2fb2-11ee-be56-0242ac120002
BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web
BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/
ExportFormat: sqlite3
FileMask: $J
FileMask: $LogFile
Processors:
-
Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe
CommandLine: -u %sourceFile% -o %destinationDirectory%
CommandLine: -l %sourceFile% -o %destinationDirectory%
ExportFormat: sqlite3
-
Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe
CommandLine: -u %sourceFile% -o %destinationDirectory% -c
CommandLine: -l %sourceFile% -o %destinationDirectory% -c
ExportFormat: csv

# Documentation
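Review bot: this fixes a real copy-paste bug (the `$LogFile` module carried `FileMask: $J` and the `-u` UsnJrnl switch, so it parsed the wrong artifact), but `Version` stays at `1.1`; bump it so users who sync modules can tell the corrected module from the broken one. The `BinaryUrl` also becomes a landing page, so record the expected tool version (`v1.71`, per the `Executable` path) in `# Documentation`.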
6 changes: 3 additions & 3 deletions Modules/Apps/SysInternals/SysInternals_Autoruns.mkape
@@ -1,14 +1,14 @@
Description: Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
Category: LiveResponse
Category: Persistence
Author: Andy Furnas, Encoding updates by piesecurity, Andreas Hunkeler (@Karneades)
Version: 1.4
Version: 1.5
Id: c95e71bd-7abb-48c3-abae-f48b9ff19dec
BinaryUrl: https://download.sysinternals.com/files/Autoruns.zip
ExportFormat: csv
Processors:
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Path '%destinationDirectory%\autoruns.csv'"
CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Encoding UTF8 -Path '%destinationDirectory%\Autoruns.csv'"
ExportFormat: csv

# Documentation
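Review bot: `Set-Content -Encoding UTF8` only controls how PowerShell writes the file; how the `autorunsc.exe` output is decoded on the way in is governed by `[Console]::OutputEncoding`, so entries that were mangled before this change can still be mangled after it, and on Windows PowerShell 5.1 `-Encoding UTF8` additionally prepends a BOM that downstream CSV tooling may or may not expect. Test with an entry containing non-ASCII characters before relying on the fix. The output file is also renamed from `autoruns.csv` to `Autoruns.csv`, a silent change for any script that matches the lowercase name; mention it in `# Documentation`. Moving the category from `LiveResponse` to `Persistence` is sensible, but the module still only runs against the live host (`-a *` enumerates the running system), which the old category conveyed.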
15 changes: 15 additions & 0 deletions Modules/Apps/WinSCP_Session.mkape
@@ -0,0 +1,15 @@
Description: Module to extract a copy of WinSCP encrypted credentials
Category: Live Response
Author: Vito Alfano
Version: 1.0
Id: e00dac99-3a59-4c59-911c-95eda1769250
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\cmd.exe
CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" %destinationDirectory%\winscp2_sessions_key.txt
ExportFormat: txt

# Documentation
# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/
# https://github.com/XMCyber/XMCredentialsDecryptor
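Review bot: same `HKEY_CURRENT_USER` scope and missing `/y` as the MobaXterm modules in this commit: the export captures the WinSCP sessions of whoever runs KAPE, and `reg export` will prompt rather than overwrite an existing `winscp2_sessions_key.txt`. Since the `Sessions` key holds hostnames, usernames and the stored password strings, the `# Documentation` block should flag the output as credential material to be handled under the case's evidence controls.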
16 changes: 16 additions & 0 deletions Modules/Apps/block-parser-zipped.mkape
@@ -0,0 +1,16 @@
Description: Block Parser Zipped
Category: EventLogs
Author: Phill Moore, Reece394
Version: 1.1
Id: cb817a29-bab0-4051-ac7d-7019d6e2ac65
BinaryUrl: https://github.com/randomaccess3/block-parser
FileMask: "Microsoft-Windows-PowerShell%4Operational.evtx"
ExportFormat: zip
Processors:
-
Executable: block-parser.exe
CommandLine: -o %destinationDirectory% -z %sourceFile%
ExportFormat: zip

# Documentation
# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
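Review bot: `BinaryUrl` points at the repository root rather than a release asset, so `block-parser.exe` is not pinned to a build; link the release and note that it must be one that understands `-z`. `Version: 1.1` on a brand-new file is also odd, since the other new modules in this commit start at `1.0`. The documentation link is a 2016 FireEye blog URL; verify it still resolves before merging.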
4 changes: 2 additions & 2 deletions Modules/Compound/!EZParser.mkape
@@ -1,7 +1,7 @@
Description: Eric Zimmerman Parsers
Category: Modules
Author: Phill Moore
Version: 1.4
Version: 1.5
Id: f531e7cc-c9f3-4d04-881b-dbc89d1e7f38
BinaryUrl: https://ericzimmerman.github.io/
ExportFormat: csv
@@ -43,7 +43,7 @@ Processors:
CommandLine: ""
ExportFormat: ""
-
Executable: RECmd_Kroll.mkape
Executable: RECmd_DFIRBatch.mkape
CommandLine: ""
ExportFormat: ""
-
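Review bot: the compound module now references `RECmd_DFIRBatch.mkape`; confirm that `RECmd_Kroll.mkape` is actually renamed to that name in this same commit (the file list on this page is truncated), otherwise the registry step of `!EZParser` will reference a module that does not exist. A line in the module's documentation noting the rename would help users who maintain local copies of the old name.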
2 changes: 1 addition & 1 deletion Modules/Compound/NTFSLogTracker.mkape
@@ -3,7 +3,7 @@ Category: FileSystem
Author: Hyun Yi @hyuunnn
Version: 1.0
Id: 094e8964-ea15-4be1-869d-7b8fa1b55ada
BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/NTFS Log Tracker v1.6 CMD.zip
BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/
ExportFormat: sqlite3
Processors:
-
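Review bot: the `BinaryUrl` drops the specific `NTFS Log Tracker v1.6 CMD.zip` reference in favour of the landing page while the component modules in this commit run `NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe`; record the expected version in `# Documentation` so the compound module and its children stay in step, and bump `Version`, which is unchanged at `1.0`.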