diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 82eaf36b1f..bd4666f4ac 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -4,6 +4,15 @@ jobs: lintAllTheThings: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - name: yaml-lint - uses: ibiqlik/action-yamllint@v3 + - uses: actions/checkout@v4 + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + - name: Install yamllint + run: pip install yamllint + - name: Run yamllint on Targets + run: yamllint Targets/**/*.tkape + - name: Run yamllint on Modules + run: yamllint Modules/**/*.mkape + diff --git a/Modules/Apps/GitHub/Ese2csv_SRUM.mkape b/Modules/Apps/GitHub/Ese2csv_SRUM.mkape new file mode 100755 index 0000000000..55398a24eb --- /dev/null +++ b/Modules/Apps/GitHub/Ese2csv_SRUM.mkape @@ -0,0 +1,18 @@ +Description: 'Ese2csv: Parsing SRUM Database' +Category: SRUMDatabase +Author: Max Ye +Version: 1.0 +Id: 852b64c1-fd0e-47ec-8aa4-0994dbf5d8d1 +BinaryUrl: https://github.com/MarkBaggett/ese-analyst/archive/master.zip +ExportFormat: csv +Processors: + - + Executable: ese-analyst\ese2csv.exe + CommandLine: -o %destinationDirectory% -p srudb_plugin --plugin-args "%sourceDirectory%\Windows\System32\config\SOFTWARE" -- "%sourceDirectory%\Windows\System32\sru\SRUDB.dat" + ExportFormat: csv + +# Documentation +# https://github.com/MarkBaggett/ese-analyst +# Create a folder "ese-analyst" within the ".\KAPE\Modules\bin" folder +# Place both files "ese2csv.exe" and "srudb_plugin.py" into ".\KAPE\Modules\bin\ese-analyst" +# When using this Module, the Module source should be set to OS drive root directory (e.g. C:\), because parameters use absolute paths diff --git a/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape b/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape index 6c0b4abc7e..e1403027ca 100644 --- a/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape 
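Review bot: The new `run: yamllint Targets/**/*.tkape` and `run: yamllint Modules/**/*.mkape` steps only reach one directory level, because the runner's default bash has globstar off and `**` then behaves like `*`, so deeper paths such as `Modules/Apps/GitHub/Hayabusa/*.mkape` (touched elsewhere in this diff) are never linted and the job passes without checking them. Enable recursive globbing in the step, e.g. `run: |` with `shopt -s globstar` on the first line and the `yamllint` call on the second, or drive it from `find Modules -name '*.mkape' -print0 | xargs -0 yamllint`. Separately, `pip install yamllint` is unpinned and the actions are referenced by floating major tags (`actions/checkout@v4`, `actions/setup-python@v5`); pinning yamllint to an exact version and the actions to full commit SHAs keeps this gate reproducible and shields it from a compromised upstream tag. Whether the job declares a `permissions:` block is not visible in the hunk.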
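Review bot: `BinaryUrl: https://github.com/MarkBaggett/ese-analyst/archive/master.zip` points at a moving branch archive rather than a release or commit, so the tool this module runs against evidence (`ese-analyst\ese2csv.exe`) cannot be tied to a known hash and may silently change between downloads. Prefer a tagged release or a commit-pinned archive URL, and record the expected SHA-256 of `ese2csv.exe` in the Documentation block. The Documentation block tells the user to place `ese2csv.exe` and `srudb_plugin.py` in `Modules\bin\ese-analyst`, but nothing in the hunk shows that the master zip contains a compiled `ese2csv.exe`; if it ships only Python source, the note should say where the executable comes from. Lastly, `Category: SRUMDatabase` differs from the `SRUM` and `SystemActivity` categories used by the other SRUM modules in this diff, which scatters SRUM output across three folders.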
+++ b/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape @@ -1,14 +1,14 @@ Description: Hayabusa a timeline generator for Windows event logs - Live Category: EventLogs Author: Georg Lauenstein (sure[secure]) -Version: 1.4 +Version: 1.5 Id: 9696412c-c973-4fd4-a426-06318011b8ba BinaryUrl: https://github.com/Yamato-Security/hayabusa/releases ExportFormat: csv Processors: - Executable: hayabusa\hayabusa.exe - CommandLine: csv-timeline --live-analysis --profile standard --min-level medium --quiet --UTC -o %destinationDirectory%\hayabusa_events_live_system.csv + CommandLine: csv-timeline --live-analysis --profile standard -w --min-level medium --quiet --UTC -o %destinationDirectory%\hayabusa_events_live_system.csv ExportFormat: csv # Documentation diff --git a/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape b/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape index d7dc1b5df3..d98ea53ca4 100644 --- a/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape +++ b/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape @@ -1,14 +1,14 @@ Description: Hayabusa a timeline generator for Windows event logs - Offline Category: EventLogs Author: Georg Lauenstein (sure[secure]) -Version: 1.3 +Version: 1.4 Id: 49f9cd2d-3da5-4349-a9aa-c2b450582ccc BinaryUrl: https://github.com/Yamato-Security/hayabusa/releases ExportFormat: csv Processors: - Executable: hayabusa\hayabusa.exe - CommandLine: csv-timeline -d %sourceDirectory% --profile standard --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv + CommandLine: csv-timeline -d %sourceDirectory% --profile standard -w --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv ExportFormat: csv # Documentation diff --git a/Modules/Apps/GitHub/Mplog-Parser.mkape b/Modules/Apps/GitHub/Mplog-Parser.mkape new file mode 100644 index 0000000000..bad3401b9c --- /dev/null +++ b/Modules/Apps/GitHub/Mplog-Parser.mkape 
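Review bot: The added `-w` switch on the `csv-timeline` CommandLine is only understood by Hayabusa builds that ship it (presumably the `--no-wizard` option of recent releases), so an older `hayabusa\hayabusa.exe` in `Modules\bin` will now fail on an unknown argument instead of producing a timeline. The Documentation block (outside the hunk) should state the minimum Hayabusa version this module requires, e.g. `# Requires a Hayabusa release that supports -w (--no-wizard); older binaries reject the switch.` The companion hayabusa_OfflineEventLogs change needs the same note.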
@@ -0,0 +1,21 @@ +Description: 'Mplog-Parser: parses Microsoft Protection log files into CSV files' +Category: Antivirus +Author: Thomas DIOT (Qazeer) +Version: 1.0 +Id: 6084c8ab-2059-41a4-89f4-dba2cfdb4bb4 +BinaryUrl: https://github.com/Qazeer/mplog_parser-compiled/releases/download/v1.0/mplog_parser.exe +ExportFormat: csv +Processors: + - + Executable: mplog_parser.exe + CommandLine: -d "%SourceDirectory%\ProgramData\Microsoft\Windows Defender\Support" -o "%destinationDirectory%" + ExportFormat: csv + +# Documentation +# Mplog-Parser parses Microsoft Protection log files into a number of CSV files. +# mplog_parser source: https://github.com/Intrinsec/mplog_parser +# Compiled version: https://github.com/Qazeer/mplog_parser-compiled +# Information on Windows Defender MPLog: +# https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/ +# https://www.intrinsec.com/hunt-mplogs/ +# https://artefacts.help/windows_defender_support_logs.html diff --git a/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape b/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape index 041645d6c8..43f5ef87af 100644 --- a/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape +++ b/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape @@ -12,7 +12,7 @@ Processors: ExportFormat: xlsx - Executable: hindsight.exe - CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f json + CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f jsonl ExportFormat: json # Documentation diff --git a/Modules/Apps/GitHub/PowerShell_AD_Timeline.mkape b/Modules/Apps/GitHub/PowerShell_AD_Timeline.mkape new file mode 100644 index 0000000000..9887abd075 --- /dev/null +++ b/Modules/Apps/GitHub/PowerShell_AD_Timeline.mkape 
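Review bot: `BinaryUrl` fetches `mplog_parser.exe` from a third-party repackaging repository (`Qazeer/mplog_parser-compiled`) rather than from the upstream author the Documentation block names (`Intrinsec/mplog_parser`), so the binary run against collected Defender logs is a compiled artifact whose provenance the module does not record. Add the expected SHA-256 of the release asset to the Documentation block, or note that the executable should be rebuilt from the Intrinsec source, so responders can verify what they deploy. Minor: `%SourceDirectory%` is capitalised differently from `%destinationDirectory%` on the same line and from `%sourceDirectory%` elsewhere in this diff; other modules already mix `%kapedirectory%` and `%kapeDirectory%`, which suggests substitution is case-insensitive, but aligning the spelling is cheap and removes the doubt.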
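Review bot: The CommandLine now asks Hindsight for `-f jsonl` while the processor's `ExportFormat` stays `json`, and the module `Version` (outside the hunk) is not bumped even though every other behavioural change in this diff increments it. Consider `ExportFormat: jsonl` so the declared format matches what Hindsight writes, and bump `Version`.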
@@ -0,0 +1,24 @@ +Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest. +Category: GitHub +Author: Tristan PINCEAUX - CERT CWATCH - ALMOND +Version: 1.0 +Id: 6666cc62-821f-4b13-b13a-03c768b40f71 +BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% " + ExportFormat: csv + +# Documentation +# ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency). +# You can use the output of this script to determine persistance, sensitives accounts, suspicious activities... +# You need to run this script on a live domain controller. +# This script will generate four files: +# - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved. +# - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain. +# - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP. +# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog. +# https://github.com/ANSSI-FR/ADTimeline +# https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf diff --git a/Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape b/Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape new file mode 100644 index 0000000000..c0c8e39cc6 --- /dev/null +++ b/Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape 
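Review bot: The CommandLine depends on the process working directory twice: if ADTimeline.ps1 writes its four outputs to the current directory, as the four wildcard `Move-Item timeline_*.csv ...` calls suggest, those moves then sweep whatever matches from that directory (including pre-existing files) into an unquoted `%destinationDirectory%`, which breaks when the path contains a space. Changing directory first removes both problems and makes the moves unnecessary: `CommandLine: "-ep bypass Set-Location '%destinationDirectory%'; & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'"`. Also worth documenting: `-ep bypass` executes an unsigned script that `BinaryUrl` pulls from a moving `master` branch on a live domain controller, so the Documentation block should tell responders to pin a commit and verify the script's hash before placing it in `Modules\bin`. `Category: GitHub` will name the output folder after the hosting site rather than the artifact; `ActiveDirectory` would match the repository's category style.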
@@ -0,0 +1,20 @@ +Description: Execute-UsnJrnlRewind.ps1 - Execute usnjrnl_rewind.exe on MFT and UsnJrnl CSV from MFTEcmd to "rewind" the UsnJrnl and add their full path to UsnJrnl entries. Works on the module destination directory. +Category: FileSystem +Author: CyberCX-DFIR, Thomas DIOT (Qazeer) +Version: 1.0 +Id: 82db8f91-7131-4c8e-a2d6-48cb52336ff9 +BinaryUrl: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0 +ExportFormat: CSV +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: "& '%kapeDirectory%\\Modules\\bin\\Execute-UsnJrnlRewind.ps1' -UsnJrnlRewindBinary '%kapeDirectory%\\Modules\\bin\\usnjrnl_rewind.exe' -InputDir '%destinationDirectory%' -OutputDir '%destinationDirectory%'" + ExportFormat: CSV + +# Documentation +# Process the module destinationDirectory\Filesystem folder to rewind the UsnJrnl following an execution of the MFTEcmd_$MFT and MFTEcmd_$J KAPE modules. +# Execute-UsnJrnlRewind.ps1 is a simple wrapper to usnjrnl_rewind.exe that finds and executes usnjrnl_rewind.exe on MFT and UsnJrnl CSV found in the specified folder. +# CyberCX NTFS Usnjrnl Rewind: https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/ +# Original usnjrnl_rewind.py: https://github.com/CyberCX-DFIR/usnjrnl_rewind +# Execute-UsnJrnlRewind.ps1 wrapper: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0 +# usnjrnl_rewind.exe (https://github.com/Qazeer/usnjrnl_rewind_compiled/releases) must be placed under "%kapeDirectory%\Modules\bin\usnjrnl_rewind.exe". diff --git a/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape b/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape index f5e5ce70db..bdd3491979 100644 --- a/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape +++ b/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape 
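Review bot: The CommandLine launches `Execute-UsnJrnlRewind.ps1` through `powershell.exe "& '...ps1' ..."` with no `-ExecutionPolicy Bypass`, so on hosts whose effective policy is Restricted (the Windows client default) the script is refused, whereas the PowerShell_AD_Timeline module in this same diff passes `-ep bypass`. Either prefix the command string with `-ExecutionPolicy Bypass` or document the policy requirement. Two smaller points: `ExportFormat: CSV` is upper-case while every other module in the diff uses `csv`, and `BinaryUrl` points at a gist plus a separately fetched compiled `usnjrnl_rewind.exe` from a repackaging repo, neither of which is versioned; recording the gist revision and the executable's SHA-256 in the Documentation block would let responders verify what they run.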
@@ -3,7 +3,7 @@ Category: ChainsawSync Author: Andrew Rathbun Version: 1.0 Id: b3fc53a5-4f10-431d-903a-65700bf16e2f -BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Get-ChainsawSigmaRules.ps1 +BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Get-ChainsawSigmaRules.ps1 ExportFormat: txt Processors: - diff --git a/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape b/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape index be1d579e01..0d2f5cdb9e 100644 --- a/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape +++ b/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape @@ -3,7 +3,7 @@ Category: FileSystem Author: Andrew Rathbun Version: 1.1 Id: ac0660c3-4eb2-4dee-ad90-5ef782b94750 -BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/MFTECmd%24J%24MFTParser.ps1 +BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/MFTECmd%24J%24MFTParser.ps1 ExportFormat: csv Processors: - diff --git a/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape b/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape index edec61b378..f86cc89c43 100644 --- a/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape +++ b/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape @@ -3,7 +3,7 @@ Category: PowerShellHistory Author: Andrew Rathbun and Matt Arbaugh Version: 1.0 Id: e57584ec-0c9a-49cf-9ac5-7d42c7570fae -BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1 +BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Move-KAPEConsoleHost_history.ps1 ExportFormat: txt Processors: - diff --git a/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape b/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape index a25a8e3455..02381a11a8 100644 --- a/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape 
+++ b/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape @@ -3,7 +3,7 @@ Category: Downloads Author: Andrew Rathbun Version: 1.0 Id: cb794d78-a91a-4119-95b5-3a3b844d3fbe -BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Parse-MatterMostDownloadsJson.ps1 +BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Parse-MatterMostDownloadsJson.ps1 ExportFormat: csv Processors: - diff --git a/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape b/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape index 867f7cf544..fb72bdfbcc 100644 --- a/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape +++ b/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape @@ -3,7 +3,7 @@ Category: SRUM Author: Matthew Arbaugh Version: 1.0 Id: a03a3be0-0101-42cc-a639-484ab24e0018 -BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SRUM-Repair.ps1 +BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/SRUM-Repair.ps1 ExportFormat: csv Processors: - diff --git a/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape b/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape index cd45fd26a6..4546184f44 100644 --- a/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape +++ b/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape @@ -3,7 +3,7 @@ Category: SUM Author: Matthew Arbaugh Version: 1.0 Id: 92cc0f6c-4e41-4b1f-b250-4b016724f1c8 -BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SUM-Repair.ps1 +BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/SUM-Repair.ps1 ExportFormat: csv Processors: - diff --git a/Modules/Apps/GitHub/SRUMDump.mkape b/Modules/Apps/GitHub/SRUMDump.mkape index 6c4acf70bc..c234d044f4 100644 --- a/Modules/Apps/GitHub/SRUMDump.mkape +++ b/Modules/Apps/GitHub/SRUMDump.mkape 
@@ -1,14 +1,14 @@ Description: 'SRUM-dump: Dump contents of the SRUM database' Category: SystemActivity Author: Brian Maloney, Jay Houlden, Vito Alfano -Version: 1.2 +Version: 1.3 Id: 74ee622c-2fb2-11ee-be56-0242ac120002 -BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.5/srum_dump2.exe +BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.6/srum_dump2.6.exe ExportFormat: xlsx Processors: - - Executable: srum_dump2.exe - CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\sdrum_dump_result.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet + Executable: srum_dump.exe + CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\srum_dump_result.xlsx --XLSX_TEMPLATE SRUM_TEMPLATE3.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet ExportFormat: xlsx # Documentation diff --git a/Modules/Apps/MobaXterm_Credentials_key.mkape b/Modules/Apps/MobaXterm_Credentials_key.mkape new file mode 100644 index 0000000000..930d8fa112 --- /dev/null +++ b/Modules/Apps/MobaXterm_Credentials_key.mkape @@ -0,0 +1,15 @@ +Description: Module to extract a copy of MobaXterm encrypted credentials +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: 1dc46684-fee1-40ab-9a25-216ec41df4a9 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\C" %destinationDirectory%\MobaXterm_Credentials_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor diff --git a/Modules/Apps/MobaXterm_Master_Pass.mkape b/Modules/Apps/MobaXterm_Master_Pass.mkape new file mode 100644 index 0000000000..95e8a4af41 --- /dev/null +++ b/Modules/Apps/MobaXterm_Master_Pass.mkape 
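Review bot: `Executable: srum_dump.exe` no longer matches the file name the new `BinaryUrl` delivers (`srum_dump2.6.exe`), whereas the previous pair (`srum_dump2.exe` in both places) agreed, so a responder who drops the downloaded asset into `Modules\bin` unchanged gets a module that cannot find its executable. Either set `Executable: srum_dump2.6.exe` or document the rename. The CommandLine also adds `--XLSX_TEMPLATE SRUM_TEMPLATE3.xlsx`, a relative path to a file the `BinaryUrl` does not provide; the Documentation block (outside the hunk) should say where the template comes from and where it must sit, since it is not evident whether srum_dump resolves the name against its own directory or the working directory.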
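Review bot: `reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\C"` reads the hive of the account running KAPE, not the account under investigation, so when the module is launched as SYSTEM or from a separate IR admin account (the usual live-response case) it exports the wrong user's key or nothing at all. Enumerating `HKEY_USERS\<SID>\Software\Mobatek\MobaXterm\C` for each loaded profile, or at least stating in the Documentation block that the module must run in the target user's session, would make the result trustworthy. The exported file holds credential material (encrypted, but the linked XMCredentialsDecryptor exists precisely to reverse it), so the documentation should mark the output as sensitive and ask for it to be kept in a protected container. `Category: Live Response` also puts a space into the output folder name, unlike the `LiveResponse`/`Persistence` style used elsewhere in this diff.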
@@ -0,0 +1,15 @@ +Description: Module to extract a copy of MobaXterm encrypted master password +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: 4ca41e3e-918e-419f-b7cf-22a8cdb1da0f +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\M" %destinationDirectory%\Mobaterm_MasterPass_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor diff --git a/Modules/Apps/MobaXterm_Passwords_key.mkape b/Modules/Apps/MobaXterm_Passwords_key.mkape new file mode 100644 index 0000000000..22c7ccfe71 --- /dev/null +++ b/Modules/Apps/MobaXterm_Passwords_key.mkape @@ -0,0 +1,15 @@ +Description: Module to extract a copy of MobaXterm encrypted passwords +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: a7473175-e108-4b93-81cb-49c6e7d37ff9 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\MobaXterm_Pass_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor diff --git a/Modules/Apps/NTFSLogTracker_$J.mkape b/Modules/Apps/NTFSLogTracker_$J.mkape index 5fb2f306d6..57cad27b37 100644 --- a/Modules/Apps/NTFSLogTracker_$J.mkape +++ b/Modules/Apps/NTFSLogTracker_$J.mkape @@ -3,7 +3,7 @@ Category: FileSystem Author: Hyun Yi @hyuunnn and Vito Alfano Version: 1.1 Id: 74ee5d04-2fb2-11ee-be56-0242ac120002 -BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web +BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/ ExportFormat: sqlite3 FileMask: $J Processors: 
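Review bot: The output file name `Mobaterm_MasterPass_key.txt` misspells the product and breaks the naming pattern of the sibling modules (`MobaXterm_Credentials_key.txt`, `MobaXterm_Pass_key.txt`), making the file easy to miss in the destination folder; change it to `MobaXterm_MasterPass_key.txt`. As with the siblings, `HKEY_CURRENT_USER` resolves to the account running KAPE rather than the user under investigation, which the Documentation block should state.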
diff --git a/Modules/Apps/NTFSLogTracker_$LogFile.mkape b/Modules/Apps/NTFSLogTracker_$LogFile.mkape index 0511706f87..6c270e0ce7 100644 --- a/Modules/Apps/NTFSLogTracker_$LogFile.mkape +++ b/Modules/Apps/NTFSLogTracker_$LogFile.mkape @@ -3,17 +3,17 @@ Category: FileSystem Author: Hyun Yi @hyuunnn and Vito Alfano Version: 1.1 Id: 74ee60a6-2fb2-11ee-be56-0242ac120002 -BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web +BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/ ExportFormat: sqlite3 -FileMask: $J +FileMask: $LogFile Processors: - Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe - CommandLine: -u %sourceFile% -o %destinationDirectory% + CommandLine: -l %sourceFile% -o %destinationDirectory% ExportFormat: sqlite3 - Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe - CommandLine: -u %sourceFile% -o %destinationDirectory% -c + CommandLine: -l %sourceFile% -o %destinationDirectory% -c ExportFormat: csv # Documentation diff --git a/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape b/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape index 96b7be3a11..7aee35bb7f 100644 --- a/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape +++ b/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape 
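Review bot: This hunk changes the module's behaviour (`FileMask: $J` → `$LogFile`, `-u` → `-l`) but leaves `Version: 1.1` untouched in the context lines, unlike the other behavioural changes in this diff, which bump the version; make it `Version: 1.2`. The `Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe` path also hard-codes a tool version while `BinaryUrl` now points at a generic landing page, so the Documentation block should say which release that directory name corresponds to.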
@@ -1,14 +1,14 @@ Description: Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. -Category: LiveResponse +Category: Persistence Author: Andy Furnas, Encoding updates by piesecurity, Andreas Hunkeler (@Karneades) -Version: 1.4 +Version: 1.5 Id: c95e71bd-7abb-48c3-abae-f48b9ff19dec BinaryUrl: https://download.sysinternals.com/files/Autoruns.zip ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Path '%destinationDirectory%\autoruns.csv'" + CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Encoding UTF8 -Path '%destinationDirectory%\Autoruns.csv'" ExportFormat: csv # Documentation diff --git a/Modules/Apps/WinSCP_Session.mkape b/Modules/Apps/WinSCP_Session.mkape new file mode 100644 index 0000000000..6629e04af7 --- /dev/null +++ b/Modules/Apps/WinSCP_Session.mkape @@ -0,0 +1,15 @@ +Description: Module to extract a copy of WinSCP encrypted credentials +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: e00dac99-3a59-4c59-911c-95eda1769250 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" %destinationDirectory%\winscp2_sessions_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor diff --git a/Modules/Apps/block-parser-zipped.mkape b/Modules/Apps/block-parser-zipped.mkape new file mode 100644 index 0000000000..d5351e2249 --- /dev/null +++ b/Modules/Apps/block-parser-zipped.mkape 
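Review bot: `Set-Content -Encoding UTF8` only controls how the file is written; the text autorunsc emits has already been decoded by PowerShell through `[Console]::OutputEncoding` when it crosses the `|`, so if non-ASCII entries were being corrupted before this change they are still corrupted at that point (presumably the motivation for revisiting the encoding). If a byte-faithful CSV is the goal, let `cmd.exe /c` redirect autorunsc's stdout straight to `Autoruns.csv` instead of routing it through the PowerShell pipeline, or set `[Console]::OutputEncoding` in the same `-Command` string to whatever the current Sysinternals build actually emits (to be confirmed). Note too that Windows PowerShell 5.1's `UTF8` value writes a BOM, which some CSV readers carry into the first column header.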
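Review bot: The `Sessions` export has the same scoping problem as the MobaXterm modules: `HKEY_CURRENT_USER` is the hive of the account that launched KAPE, so running as SYSTEM or from an IR account yields the wrong user's WinSCP sessions. Either document that the module must run in the target user's context or enumerate `HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions`. Since stored sessions can carry hostnames, usernames and reversible passwords (per the linked XMCyber write-up), the output should be flagged as sensitive in the Documentation block.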
@@ -0,0 +1,16 @@ +Description: Block Parser Zipped +Category: EventLogs +Author: Phill Moore, Reece394 +Version: 1.1 +Id: cb817a29-bab0-4051-ac7d-7019d6e2ac65 +BinaryUrl: https://github.com/randomaccess3/block-parser +FileMask: "Microsoft-Windows-PowerShell%4Operational.evtx" +ExportFormat: zip +Processors: + - + Executable: block-parser.exe + CommandLine: -o %destinationDirectory% -z %sourceFile% + ExportFormat: zip + +# Documentation +# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html diff --git a/Modules/Compound/!EZParser.mkape b/Modules/Compound/!EZParser.mkape index 3d083a7d59..61e0b4796d 100644 --- a/Modules/Compound/!EZParser.mkape +++ b/Modules/Compound/!EZParser.mkape @@ -1,7 +1,7 @@ Description: Eric Zimmerman Parsers Category: Modules Author: Phill Moore -Version: 1.4 +Version: 1.5 Id: f531e7cc-c9f3-4d04-881b-dbc89d1e7f38 BinaryUrl: https://ericzimmerman.github.io/ ExportFormat: csv @@ -43,7 +43,7 @@ Processors: CommandLine: "" ExportFormat: "" - - Executable: RECmd_Kroll.mkape + Executable: RECmd_DFIRBatch.mkape CommandLine: "" ExportFormat: "" - diff --git a/Modules/Compound/NTFSLogTracker.mkape b/Modules/Compound/NTFSLogTracker.mkape index 4203207736..0ed73668a3 100644 --- a/Modules/Compound/NTFSLogTracker.mkape +++ b/Modules/Compound/NTFSLogTracker.mkape @@ -3,7 +3,7 @@ Category: FileSystem Author: Hyun Yi @hyuunnn Version: 1.0 Id: 094e8964-ea15-4be1-869d-7b8fa1b55ada -BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/NTFS Log Tracker v1.6 CMD.zip +BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/ ExportFormat: sqlite3 Processors: - diff --git a/Modules/Compound/NetworkActivity.mkape b/Modules/Compound/NetworkActivity.mkape new file mode 100644 index 0000000000..adab67159a --- /dev/null +++ b/Modules/Compound/NetworkActivity.mkape 
@@ -0,0 +1,66 @@ +Description: Parsing all information for Network Activity Category +Category: Network Activity +Author: Max Zabuty +Version: 1 +Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de +ExportFormat: json +Processors: + - + Executable: PowerShell_SMBMapping.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_SMBOpenFile.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_SMBSession.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetNeighbor.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_TCPConnections.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkAdapters.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkIPAddresses.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkIPConfiguration.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_DnsClientCache.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_nbtstat_NetBIOSCache.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_nbtstat_NetBIOSSessions.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Powershell_Wireless_Network_Connections.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NamedPipes.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetRoute.mkape + CommandLine: "" + ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/Compound/Persistence.mkape b/Modules/Compound/Persistence.mkape new file mode 100644 index 0000000000..7f5ad6955e --- /dev/null +++ b/Modules/Compound/Persistence.mkape 
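Review bot: `Version: 1` and `Category: Network Activity` depart from the conventions the rest of this diff follows (`1.0`-style numbering as in CompoundModuleTemplate.template, and space-free category names such as `FileSystem` and `Persistence`), and per CompoundModuleGuide.guide the `Category` value becomes the output folder name, so the space lands in the path. Use `Version: 1.0` and `Category: NetworkActivity`. `ExportFormat: json` is also odd for a compound whose children emit mixed formats; the template uses `csv` and the value is informational, so choose what the children mostly produce. Replacing `# N/A` with one line naming the purpose (a wrapper that chains the listed network-state modules) would cost nothing.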
@@ -0,0 +1,26 @@ +Description: Parsing all Persistence category +Category: Persistence +Author: Max Zabuty +Version: 1 +Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de +ExportFormat: json +Processors: + - + Executable: Windows_schtasks.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: SysInternals_Autoruns.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_WMIProviders.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_AccessibilityFeatures.mkape + CommandLine: "" + ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape b/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape index 811e985881..69855a2a73 100644 --- a/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape +++ b/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape @@ -37,3 +37,6 @@ Processors: Executable: PowerShell_Services_List.mkape CommandLine: "" ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/Compound/RECmd_AllBatchFiles.mkape b/Modules/Compound/RECmd_AllBatchFiles.mkape index 43b7dda45b..0b04319c37 100644 --- a/Modules/Compound/RECmd_AllBatchFiles.mkape +++ b/Modules/Compound/RECmd_AllBatchFiles.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: All RECmd Batch Output' Category: Registry Author: Andrew Rathbun -Version: 1.1 +Version: 1.2 Id: f2c9c95d-375e-4fb7-b069-7e9b95ea6db5 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip ExportFormat: csv @@ -23,7 +23,7 @@ Processors: CommandLine: "" ExportFormat: "" - - Executable: RECmd_Kroll.mkape + Executable: RECmd_DFIRBatch.mkape CommandLine: "" ExportFormat: "" - diff --git a/Modules/Compound/SystemInformation.mkape b/Modules/Compound/SystemInformation.mkape new file mode 100644 index 0000000000..85987627b3 --- /dev/null +++ b/Modules/Compound/SystemInformation.mkape 
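Review bot: `Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de` is the same GUID that the new Modules/Compound/NetworkActivity.mkape in this diff declares, while the repository's own CompoundModuleGuide.guide states that a unique GUID is required for every Target/Module; presumably KAPE keys modules on this value, so one of the two will be shadowed or rejected. Generate a fresh GUID for this file (the guide describes `kape.exe --guid`). Same convention nits as its sibling: `Version: 1` should be `1.0`, and `# N/A` could at least say that this is a wrapper with no binary of its own.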
@@ -0,0 +1,54 @@ +Description: Parsing all information for System Information Category +Category: System Information +Author: Max Zabuty +Version: 1 +Id: 223ac60b-b5be-4f79-8e16-4f16b1597f3c +ExportFormat: json +Processors: + - + Executable: PowerShell_SystemInformation.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_Processes.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_ProcessesIncludingServices.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_Drivers.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkShares.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_ActiveDrives.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_LocalUsers.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_LocalGroups.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_klist.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_nltest.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_Defender_Exclusions.mkape + CommandLine: "" + ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/CompoundModuleGuide.guide b/Modules/CompoundModuleGuide.guide index e428857823..b3fbe03883 100644 --- a/Modules/CompoundModuleGuide.guide +++ b/Modules/CompoundModuleGuide.guide 
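Review bot: `Category: System Information` contains a space, which per CompoundModuleGuide.guide becomes the output folder name, and `Version: 1` does not follow the `1.0` numbering the template and the rest of this diff use; `Category: SystemInformation` and `Version: 1.0` match the existing style. The module also chains `PowerShell_LocalUsers.mkape`, `PowerShell_LocalGroups.mkape` and `Windows_klist.mkape`, whose output reveals account and ticket details, so a one-line Documentation note that the results are collected from the live host and should be handled as sensitive would replace the current `# N/A`.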
@@ -2,8 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored Author: FirstName LastName # Make sure you get credit for your work Version: 1.0 # Required, iterate as necessary -Id: 62308e3b-5e67-4612-b472-24e0c85fccfe # Required, unique GUID is required for every KAPE Target/Module -BinaryUrl: https://url.goes.here.com # Required +Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required ExportFormat: csv # Required FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module Processors: diff --git a/Modules/CompoundModuleTemplate.template b/Modules/CompoundModuleTemplate.template index 52a1be753b..99f61df8bd 100644 --- a/Modules/CompoundModuleTemplate.template +++ b/Modules/CompoundModuleTemplate.template @@ -2,7 +2,7 @@ Description: Name of application/artifact here Category: Misc Author: FirstName LastName Version: 1.0 -Id: b61ccd7a-3f8a-4347-b5ac-21486aaa76c4 +Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea # Change this, and delete this comment before merging, please BinaryUrl: https://url.goes.here.com ExportFormat: csv FileMask: FileName.exe diff --git a/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape b/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape index c622cda995..451c266d9f 100644 --- a/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape +++ b/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape 
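Review bot: The rewritten `Id:` line swallowed the `BinaryUrl:` line: the hunk header shrinks from 8 to 7 lines and the new text reads `... Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required`, so the guide no longer shows `BinaryUrl` as a separate required field and the `Id` comment ends mid-word. Restore the line break so the two fields read `Id: Unique GUID here # Required, ... Or, run kape.exe --guid` and `BinaryUrl: https://url.goes.here.com # Required`. Relatedly, the template hunk on this line replaces its placeholder with a valid-looking GUID (`Id: eb5a737f-... # Change this, and delete this comment before merging, please`), which will be copied verbatim whenever the comment is overlooked; a non-GUID placeholder like the guide's `Unique GUID here` would presumably be rejected by KAPE's GUID parsing instead of silently producing duplicate IDs.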
@@ -1,11 +1,11 @@ Description: 'MFTECmd: process $J / $UsnJrnl$J files' Category: FileSystem -Author: Eric Zimmerman, Thomas DIOT -Version: 1.1 +Author: Eric Zimmerman, Thomas DIOT, Reece394 +Version: 1.2 Id: 5ef67a6b-5895-46bb-af2a-3339a3227e25 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/MFTECmd.zip ExportFormat: csv -FileMask: '$UsnJrnl%3A$J|$J|UsnJrnl-J' +FileMask: '$UsnJrnl%3A$J|$J|UsnJrnl-J|$UsnJrnl_*.bin' Processors: - Executable: MFTECmd.exe diff --git a/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape b/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape index 8a622fcddb..90b3962f4b 100644 --- a/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape +++ b/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape @@ -9,12 +9,12 @@ FileMask: $MFT Processors: - Executable: MFTECmd.exe - CommandLine: -f %sourceFile% --csv %destinationDirectory% -NEWSWITCH + CommandLine: -f %sourceFile% --csv %destinationDirectory% --rs ExportFormat: csv ExportFile: MFTFileSlack.txt - Executable: MFTECmd.exe - CommandLine: -f %sourceFile% --json %destinationDirectory% -NEWSWITCH + CommandLine: -f %sourceFile% --json %destinationDirectory% --rs ExportFormat: json ExportFile: MFTFileSlack.txt diff --git a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape index 0b87152065..b956b2ba12 100644 --- a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape +++ b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: AllRegExecutablesFoundOrRun' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 23cfcb78-60bb-4b2a-a7a4-b256f42fb83b BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv 
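Review bot: Replacing the `-NEWSWITCH` placeholder with `--rs` on both processors turns a module that presumably could not run before into a working one, yet `Version` (outside the hunk) is not bumped, unlike the other behavioural changes in this diff. Both processors also share `ExportFile: MFTFileSlack.txt`, so if `ExportFile` is the captured console output (as the RECmd modules in this diff appear to use it) the JSON run clobbers the CSV run's log; distinct names such as `MFTFileSlack_csv.txt` and `MFTFileSlack_json.txt` avoid that.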
@@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\AllRegExecutablesFoundOrRun.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: AllRegExecutablesFoundOrRun_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape index 706be36e2e..6e3bf68023 100644 --- a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape +++ b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: BCDBootVolume' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 4de3e322-491d-44a2-a870-edf0387b41b4 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BCDBootVolume.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: BCDBootVolume_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape index 0645e0f8f8..dbd800d4f1 100644 --- a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape +++ b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: BasicSystemInfo' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: e6da3300-447a-4912-9689-7d0679cae71b BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BasicSystemInfo.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: BasicSystemInfo_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd 
diff --git a/Modules/EZTools/RECmd/RECmd_Kroll.mkape b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape similarity index 73% rename from Modules/EZTools/RECmd/RECmd_Kroll.mkape rename to Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape index 6b76adc208..1b3092068d 100644 --- a/Modules/EZTools/RECmd/RECmd_Kroll.mkape +++ b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape @@ -1,15 +1,16 @@ -Description: 'RECmd: Kroll' +Description: 'RECmd: DFIR' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.2 Id: 26e4a8f6-d745-4195-8b8e-563cf32a4952 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv Processors: - Executable: RECmd\RECmd.exe - CommandLine: -d %sourceDirectory% --bn BatchExamples\Kroll_Batch.reb --nl false --csv %destinationDirectory% + CommandLine: -d %sourceDirectory% --bn BatchExamples\DFIRBatch.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: DFIRBatch_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd @@ -20,5 +21,5 @@ Processors: # https://www.youtube.com/watch?v=tk9XsMHzPlM # https://www.youtube.com/watch?v=GhCZfCzn2l0 # https://leanpub.com/eztoolsmanuals -# Uses the Kroll batch command file. This file should reside within KAPE\Module\bin\RECmd\BatchExamples. +# Uses the DFIR batch command file. This file should reside within KAPE\Module\bin\RECmd\BatchExamples. # Note: --nl false replays transaction logs. If you don't want to replay transaction logs, change to --nl true. diff --git a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape index 1eb64f35e8..fb1dac7051 100644 --- a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape +++ b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape 
@@ -1,7 +1,7 @@ Description: 'RECmd: InstalledSoftware' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 82d89b1d-19c1-439b-a30d-2f8659adf691 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\InstalledSoftware.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: InstalledSoftware_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape index 6179a714b4..4944e8d0cc 100644 --- a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape +++ b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: RECmd_Batch_MC' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 8690f004-a406-40c9-b566-2fdf5f106209 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RECmd_Batch_MC.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmd_Batch_MC_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape index 80199e0e7c..fe4b4a97d3 100644 --- a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: RegistryASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 176dd6af-4077-42ee-af03-1020768149ff BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv 
@@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RegistryASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RegistryASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape index 1d9f7879dd..d052a5671c 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: SoftwareASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 193817d5-85a1-4dbb-b8e0-61693d2deebc BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: SoftwareASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape index d62561d573..760064c864 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: SoftwareClassesASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 0e38b045-6512-41c2-962f-49a9da37b02f BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: SoftwareClassesASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd 
diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape index dc0c5ccf95..611780c629 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: SoftwareWoW6432ASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 63e39ae3-63c3-44c8-86ac-fb7ac4365d7b BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareWoW6432ASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: SoftwareWoW6432ASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape index 2a31142830..11c43f0587 100644 --- a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: SystemASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 3ef19b6e-3489-44ee-a5fa-0245fd54ecd1 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SystemASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: SystemASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape index 1577cd6d6c..43eb5a0222 100644 --- a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape 
@@ -1,7 +1,7 @@ Description: 'RECmd: UserActivity' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 05db97da-327b-46d0-942c-a468c087c09c BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserActivity.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: UserActivity_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape index edd8f20e0c..38ca56b108 100644 --- a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: UserClassesASEPs' Category: Registry Author: Andreas Hunkeler (@Karneades) -Version: 1.0 +Version: 1.1 Id: df3d2d54-dda9-49fb-a427-c9d8348b375d BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: UserClassesASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/ModuleGuide.guide b/Modules/ModuleGuide.guide index c9c2345b44..7d829001e3 100644 --- a/Modules/ModuleGuide.guide +++ b/Modules/ModuleGuide.guide 
@@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored Author: FirstName LastName # Make sure you get credit for your work Version: 1.0 # Required, iterate as necessary -Id: 0256a455-1248-4e30-8175-727679189ddd # Required, unique GUID is required for every KAPE Target/Module +Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guid BinaryUrl: https://url.goes.here.com ExportFormat: csv # Required, this is the default ExportFormat in the instance the user chooses a format that is not listed below, or simply chooses Default within gkape WaitTimeout: 0 # Optional, this specifies the number of minutes KAPE should wait for a Module to finish diff --git a/Modules/ModuleTemplate.template b/Modules/ModuleTemplate.template index 1f5c0fbc02..b7cd70a767 100644 --- a/Modules/ModuleTemplate.template +++ b/Modules/ModuleTemplate.template @@ -2,7 +2,7 @@ Description: Name of application/artifact here Category: Misc Author: FirstName LastName Version: 1.0 -Id: a2231a4c-3bdf-4254-a2ab-06021789d1b0 +Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbef # Change this, and delete this comment before merging, please BinaryUrl: https://url.goes.here.com ExportFormat: csv FileMask: FileName.exe diff --git a/Modules/README.md b/Modules/README.md index 7bc7774088..4e3b33ebed 100644 --- a/Modules/README.md +++ b/Modules/README.md @@ -8,7 +8,7 @@ The Apps folder contains Modules for all third-party applications. ### Compound -The Compund folder contains Modules that point to other Modules. +The Compound folder contains Modules that point to other Modules. ### EZTools diff --git a/Modules/Windows/PowerShell_AccessibilityFeatures.mkape b/Modules/Windows/PowerShell_AccessibilityFeatures.mkape new file mode 100644 index 0000000000..2676dc665e 
--- /dev/null
+++ b/Modules/Windows/PowerShell_AccessibilityFeatures.mkape
@@ -0,0 +1,20 @@
+Description: Checks for Debugger registry value and file integrity of specific Windows features
+Category: Persistence
+Author: Max Zabuty
+Version: 1.0
+Id: e3444190-b58e-4fe7-8048-e0bb1f40b3c7
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults | Export-Csv -NoTypeInformation -Encoding UTF8 -Path \"%destinationDirectory%\AccessibilityFeaturesCheck.csv\" "
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = 
\"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\AccessibilityFeaturesCheck.json' " + ExportFormat: json + +# Documentation +# https://support.microsoft.com/en-us/windows/discover-windows-accessibility-features-8b1068e6-d3b8-4ba8-b027-133dd8911df9 diff --git a/Modules/Windows/PowerShell_ActiveDrives.mkape b/Modules/Windows/PowerShell_ActiveDrives.mkape new file mode 100644 index 0000000000..cbcb0fb711 --- /dev/null +++ b/Modules/Windows/PowerShell_ActiveDrives.mkape 
@@ -0,0 +1,18 @@
+Description: Active Drives List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 74d3505a-ec0f-4092-b121-6796583af8e0
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-PSDrive | Select Name,Provider,Root,CurrentLocation | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Active Drives.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-PSDrive | Select Name,Provider,Root,CurrentLocation | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Active Drives.csv'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-psdrive?view=powershell-7.4
diff --git a/Modules/Windows/PowerShell_DnsClientCache.mkape b/Modules/Windows/PowerShell_DnsClientCache.mkape
new file mode 100644
index 0000000000..6bfc17e425
--- /dev/null
+++ b/Modules/Windows/PowerShell_DnsClientCache.mkape
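Review bot: The JSON processor writes to `'%destinationDirectory%\Active Drives.csv'`, the same path the CSV processor uses, so whichever processor runs second overwrites the first and a `.json` file is never produced. Change the second `-FilePath` to `'%destinationDirectory%\Active Drives.json'`, matching the CSV/JSON pairing used by the other new modules in this commit.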
@@ -0,0 +1,18 @@
+Description: Displaying DNS Client Cache
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: 0bec8e98-4111-4d91-a774-0b8d50eaf430
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-DnsClientCache | Select Entry,Name,Type,Status,Section,TimeToLive,DataLength,Data | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\DNS Client Cache.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-DnsClientCache | Select Entry,Name,Type,Status,Section,TimeToLive,DataLength,Data | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\DNS Client Cache.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_Drivers.mkape b/Modules/Windows/PowerShell_Drivers.mkape
new file mode 100644
index 0000000000..0143082fbd
--- /dev/null
+++ b/Modules/Windows/PowerShell_Drivers.mkape
@@ -0,0 +1,18 @@
+Description: Drivers List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 81690a49-c71f-4913-9fb9-430ffa47b413
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject -Class Win32_SystemDriver | Select DisplayName,Name,Description,State,PathName,ServiceType | Export-Csv -NoTypeInformation -Path '%destinationDirectory%\Drivers.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject -Class Win32_SystemDriver | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Drivers.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemdriver
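Review bot: The Documentation link at the end of the DNS Client Cache hunk points at the `Get-NetNeighbor` page (the same URL the ARP module uses) rather than the cmdlet this module runs; replace it with the DnsClient module's `Get-DnsClientCache` reference page. A one-line note that `Get-DnsClientCache` is provided by the DnsClient module, so the processor fails on hosts where that module is absent, would also help whoever triages an empty output folder.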
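Review bot: In the Drivers hunk the CSV processor's `Export-Csv -NoTypeInformation -Path ...` omits `-Encoding UTF8`, unlike its own JSON processor and every sibling module in this commit, so non-ASCII driver descriptions are written in the host's ANSI code page; add `-Encoding UTF8` there. The JSON processor also serialises the entire `Win32_SystemDriver` object while the CSV processor projects six properties, so the two outputs do not describe the same data. Insert `| Select DisplayName,Name,Description,State,PathName,ServiceType` before `ConvertTo-Json` so both formats carry one field set.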
diff --git a/Modules/Windows/PowerShell_LocalGroups.mkape b/Modules/Windows/PowerShell_LocalGroups.mkape
new file mode 100644
index 0000000000..bbb22f4640
--- /dev/null
+++ b/Modules/Windows/PowerShell_LocalGroups.mkape
@@ -0,0 +1,18 @@
+Description: Local Groups List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: e753b244-382b-4143-976e-1968c5b38973
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalGroup | select * | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Local Groups.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalGroup | select * | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Local Groups.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localgroup?view=powershell-5.1
diff --git a/Modules/Windows/PowerShell_LocalUsers.mkape b/Modules/Windows/PowerShell_LocalUsers.mkape
new file mode 100644
index 0000000000..618c623e11
--- /dev/null
+++ b/Modules/Windows/PowerShell_LocalUsers.mkape
@@ -0,0 +1,18 @@
+Description: Local Users List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 1bce3dc1-72d5-4b5d-9ca9-c15745aadc7e
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalUser | select * | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Local Users.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalUser | select * | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Local Users.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localuser?view=powershell-5.1
diff --git a/Modules/Windows/PowerShell_NamedPipes.mkape b/Modules/Windows/PowerShell_NamedPipes.mkape
index cd4bc24872..d3563b62a9 100644
--- a/Modules/Windows/PowerShell_NamedPipes.mkape
+++ b/Modules/Windows/PowerShell_NamedPipes.mkape
@@ -1,15 +1,18 @@ Description: Named Pipes List -Category: LiveResponse -Author: nov3mb3r +Category: Network Activity +Author: Max Zabuty Version: 1.0 Id: f1f5f93d-d03b-45f4-bf72-7b8f9dc7ac23 -ExportFormat: txt +ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Format-Table FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime" - ExportFormat: txt - ExportFile: pipes.txt + CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Named Pipes.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Named Pipes.json'" + ExportFormat: json # Documentation # https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes diff --git a/Modules/Windows/PowerShell_NetNeighbor.mkape b/Modules/Windows/PowerShell_NetNeighbor.mkape new file mode 100644 index 0000000000..752ad9d76b --- /dev/null +++ b/Modules/Windows/PowerShell_NetNeighbor.mkape 
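Review bot: This hunk changes the module's behaviour (a txt table becomes CSV plus JSON files, and the Category moves from LiveResponse to Network Activity) yet `Version: 1.0` is left untouched, while every other modified module in this commit bumps its version; bump it to `Version: 1.1`. The `Author` line also replaces `nov3mb3r` with `Max Zabuty` although the `Get-ChildItem -Path '\\.\pipe\'` collection is kept; the module guide's Author comment is about keeping credit, so `Author: nov3mb3r, Max Zabuty` is the usual form for an edit like this.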
@@ -0,0 +1,18 @@
+Description: Displaying ARP Table using PowerShell
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: f25cbff9-fb0c-406b-ba70-c61709c102ae
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\ARP Table.csv' "
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\ARP Table.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetRoute.mkape b/Modules/Windows/PowerShell_NetRoute.mkape
new file mode 100644
index 0000000000..343a7a0b55
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetRoute.mkape
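Review bot: The `?{$_.AddressFamily -eq 'IPv4'}` filter in both processors silently drops the IPv6 neighbour cache, and because AddressFamily is not in the projection nothing in the output tells the analyst that a dual-stack host's IPv6 neighbours were excluded. Either drop the filter and project the family, `Get-NetNeighbor | Select AddressFamily,InterfaceAlias,IPAddress,LinkLayerAddress,State`, or state the IPv4-only scope in the Description and the Documentation comment. The CSV command line also carries a stray space before its closing quote (`.csv' "`), harmless but worth trimming.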
@@ -0,0 +1,20 @@
+Description: Collecting Network Routing Table Information
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: f1eaaf30-3b13-4c0e-836c-071f7a668948
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Routing Table.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Routing Table.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkAdapters.mkape b/Modules/Windows/PowerShell_NetworkAdapters.mkape
new file mode 100644
index 0000000000..007e0c9d3a
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkAdapters.mkape
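Review bot: Both `CommandLine: >` values are folded block scalars with the default clip chomping, so each deserialises with a trailing newline after the closing quote, whereas the sibling modules pass the same kind of one-line command as a plain scalar. Use `CommandLine: >-` (or write the command inline like the other modules) so the argument string ends at the quote; the newline is probably harmless to KAPE's argument handling, but there is no reason to depend on that.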
@@ -0,0 +1,18 @@
+Description: Collecting Network Adapters Information
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: 15ab571c-1fde-433e-a9b7-9132542ff07f
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetAdapter | Select Name, Status, MacAddress, PhysicalMediaType, DriverName, DriverInformation, DriverVersion, DriverDescription, SystemName, PnPDeviceID | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Adapters.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetAdapter | Select Name, Status, MacAddress, PhysicalMediaType, DriverName, DriverInformation, DriverVersion, DriverDescription, SystemName, PnPDeviceID | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Adapters.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
new file mode 100644
index 0000000000..10b788f65f
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
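Review bot: `Get-NetAdapter` without `-IncludeHidden` omits hidden adapters (tunnel, loopback and some virtual interfaces), so a live-response snapshot quietly misses interfaces that can still carry traffic. Use `Get-NetAdapter -IncludeHidden | Select Name, Status, ...` in both processors, or record the exclusion in a comment beside the Documentation link so the analyst knows the list is not exhaustive.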
@@ -0,0 +1,18 @@
+Description: Collecting Network IP Address Information
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: 85d5e5cb-630c-4e70-9153-738e30c9d973
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetIPAddress | Select IPAddress,InterfaceAlias,AddressFamily,Type,PrefixLength,PrefixOrigin,SuffixOrigin,AddressState | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Addresses.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetIPAddress | Select IPAddress,InterfaceAlias,AddressFamily,Type,PrefixLength,PrefixOrigin,SuffixOrigin,AddressState | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network IP Addresses.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape
new file mode 100644
index 0000000000..14a7448f33
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape
@@ -0,0 +1,20 @@
+Description: Collecting Network IP Configuration and Parsing Specific Fields
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: 76a02001-2a44-4e19-a3f7-14d2352f678d
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "Get-NetIPConfiguration | Select-Object InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name='NetProfile';expression={$_.NetProfile.Name}},@{name='IPv4Address';expression={$_.IPv4Address -join ','}},@{name='IPv4DefaultGateway';expression={$_.IPv4DefaultGateway -join ','}},@{name='DNSServer';expression={$_.DNSServer -join ','}} | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Configuration.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "Get-NetIPConfiguration | Select-Object InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name='NetProfile';expression={$_.NetProfile.Name}},@{name='IPv4Address';expression={$_.IPv4Address -join ','}},@{name='IPv4DefaultGateway';expression={$_.IPv4DefaultGateway -join ','}},@{name='DNSServer';expression={$_.DNSServer -join ','}} | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network IP Configuration.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkShares.mkape b/Modules/Windows/PowerShell_NetworkShares.mkape
new file mode 100644
index 0000000000..47daaca7f2
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkShares.mkape
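Review bot: The three calculated properties join objects rather than addresses: `$_.IPv4Address`, `$_.IPv4DefaultGateway` and `$_.DNSServer` on a Get-NetIPConfiguration result are CIM instances, so `-join ','` concatenates their string forms instead of the address fields (I have not executed this, but that is how `-join` treats non-string objects). The usual projection selects the member first — `$_.IPv4Address.IPAddress -join ','`, `$_.IPv4DefaultGateway.NextHop -join ','` and `$_.DNSServer.ServerAddresses -join ','` — which keeps the CSV columns as plain comma-separated address lists; the same change applies to both processors.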
@@ -0,0 +1,18 @@
+Description: Displaying Network Shares
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: e4442a99-ec52-425d-aa53-ef1ee179ef45
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject —Class Win32_Share | Select Name,Path,Description | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Shares.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject —Class Win32_Share | Select Name,Path,Description | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Shares.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share
diff --git a/Modules/Windows/PowerShell_Processes.mkape b/Modules/Windows/PowerShell_Processes.mkape
new file mode 100644
index 0000000000..dec8212aee
--- /dev/null
+++ b/Modules/Windows/PowerShell_Processes.mkape
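Review bot: Both command lines write `—Class Win32_Share` with a Unicode em dash instead of an ASCII hyphen. PowerShell's tokenizer does accept Unicode dashes as a parameter prefix, but a non-ASCII byte inside a command line that passes through YAML, KAPE and a child-process argument string is fragile and changes meaning silently if anything re-encodes it; the Drivers module in this same commit spells `-Class` correctly. Replace both occurrences with `Get-WmiObject -Class Win32_Share`.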
@@ -0,0 +1,18 @@ +Description: Display a running process list with a variety of fields - modified +Category: LiveResponse +Author: Max Zabuty +Version: 1.0 +Id: 7bc494dd-d8c2-4e6f-87f5-817c32d06493 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-WMIObject Win32_Process | Select-Object Name,ProcessID,Path,commandline,@{Label='Owner'; Expression={(Get-Process -PID $_.ProcessID -IncludeUserName).UserName}},@{Label='Creation Date'; Expression={[Management.ManagementDateTimeConverter]::ToDateTime($_.CreationDate)}},ThreadCount,HandleCount,VirtualSize,Priority,@{Label='PriorityClass'; Expression={(Get-Process -PID $_.ProcessID).PriorityClass}},@{Label='Security ID'; Expression={$_.getownersid().SID}},@{Label='TotalProcessorTime'; Expression={(Get-Process -PID $_.ProcessID).TotalProcessorTime}},@{Label='Parent Path'; Expression={(Get-Process -PID $_.ParentProcessId).Path}},ParentProcessId,@{Label='Company'; Expression={(Get-Process -PID $_.ProcessID).Company}},@{Label='ProductVersion'; Expression={(Get-Process -PID $_.ProcessID).ProductVersion}},@{Label='Description'; Expression={(Get-Process -PID $_.ProcessID).Description}},@{Label='Product'; Expression={(Get-Process -PID $_.ProcessID).Product}},@{Label='FileVersion'; Expression={(Get-Process -PID $_.ProcessID).FileVersion}},@{Label='File Path SHA1'; Expression={[System.BitConverter]::ToString( (New-Object System.Security.Cryptography.SHA1CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes($_.Path))) -replace '-'}} | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\Processes.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-WMIObject Win32_Process | Select-Object Name,ProcessID,Path,commandline,@{Label='Owner'; Expression={(Get-Process -PID $_.ProcessID -IncludeUserName).UserName}},@{Label='Creation Date'; 
Expression={[Management.ManagementDateTimeConverter]::ToDateTime($_.CreationDate)}},ThreadCount,HandleCount,VirtualSize,Priority,@{Label='PriorityClass'; Expression={(Get-Process -PID $_.ProcessID).PriorityClass}},@{Label='Security ID'; Expression={$_.getownersid().SID}},@{Label='TotalProcessorTime'; Expression={(Get-Process -PID $_.ProcessID).TotalProcessorTime}},@{Label='Parent Path'; Expression={(Get-Process -PID $_.ParentProcessId).Path}},ParentProcessId,@{Label='Company'; Expression={(Get-Process -PID $_.ProcessID).Company}},@{Label='ProductVersion'; Expression={(Get-Process -PID $_.ProcessID).ProductVersion}},@{Label='Description'; Expression={(Get-Process -PID $_.ProcessID).Description}},@{Label='Product'; Expression={(Get-Process -PID $_.ProcessID).Product}},@{Label='FileVersion'; Expression={(Get-Process -PID $_.ProcessID).FileVersion}},@{Label='File Path SHA1'; Expression={[System.BitConverter]::ToString( (New-Object System.Security.Cryptography.SHA1CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes($_.Path))) -replace '-'}} | ConvertTo-Json -Encoding UTF8 -FilePath '%destinationDirectory%\Processes.json'" + ExportFormat: json + +# Documentation +# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 diff --git a/Modules/Windows/PowerShell_ProcessesIncludingServices.mkape b/Modules/Windows/PowerShell_ProcessesIncludingServices.mkape new file mode 100644 index 0000000000..334addd82f --- /dev/null +++ b/Modules/Windows/PowerShell_ProcessesIncludingServices.mkape 
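Review bot: The JSON processor ends in `ConvertTo-Json -Encoding UTF8 -FilePath '%destinationDirectory%\Processes.json'`, but ConvertTo-Json has neither parameter, so the command fails and Processes.json is never written; it should be `| ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Processes.json'` as the other modules in this commit do. Separately, the `File Path SHA1` column calls `[System.IO.File]::ReadAllBytes($_.Path)` with no null or error handling, so processes whose Path is empty (System, protected processes) emit errors and an empty cell — guard it with `if ($_.Path) { ... }` or use `(Get-FileHash -Algorithm SHA1 -Path $_.Path -ErrorAction SilentlyContinue).Hash`. Each process also triggers several separate Get-Process calls, which is worth a documentation line warning that this module is slow on busy hosts.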
@@ -0,0 +1,14 @@ +Description: Processes list including the services running them +Category: LiveResponse +Author: Max Zabuty +Version: 1.0 +Id: 021ed07e-f2ea-4ec7-9eba-bc1e1576aa46 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "tasklist /svc /FO csv | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Process_Including_Services.csv'" + ExportFormat: csv + +# Documentation +# https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist diff --git a/Modules/Windows/PowerShell_RecycleBinParsing.mkape b/Modules/Windows/PowerShell_RecycleBinParsing.mkape new file mode 100644 index 0000000000..2ce89b94e2 --- /dev/null +++ b/Modules/Windows/PowerShell_RecycleBinParsing.mkape 
@@ -0,0 +1,22 @@ +Description: Parses the Recycle Bin, gathering details about deleted files and exports the results in CSV and JSON formats. (Time in UTC) +Category: FileDeletion +Author: Max Zabuty +Version: 1.0 +Id: 3d845a61-5f0e-4d4f-bf57-b0e77b6b5db1 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\RecycleBin.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = 
$_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\RecycleBin.json'" + ExportFormat: json + +# Documentation +# https://forensafe.com/blogs/recycleBin.html +# https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal +# https://www.devhut.net/vba-shell-application-deep-dive/ diff --git a/Modules/Windows/PowerShell_SMBMapping.mkape b/Modules/Windows/PowerShell_SMBMapping.mkape index eb88408470..b2189434ae 100644 --- a/Modules/Windows/PowerShell_SMBMapping.mkape +++ b/Modules/Windows/PowerShell_SMBMapping.mkape 
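Review bot: `$objSID.Translate([System.Security.Principal.NTAccount])` has no error handling, so one unresolvable SID (deleted local account, domain SID while offline) throws inside the loop and the trailing Export-Csv/ConvertTo-Json never runs; guard it, e.g. `$userName = try { $objSID.Translate([System.Security.Principal.NTAccount]).Value } catch { $recycleSid }`. Note also that `Shell.Application` Namespace 0xA enumerates the Recycle Bin of the account PowerShell runs as, so an elevated or SYSTEM-context collection will presumably not see other users' deleted files — worth stating under `# Documentation` and pointing analysts at the $I/$R Recycle Bin target for full coverage.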
@@ -1,14 +1,18 @@ Description: Retrieves the Server Message Block (SMB) client directory mappings. It replaces the command net use. -Category: LiveResponse -Author: Vito Alfano +Category: Network Activity +Author: Vito Alfano, Max Zabuty Version: 1.0 Id: 36092684-5d40-4159-baed-822b7eaaf0a0 ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status | Export-Csv -Path %destinationDirectory%\Net_Use.csv -NoTypeInformation " + CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.csv' " ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.json' " + ExportFormat: json # Documentation # https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbmapping?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_SMBOpenFile.mkape b/Modules/Windows/PowerShell_SMBOpenFile.mkape index aba4183288..a1d1638d23 100644 --- a/Modules/Windows/PowerShell_SMBOpenFile.mkape +++ b/Modules/Windows/PowerShell_SMBOpenFile.mkape 
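Review bot: The new second processor is declared `ExportFormat: json` but pipes to `Export-Csv ... -Path '%destinationDirectory%\SMB Mapping.json'`, so it writes CSV content under a .json name; it should be `| ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\SMB Mapping.json'` like PowerShell_SMBOpenFile in this same commit. The output columns, filename and a whole processor changed while `Version: 1.0` stayed put, unlike the Hayabusa modules bumped in this commit.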
@@ -1,14 +1,18 @@ Description: Retrieves basic information about the files that are open via SMB -Category: LiveResponse -Author: Vito Alfano +Category: Network Activity +Author: Vito Alfano, Max Zabuty Version: 1.0 Id: f93f31dc-2979-4279-b1f7-a4771b7ed1fa ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-SMBOpenFile | Select FileId, SessionId, Path, ShareRelativePath, ClientComputerName, ClientUsername | Export-Csv -Path %destinationDirectory%\Net_Files.csv -NoTypeInformation " + CommandLine: -Command "Get-SMBOpenFile | Select FileId, SessionId, Path, ShareRelativePath, ClientComputerName, ClientUsername | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Open Files.csv' " ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-SMBOpenFile | Select FileId, SessionId, Path, ShareRelativePath, ClientComputerName, ClientUsername | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\SMB Open Files.json'" + ExportFormat: json # Documentation # https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbopenfile?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_SMBSession.mkape b/Modules/Windows/PowerShell_SMBSession.mkape index eb9c88fcd1..30f9d1ae93 100644 --- a/Modules/Windows/PowerShell_SMBSession.mkape +++ b/Modules/Windows/PowerShell_SMBSession.mkape 
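Review bot: `Version: 1.0` is unchanged although the output filename, encoding and a JSON processor were added; bump it so downstream module syncs pick up the change. Get-SMBOpenFile reports files opened on this host's shares and typically needs an elevated session, which is worth a line under `# Documentation`.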
@@ -1,14 +1,18 @@ Description: Retrieves basic information about active SMB sessions. It replaces the command net use. -Category: LiveResponse -Author: Vito Alfano +Category: Network Activity +Author: Vito Alfano, Max Zabuty Version: 1.0 Id: 3d38b9bb-64dd-440e-9a01-8db0feceb3a7 ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-SMBSession | Select SessionId, ClientComputerName, ClientUserName, NumOpens | Export-Csv -Path %destinationDirectory%\Net_Sessions.csv -NoTypeInformation " + CommandLine: -Command "Get-SMBSession | Select SessionId, ClientComputerName, ClientUserName, NumOpens | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Session.csv' " ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-SMBSession | Select SessionId, ClientComputerName, ClientUserName, NumOpens | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath 'SMB Session.json'" + ExportFormat: json # Documentation # https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbsession?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_SystemInformation.mkape b/Modules/Windows/PowerShell_SystemInformation.mkape new file mode 100644 index 0000000000..fd001d99e4 --- /dev/null +++ b/Modules/Windows/PowerShell_SystemInformation.mkape 
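Review bot: The JSON processor writes to `Out-File -Encoding UTF8 -FilePath 'SMB Session.json'` without the `%destinationDirectory%\` prefix, so the file lands in PowerShell's current working directory on the live host instead of the collection; change it to `-FilePath '%destinationDirectory%\SMB Session.json'`. The Description still says the cmdlet replaces `net use`; Get-SMBSession corresponds to `net session`, while `net use` is what PowerShell_SMBMapping replaces. `Version: 1.0` is also unchanged despite the new output.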
@@ -0,0 +1,14 @@ +Description: Specific System Information +Category: LiveResponse +Author: Max Zabuty +Version: 1.0 +Id: 92ce6a73-aee4-4040-b827-84973d90c634 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "$systemInfo = @{}; $systemInfo['Host Name'] = $env:COMPUTERNAME; $systemInfo['OS Name'] = (Get-CimInstance Win32_OperatingSystem).Caption; $systemInfo['OS Version'] = (Get-CimInstance Win32_OperatingSystem).Version; $systemInfo['OS Architecture'] = (Get-CimInstance Win32_Processor).AddressWidth.ToString() + '-Bit'; $systemInfo['Original Install Date'] = (Get-CimInstance Win32_OperatingSystem).InstallDate; $systemInfo['System Boot Time'] = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime; $systemInfo['System Manufacturer'] = (Get-CimInstance Win32_ComputerSystem).Manufacturer; $systemInfo['System Model'] = (Get-CimInstance Win32_ComputerSystem).Model; $systemInfo['BIOS Version'] = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion; $systemInfo['Boot Device'] = (Get-CimInstance Win32_ComputerSystem).BootDevice; $systemInfo['Time Zone'] = (Get-CimInstance Win32_TimeZone).Caption; $totalPhysicalMemory = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB); $systemInfo['Total Physical Memory'] = \"$totalPhysicalMemory GB\"; $systemInfo['Domain'] = (Get-CimInstance Win32_ComputerSystem).Domain; $systemInfo['Logon Server'] = (Get-CimInstance Win32_ComputerSystem).PrimaryOwnerName; $systemInfo['Hotfix(s)'] = (Get-HotFix).HotFixID -join ', '; $networkAdapters = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }; $networkCards = $networkAdapters | ForEach-Object { $_.Description }; $systemInfo['Network Card(s)'] = $networkCards -join ', '; [PSCustomObject]$systemInfo | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\System Information.csv'" + ExportFormat: csv + +# Documentation +# 
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
diff --git a/Modules/Windows/PowerShell_TCPConnections.mkape b/Modules/Windows/PowerShell_TCPConnections.mkape
new file mode 100644
index 0000000000..368accde20
--- /dev/null
+++ b/Modules/Windows/PowerShell_TCPConnections.mkape
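Review bot: `$systemInfo['Logon Server'] = (Get-CimInstance Win32_ComputerSystem).PrimaryOwnerName` records the registered owner string, not a logon server; use `$env:LOGONSERVER` (the DC that authenticated the collecting session) or drop the field. `'OS Architecture'` is derived from `Win32_Processor.AddressWidth`, which is the CPU width, whereas `(Get-CimInstance Win32_OperatingSystem).OSArchitecture` reports what the field name promises. The `# Documentation` link points at fsutil-usn, which is unrelated to this module; link the Win32_OperatingSystem / Win32_ComputerSystem class references instead. Win32_OperatingSystem is queried four times and could be fetched once into `$os = Get-CimInstance Win32_OperatingSystem`.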
@@ -0,0 +1,18 @@ +Description: TCP Established Connections including DNSCache and process information +Category: Network Activity +Author: Max Zabuty +Version: 1.0 +Id: e2c9b4f3-5e2a-4bce-bbcf-8b473b3bb167 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "$connections = @(); if($PSVersionTable.PSVersion.Major -lt 5){ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.RemotePort }) } } else{ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'UserName'=(gps -Id $_.OwningProcess -IncludeUserName).UserName; 'Process Name'=(gps -Id $_.OwningProcess).Name; 'Process Path'=(gps -Id $_.OwningProcess).Path; 'OwningProcess'=$_.OwningProcess; 'LocalAddress'=$_.LocalAddress; 'LocalPort'=$_.RemotePort; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.LocalPort }) } }; $connections | Export-Csv -NoTypeInformation -Path '%destinationDirectory%\TCPConnections.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "$connections = @(); if($PSVersionTable.PSVersion.Major -lt 5){ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.RemotePort }) } } else{ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'UserName'=(gps -Id $_.OwningProcess -IncludeUserName).UserName; 'Process Name'=(gps -Id $_.OwningProcess).Name; 'Process Path'=(gps -Id 
$_.OwningProcess).Path; 'OwningProcess'=$_.OwningProcess; 'LocalAddress'=$_.LocalAddress; 'LocalPort'=$_.RemotePort; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.LocalPort }) } }; $connections | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\TCPConnections.json'" + ExportFormat: json + +# Documentation +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_WMIProviders.mkape b/Modules/Windows/PowerShell_WMIProviders.mkape new file mode 100644 index 0000000000..b71f1171af --- /dev/null +++ b/Modules/Windows/PowerShell_WMIProviders.mkape 
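Review bot: In the PowerShell 5+ branch of both processors the port fields are swapped — `'LocalPort'=$_.RemotePort` and `'RemotePort'=$_.LocalPort` — so every local and remote port in the CSV and JSON is reversed; they should read `'LocalPort'=$_.LocalPort` and `'RemotePort'=$_.RemotePort`. The Description says "Established Connections" but Get-NetTCPConnection is not filtered, so Listen, TimeWait and Bound entries are included; either add `-State Established` or reword the Description. The CSV processor's `Export-Csv` also lacks `-Encoding UTF8`, unlike every other module in this commit.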
@@ -0,0 +1,18 @@ +Description: Output of WMI Event Consumers, Filters, and Filter to Consumer Binders - All to CSV and JSON +Category: Persistence +Author: Max Zabuty +Version: 1.0 +Id: 8a5e83ae-4470-46d7-9812-5f713e0e0775 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "New-Item -ItemType Directory -Path '%destinationDirectory%\WMI Providers' | Out-Null; foreach ($NameSpace in 'root\subscription','root\default') { Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventConsumer' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Name, SourceName, @{name='InsertionStringTemplates';expression={$_.InsertionStringTemplates -join ','}} | Export-Csv -Encoding UTF8 -Force -Append -NoTypeInformation -Path '%destinationDirectory%\WMI Providers\WMI Event Consumers.csv'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventFilter' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, EventNamespace, Name, Query, QueryLanguage | Export-Csv -Encoding UTF8 -Force -Append -NoTypeInformation -Path '%destinationDirectory%\WMI Providers\WMI Event Filters.csv'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __FilterToConsumerBinding' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Consumer, Filter | Export-Csv -Encoding UTF8 -Force -Append -NoTypeInformation -Path '%destinationDirectory%\WMI Providers\WMI Filter Consumer Binders.csv' }" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "New-Item -ItemType Directory -Path '%destinationDirectory%\WMI Providers' | Out-Null; foreach ($NameSpace in 'root\subscription','root\default') { Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventConsumer' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Name, SourceName, 
@{name='InsertionStringTemplates';expression={$_.InsertionStringTemplates -join ','}} | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Event Consumers.json'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventFilter' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, EventNamespace, Name, Query, QueryLanguage | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Event Filters.json'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __FilterToConsumerBinding' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Consumer, Filter | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Filter Consumer Binders.json' }" + ExportFormat: json + +# Documentation +# https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-providers diff --git a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape new file mode 100644 index 0000000000..59ec54c7a3 --- /dev/null +++ b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape 
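Review bot: The JSON processor runs `Out-File` without `-Append` inside `foreach ($NameSpace in 'root\subscription','root\default')`, so the root\default pass overwrites whatever root\subscription wrote — and root\subscription is exactly where __FilterToConsumerBinding persistence normally lives. Appending two ConvertTo-Json documents would not yield valid JSON either; collect first and serialize once, e.g. `$consumers = foreach ($NameSpace in 'root\subscription','root\default') { Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventConsumer' | Select ... }` followed by `$consumers | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Event Consumers.json'`, and the same for filters and bindings. Adding a `@{name='Namespace';expression={$NameSpace}}` column would also let an analyst tell the two sources apart in the merged CSV.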
@@ -0,0 +1,30 @@ +Description: Collecting Wi-Fi Profiles and Passwords +Category: Network Activity +Author: Max Zabuty +Version: 1.0 +Id: e4d8433b-506b-4053-8226-e2c4938ccba2 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "(netsh wlan show profiles) | Select-String '\:(.+)$' | ForEach-Object { + $name=$_.Matches.Groups[1].Value.Trim(); + $profileDetails=(netsh wlan show profile name=$name key=clear); + $password=($profileDetails | Select-String 'Key Content\W+\:(.+)$').Matches.Groups[1].Value.Trim(); + [PSCustomObject]@{ SSID=$name; PASSWORD=$password } + } | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Wi-Fi Profiles.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "(netsh wlan show profiles) | Select-String '\:(.+)$' | ForEach-Object { + $name=$_.Matches.Groups[1].Value.Trim(); + $profileDetails=(netsh wlan show profile name=$name key=clear); + $password=($profileDetails | Select-String 'Key Content\W+\:(.+)$').Matches.Groups[1].Value.Trim(); + [PSCustomObject]@{ SSID=$name; PASSWORD=$password } + } | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Wi-Fi Profiles.json'" + ExportFormat: json + +# Documentation +# N/A diff --git a/Modules/Windows/Windows_klist.mkape b/Modules/Windows/Windows_klist.mkape new file mode 100644 index 0000000000..8d158a9cd8 --- /dev/null +++ b/Modules/Windows/Windows_klist.mkape @@ -0,0 +1,15 @@ +Description: Gets Kerberos Tickets +Category: LiveResponse +Author: Max Zabuty +Version: 1.0 +Id: e9af32c1-2a2c-4d96-9798-f6829681da83 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\klist.exe + CommandLine: "" + ExportFormat: txt + ExportFile: KerberosTickets.txt + +# Documentation +# https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/klist 
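Review bot: This module harvests every saved Wi-Fi pre-shared key in clear text (`netsh wlan show profile name=$name key=clear`) and writes it to `Wi-Fi Profiles.csv`/`.json`, yet neither the Description nor the `# Documentation` block (currently `N/A`) warns that the collection now contains credentials; add a line such as `# WARNING: output contains clear-text Wi-Fi passwords; requires an elevated session and must be stored and shared as a credential artifact`. The parsing also depends on the English strings `Key Content` and the `: value` layout of netsh output, so on a localized Windows the PASSWORD column will silently be empty — worth documenting as a known limitation.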
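Review bot: `klist.exe` with an empty `CommandLine` lists tickets only for the logon session KAPE itself runs in, so an elevated or SYSTEM-context collection shows that account's tickets and not the interactive user's; the Description "Gets Kerberos Tickets" overstates this. Add a documentation line, e.g. `# Lists tickets for the collecting session only; use 'klist sessions' to enumerate logon sessions and 'klist -li <LUID>' (elevated) to target another one`, and consider a second processor with `CommandLine: sessions`.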
diff --git a/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape b/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape index 56049fc416..c3593a34e1 100644 --- a/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape +++ b/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape @@ -1,6 +1,6 @@ Description: NBTStat_NETBIOS_Cache -Category: LiveResponse -Author: Mike Cary +Category: Network Activity +Author: Mike Cary, Max Zabuty Version: 1.0 Id: d0309794-03b1-40bf-bbdd-12fe77f5e0a6 ExportFormat: txt @@ -9,7 +9,7 @@ Processors: Executable: C:\Windows\System32\nbtstat.exe CommandLine: -c ExportFormat: txt - ExportFile: netbios_cache.txt + ExportFile: NetBIOS Cache.txt # Documentation # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat diff --git a/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape b/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape index 7172c84c08..3553eedfe7 100644 --- a/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape +++ b/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape @@ -1,6 +1,6 @@ Description: NBTStat_NETBIOS_Sessions -Category: LiveResponse -Author: Mike Cary +Category: Network Activity +Author: Mike Cary, Max Zabuty Version: 1.0 Id: 340d77a6-a9bd-400b-b3b6-bdd5a2085e3c ExportFormat: txt @@ -9,7 +9,7 @@ Processors: Executable: C:\Windows\System32\nbtstat.exe CommandLine: -s ExportFormat: txt - ExportFile: netbios_sessions.txt + ExportFile: NetBIOS Session.txt # Documentation # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat diff --git a/Modules/Windows/Windows_nltest.mkape b/Modules/Windows/Windows_nltest.mkape new file mode 100644 index 0000000000..7d46715838 --- /dev/null +++ b/Modules/Windows/Windows_nltest.mkape 
@@ -0,0 +1,15 @@ +Description: Collects Domain Information +Category: LiveResponse +Author: Max Zabuty +Version: 1.0 +Id: 38eedacb-191a-43cf-aaf1-ff183c63c2e9 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\nltest.exe + CommandLine: /trusted_domains + ExportFormat: txt + ExportFile: DomainInformation.txt + +# Documentation +# https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731935(v=ws.11) diff --git a/Modules/Windows/Windows_schtasks.mkape b/Modules/Windows/Windows_schtasks.mkape index 25902bb1f9..ce5908ff55 100644 --- a/Modules/Windows/Windows_schtasks.mkape +++ b/Modules/Windows/Windows_schtasks.mkape @@ -1,7 +1,7 @@ Description: Displays all scheduled tasks -Category: LiveResponse +Category: Persistence Author: Brian Maloney -Version: 1.1 +Version: 1.2 Id: 66d26feb-6dd7-4b12-b88b-b43ee17cd2c7 ExportFormat: csv Processors: @@ -9,12 +9,12 @@ Processors: Executable: C:\Windows\System32\schtasks.exe CommandLine: /Query /V /FO CSV ExportFormat: csv - ExportFile: scheduled_tasks.csv + ExportFile: Scheduled Tasks.csv - Executable: C:\Windows\System32\schtasks.exe CommandLine: /Query /XML ExportFormat: xml - ExportFile: scheduled_tasks.xml + ExportFile: Scheduled Tasks.xml # Documentation # https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks diff --git a/Targets/Antivirus/ESET.tkape b/Targets/Antivirus/ESET.tkape index 197835fe28..a6c6374449 100644 --- a/Targets/Antivirus/ESET.tkape +++ b/Targets/Antivirus/ESET.tkape @@ -33,7 +33,7 @@ Targets: - Name: SYSTEM user quarantine Category: Antivirus - Path: C:\\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\ + Path: C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\ Recursive: true # Documentation diff --git a/Targets/Antivirus/MicrosoftSafetyScanner.tkape b/Targets/Antivirus/MicrosoftSafetyScanner.tkape new file mode 100644 index 0000000000..413226e192 --- /dev/null 
+++ b/Targets/Antivirus/MicrosoftSafetyScanner.tkape @@ -0,0 +1,14 @@ +Description: Microsoft Safety Scanner +Author: Geir Olav Skei +Version: 1.0 +Id: 8e425594-c433-4017-adcd-f5bbcde12492 +RecreateDirectories: true +Targets: + - + Name: Windows Safety Scanner Logs + Category: Antivirus + Path: C:\Windows\Debug\ + FileMask: msert.log + +# Documentation +# https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download diff --git a/Targets/Antivirus/WindowsDefender.tkape b/Targets/Antivirus/WindowsDefender.tkape index d93c821c69..e18d00f36e 100644 --- a/Targets/Antivirus/WindowsDefender.tkape +++ b/Targets/Antivirus/WindowsDefender.tkape @@ -44,6 +44,11 @@ Targets: Category: Antivirus Path: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ Recursive: true + - + Name: Windows Defender Detections.log + Category: Antivirus + Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\ + FileMask: Detections.log # Documentation # https://knez.github.io/posts/how-to-extract-quarantine-files-from-windows-defender/ diff --git a/Targets/Apps/4KVideoDownloader.tkape b/Targets/Apps/4KVideoDownloader.tkape index adae505ef0..6116e0a8f6 100644 --- a/Targets/Apps/4KVideoDownloader.tkape +++ b/Targets/Apps/4KVideoDownloader.tkape @@ -1,6 +1,6 @@ Description: 4K Video Downloader Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: e33d4392-459b-459e-82e0-d9c624adbfbc RecreateDirectories: true Targets: @@ -10,6 +10,12 @@ Targets: Path: C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader FileMask: "*.sqlite" Comment: "Grabs database(s) that stores user download history" + - + Name: 4K Video Downloader+ + Category: Apps + Path: C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader+\4K Video Downloader+ + FileMask: "*.sqlite" + Comment: "Grabs database(s) that stores user download history" # Documentation # https://www.4kdownload.com/products/product-videodownloader 
diff --git a/Targets/Apps/ISLOnline.tkape b/Targets/Apps/ISLOnline.tkape
new file mode 100644
index 0000000000..4147530959
--- /dev/null
+++ b/Targets/Apps/ISLOnline.tkape
@@ -0,0 +1,64 @@ +Description: ISLOnline Remote Access Tool +Author: Thomas Burnette +Version: 1.0 +Id: cf494b12-b096-43cf-99a7-c8031fc801b1 +RecreateDirectories: true +Targets: + - + Name: ISLOnline Logs - Sessions - *.out + Category: Communications + Path: C:\Users\%user%\AppData\Local\ISL Online Cache\ISL Light Client\*\ + FileMask: 'ISLClient.out' + Comment: "Collects client session logs for one or more sessions" + - + Name: ISLOnline Logs - Session Configurations + Category: Communications + Path: C:\Users\%user%\AppData\Local\ISL Online Cache\ISL Light Client\*\conf\ + FileMask: '*' + Comment: "Configurations for ISL Light sessions" + - + Name: ISL AlwaysOn Logs - Sessions List + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\ + FileMask: 'session.xml' + Comment: "Collects an xml file listing all sessions for ISL AlwaysOn (Unattended Access)" + - + Name: ISL AlwaysOn Logs - Sessions + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*\ + FileMask: 'trace.out' + Comment: "Detailed log for each session for ISL AlwaysOn (Unattended Access)" + - + Name: ISL AlwaysOn - App Logs + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\ + FileMask: '*.out' + Comment: "Application logs containg various artifacts." 
+ - + Name: ISL Light Logs - Sessions + Category: Communications + Path: C:\Users\%user%\AppData\Local\ISL Online Cache\ISL Light\*\ + FileMask: 'trace.out' + Comment: "Collects client session logs for one or more sessions" + - + Name: ISL AlwaysOn - Email Configuration + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\status\ + FileMask: 'tray' + Comment: "This file includes the email of the logged in user for ISL AlwaysOn (Unattended Access)" + - + Name: ISL AlwaysOn - Configuration + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\ + FileMask: 'StaticConfiguration.ini' + Comment: "Configuration information (port, http/htpps) for ISL AlwaysOn (Unattended Access)" + +# Documentation +# https://www.islonline.com/us/enus/ +# https://www.anomali.com/blog/anomali-cyber-watch-earth-kitsune-uses-chrome-native-messaging-for-persistence-wip26-targets-middle-east-telco-from-abused-clouds-azerbaijan-sponsored-group-geofenced-its-payloads-to-armenian-ips +# https://www.bleepingcomputer.com/news/security/coinbase-cyberattack-targeted-employees-with-fake-sms-alert/ +# ISL Online is a remote access tool with several methods of connecting to clients. ISL Light allows for installed or run once clients. +# ISL AlwaysOn allows for unattended access to clients and requires elevated privileges to install the ISL Online client. +# Forensic artifacts vary based on method of use. +# One of the most common methods of connecting to a client is to ask them to navigate to islonline.net and enter a connection code which will then download a single use ISL client. +# The most useful artifacts are ISLClient.out, trace.out, and session.xml. With these files you can identify how many sessions occured, when they occurred, as well as what took place (ie. file transfers in or out) diff --git a/Targets/Apps/ITarian.tkape b/Targets/Apps/ITarian.tkape new file mode 100644 index 0000000000..c2ed4aeddc --- /dev/null 
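Review bot: Several Comment strings in the new targets carry typos that will surface in KAPE's UI and reports: `containg` → `containing` (ISL AlwaysOn - App Logs), `htpps` → `https` (ISL AlwaysOn - Configuration), and `occured` → `occurred` in the documentation block. The session-log targets use `FileMask: 'trace.out'` and `'ISLClient.out'` under single-level wildcard directories without `Recursive: true`; if session folders nest deeper than one level this will miss logs — confirm against a live install before relying on it.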
+++ b/Targets/Apps/ITarian.tkape @@ -0,0 +1,29 @@ +Description: ITarian RMM +Author: Phill Moore +Version: 1.0 +Id: aa387dbf-3326-a9c7-4d61-7d62197341a3 +RecreateDirectories: true +Targets: + - + Name: ITarian + Category: Apps + Path: C:\Program Files\ITarian\Endpoint Manager\rmmlogs + Comment: "" + - + Name: ITarian + Category: Apps + Path: C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs + Comment: "" + - + Name: Comodo + Category: Apps + Path: C:\Program Files\Comodo\Endpoint Manager\rmmlogs + Comment: "" + - + Name: ITarian + Category: Apps + Path: C:\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs + Comment: "" + +# Documentation +# https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader diff --git a/Targets/Apps/Idrive.tkape b/Targets/Apps/Idrive.tkape new file mode 100644 index 0000000000..823344bf19 --- /dev/null +++ b/Targets/Apps/Idrive.tkape 
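Review bot: The fourth target (`Path: C:\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs`) is named `ITarian` although it collects the Comodo-branded path; rename it `Comodo` so the two product paths are distinguishable in the collection log, and fill the four empty `Comment: ""` fields with what rmmlogs holds, since the linked write-up is the only pointer. None of the targets set `Recursive: true` or a `FileMask`, so if KAPE's default non-recursive behaviour applies, any subfolders under rmmlogs are skipped — confirm the log layout against an install.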
@@ -0,0 +1,100 @@ +Description: Idrive Backup Artifacts +Author: Thomas Burnette +Version: 1.0 +Id: d5f9d7ac-4b34-47ad-beda-123c6f9cf73e +RecreateDirectories: true +Targets: + - + Name: Idrive Cleanup Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup\ + Recursive: true + FileMask: "*" + Comment: "Contains individual log files for each archive cleanup operation" + - + Name: Idrive Backup Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Backup\ + Recursive: true + FileMask: "*" + Comment: "Contains individual log files for each backup operation" + - + Name: Idrive Delete Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Delete\ + Recursive: true + FileMask: "*" + Comment: "Contains individual log files for each delete operation" + - + Name: Idrive Restore Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Restore\ + FileMask: "*" + Comment: "Contains individual log files for each restore operation" + - + Name: Idrive Backup Summary + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\LOGXML\ + FileMask: "*xml" + Comment: "Contains summary of each backup session" + - + Name: Idrive Tracefile + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Tracefile.txt + FileMask: "Tracefile.txt" + Comment: "Application log which includes error logs for failed uploads" + - + Name: Idrive Mapped Drives + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "IDMappedDrives.txt" + Comment: "List of mapped drives for backup" + - + Name: Idrive Backup Schedule + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "schedule.xml" + Comment: "Backup schedule configurations" + - + Name: Idrive Schedule History + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "Sch_Trace.txt" + Comment: "History of schedule configurations" + - + Name: Idrive Configuration + Category: Apps + Path: 
C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "idrive.ini" + Comment: "List of Idrive configuration options" + - + Name: Idrive Local Drives + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "get_Alldrives.txt" + Comment: "List of all local drives" + - + Name: Idrive Exclusion Configurations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "Exclude*" + Comment: "Files pertaining to exclusion configurations" + - + Name: Idrive User Details + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "AutoComp.ini" + Comment: "Idrive username, Scheduler notification emails, local username" + - + Name: Idrive SQL Databse + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\ + FileMask: "*.ibds" + Comment: "Sql database of local files that are backed up" + +# Documentation +# https://www.idrive.com/ +# IDrive provides Online cloud Backup for PCs, Macs, iPhones, Android and other Mobile Devices. +# The most important files are likely to be the log files locatd in C:\ProgramData\IDrive\IBCOMMON\*\Session\Backup\*. +# A new log file is created for each backup session and contains the file name, directory, file size, and time of backup for each file as well as a backup summary. +# The next most important file is likely to be C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.ibds, which is a Sqlite database that contains the file name, directory, and file size of files that are backed up from a local drive. diff --git a/Targets/Apps/Megasync.tkape b/Targets/Apps/Megasync.tkape new file mode 100644 index 0000000000..887e5ebda2 --- /dev/null +++ b/Targets/Apps/Megasync.tkape @@ -0,0 +1,14 @@ +Description: MegaSync Data Collection +Author: Vito Alfano +Version: 1.0 +Id: a6c7f66e-b37c-4895-98c3-4eb9775623cf +RecreateDirectories: true +Targets: + - + Name: MegaSync Folder + Category: ApplicationLogs + Path: C:\Users\%user%\AppData\Local\Mega Limited\MEGAsync\ + Recursive: true + +# Documentation +# N/A 
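Review bot: The `Idrive Restore Operations` target is the only one of the four `Session\<op>\` targets without `Recursive: true`, so nested restore logs (if the folder is structured like its Backup/Delete/Cleanup siblings) would be skipped; either add `Recursive: true` or note in the Comment why restore is flat. The `Idrive SQL Databse` FileMask is `*.ibds` here while the SQLiteDatabases.tkape entry for the identical path in this same commit uses `*.idbs`, so one of the two collects nothing — the documentation block in this file spells it `.ibds` twice, so the other file is the likely typo, but please confirm against a real install. Cosmetics in the same lines: `Databse` → `Database` in the Name, and `locatd` → `located` in the documentation.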
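Review bot: The single target grabs the entire `MEGAsync` folder with `Recursive: true`, no `FileMask` and no `Comment`, and the Documentation section is `N/A`, so an examiner gets no indication of what was collected or why the whole folder was needed. A short `Comment: "MEGAsync client data folder (logs, configuration, sync state)"` — adjusted to what the folder actually holds — plus a vendor documentation link would bring it in line with the other Apps targets in this commit.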
diff --git a/Targets/Apps/MeshAgent.tkape b/Targets/Apps/MeshAgent.tkape new file mode 100644 index 0000000000..458c808388 --- /dev/null +++ b/Targets/Apps/MeshAgent.tkape @@ -0,0 +1,25 @@ +Description: MeshAgent log and configuration files +Author: Geir Olav Skei, Atea IRT +Version: 1.0 +Id: a96457f4-a65e-42bb-8bc8-6ac3df680689 +RecreateDirectories: true +Targets: + - + Name: MeshAgent .msh (configuration) file + Category: Apps + Path: C:\Program Files\Mesh Agent\ + Recursive: true + FileMask: "*.msh" + Comment: "Grabs all .msh (config) files present in this folder" + - + Name: MeshAgent log file + Category: Logs + Path: C:\Program Files\Mesh Agent\ + Recursive: true + FileMask: "*.log" + Comment: "Grabs all .log files present in this folder" + +# Documentation +# https://github.com/Ylianst/MeshAgent +# https://ylianst.github.io/MeshCentral/meshcentral/agents/ +# https://meshcentral.com/ diff --git a/Targets/Apps/NetMonitorforEmployeesProfessional.tkape b/Targets/Apps/NetMonitorforEmployeesProfessional.tkape new file mode 100644 index 0000000000..df4df10856 --- /dev/null +++ b/Targets/Apps/NetMonitorforEmployeesProfessional.tkape 
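Review bot: Both targets are pinned to `C:\Program Files\Mesh Agent\`, whereas the NetMonitor target added in this same commit uses `C:\Program Files*\...` to cover 32-bit and 64-bit locations; unless MeshAgent is known to only ever install under the 64-bit directory, `Path: C:\Program Files*\Mesh Agent\` is the safer pattern, and a miss here would be silent. The two targets also use different Categories (`Apps` and `Logs`) for files from the same folder — pick one for consistency with the other RemoteAdmin targets. The `.msh` Comment would be more useful if it said what the config is good for; presumably it is where the controlling MeshCentral server is configured (that is what an examiner wants from this artifact), but confirm before stating it.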
@@ -0,0 +1,54 @@ +Description: Net Monitor for Employees Pro +Author: Tristan PINCEAUX - CERT CWATCH - ALMOND +Version: 1.0 +Id: f944d8e5-e7c6-49ac-9c26-b1360fa518cc +RecreateDirectories: true +Targets: + - + Name: Net Monitor Server Logs + Category: ApplicationLogs + Path: C:\ProgramData\Net Monitor for Employees Pro\log\%user%\ + Recursive: true + Comment: "Contains Net Monitor server logs" + + - + Name: Net Monitor Server Data + Category: Communication + Path: C:\ProgramData\Net Monitor for Employees Pro\data\ + Recursive: true + Comment: "Contains Net Monitor server data - Indicates what have been seen as the attacker" + + - + Name: Net Monitor Server Config + Category: Apps + Path: C:\ProgramData\Net Monitor for Employees Pro\config\ + Recursive: true + Comment: "Contains Net Monitor server config" + + - + Name: Net Monitor Server Temp Folder + Category: Apps + Path: C:\ProgramData\Net Monitor for Employees Pro\tmp\ + Recursive: true + + - + Name: Net Monitor Client Logs + Category: ApplicationLogs + Path: C:\Program Files*\Net Monitor for Employees Pro\log\ + Recursive: true + Comment: "Contains Net Monitor client logs" + + - + Name: Net Monitor Client Config + Category: ApplicationLogs + Path: C:\Program Files*\Net Monitor for Employees Pro\config\ + Recursive: true + Comment: "Contains Net Monitor client config" + +# Documentation +# https://networklookout.com/ +# https://networklookout.com/doc/NetMonitorForEmployees.pdf +# Net Monitor for employees is a monitoring software for office, that allows live screen monitoring and employee activity tracking. +# It can be used as remote access tool, to control applications and processes, to fetch and drop files on target, and to deploy further malicious binaries. +# It can also be used as a keylogger to collect further credentials on compromised targets. +# We have seen this tool used in financial scam and data theft. 
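Review bot: The `Net Monitor Server Data` target uses `Category: Communication` (singular) while the rest of the corpus, e.g. the ISLOnline targets in this same commit, uses `Communications`; and `Net Monitor Client Config` is filed under `ApplicationLogs` although the parallel `Net Monitor Server Config` entry uses `Apps`. The `Net Monitor Server Temp Folder` target has no Comment at all. The Comment `"Contains Net Monitor server data - Indicates what have been seen as the attacker"` reads awkwardly; suggest `Comment: "Contains Net Monitor server data - shows what the operator (attacker) was able to view on monitored clients"`.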
diff --git a/Targets/Apps/Notion.tkape b/Targets/Apps/Notion.tkape new file mode 100644 index 0000000000..4bc6c86202 --- /dev/null +++ b/Targets/Apps/Notion.tkape @@ -0,0 +1,24 @@ +Description: Notion Note-Taking App +Author: Thomas Burnette +Version: 1.0 +Id: 95afe81f-6301-4a7f-996b-c69443e7c2d9 +RecreateDirectories: true +Targets: + - + Name: Notion Local Storage + Category: App + Path: C:\Users\%user%\AppData\Roaming\Notion + FileMask: 'notion.db' + Comment: "Local storage file containing all pages, databases, users, etc." + - + Name: Notion Custom Dictionary + Category: App + Path: C:\Users\%user%\AppData\Roaming\Notion\Partitions\notion + FileMask: 'Custom Dictionary.txt' + +# Documentation +# https://www.notion.so/ +# Notion is a freemium productivity and note-taking app. It includes organizational tools such as task management, project tracking, to-do lists, and bookmarking. +# When using the Notion app for Windows, Notion stores all pages, users, databases, etc. in a SQLite database, notion.db. +# This includes creation and modification timestamps for all entries. +# Additionally, Notion stores the user's Custom Dictionary in a text file. diff --git a/Targets/Apps/QlikSense.tkape b/Targets/Apps/QlikSense.tkape new file mode 100644 index 0000000000..b233eb1bef --- /dev/null +++ b/Targets/Apps/QlikSense.tkape 
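Review bot: `FileMask: 'notion.db'` will not pick up SQLite sidecar files (`-wal`, `-shm`, `-journal`), which can hold the most recent writes; the SQLiteDatabases.tkape entry for Microsoft To Do uses `todosqlite.db*` for exactly this reason, so `FileMask: 'notion.db*'` is the consistent choice. Both targets use `Category: App` while every other application target in this commit uses `Apps`. The `Notion Custom Dictionary` target has no Comment; `Comment: "User-added spellcheck words; may reveal names, projects or terms typed by the user"` would explain why it is collected.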
@@ -0,0 +1,46 @@ +Description: Qlik Sense +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 6e979be3-4913-4d16-a508-cc3284194c2b +RecreateDirectories: true +Targets: + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.txt' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.log' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.txt' + Comment: "Collects the scheduler logs for Qlik Sense" + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.log' + Comment: "Collects the scheduler logs for Qlik Sense" + +# Documentation +# Qlik Sense is a powerful business intelligence solution that enables users to visualize and analyze complex data. +# We have seen three vulnerabilities (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed Qlik solution in a recent Cactus Ransomware Campaign: +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.shadowserver.org/what-we-do/network-reporting/critical-vulnerable-compromised-qlik-sense-special-report/ +# You can find details on the full exploit here: +# https://www.praetorian.com/blog/qlik-sense-technical-exploit/ +# https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/ diff --git a/Targets/Apps/Robo-FTP.tkape b/Targets/Apps/Robo-FTP.tkape new file mode 100644 index 0000000000..a4720d5157 --- /dev/null +++ b/Targets/Apps/Robo-FTP.tkape 
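Review bot: All four targets share the Name `Qlik Sense Logs`, so their collection output and any per-target logging are indistinguishable; name them by what they differ in, e.g. `Name: Qlik Sense Proxy Logs` / `Name: Qlik Sense Scheduler Logs`. `Category: Software` is not used by the neighbouring targets (`Apps`/`ApplicationLogs`), so this file will sort oddly in the output tree. Since the linked write-ups describe exploitation through the Proxy service and follow-on activity elsewhere on the server, it may be worth a documentation line stating why only the `Proxy` and `Scheduler` subfolders of `C:\ProgramData\Qlik\Sense\Log\` are collected, if other service subfolders exist there.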
@@ -0,0 +1,94 @@ +Description: Robo-FTP +Author: Thomas Burnette +Version: 1.0 +Id: d23bbad5-8c40-407f-9224-8a8e613f9730 +RecreateDirectories: true +Targets: + - + Name: Robo-FTP User Scripts + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\Scripts\ + FileMask: "*.s" + Comment: "Custom scripts created by each user" + - + Name: Robo-FTP User Debug Logs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\Debug\ + FileMask: "*.log" + Comment: "Debug logs generated for each user, if enabled" + - + Name: Robo-FTP User Script/Trace Logs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\Logs\ + FileMask: "*" + Comment: "Script and Trace logs generated for each user" + - + Name: Robo-FTP User XML Config + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\ + FileMask: "config.xml" + Comment: "Config.xml unique to each user. Contains list of custom scripts and ftp sites" + - + Name: Robo-FTP User SSH Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\SSH Keys\ + FileMask: "*" + Comment: "Saved SSH keys for each user" + - + Name: Robo-FTP User SSL Certificates + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates\ + FileMask: "*" + Comment: "Saved SSL Certificates for each user" + - + Name: Robo-FTP User PGP Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\PGP Keys\ + FileMask: "*" + Comment: "Saved PGP Keys for each user" + - + Name: Robo-FTP SSH Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\SSH Keys\ + FileMask: "*" + Comment: "Shared SSH keys" + - + Name: Robo-FTP SSL Certificates + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates\ + FileMask: "*" + Comment: "Shared SSL Certificates" + - + Name: Robo-FTP PGP Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\PGP Keys\ + FileMask: "*" + Comment: "Shared PGP Keys" + - + Name: Robo-FTP Debug Logs + Category: 
Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\Debug\ + FileMask: "*" + Comment: "Debug logs generated by Robo-FTP" + - + Name: Robo-FTP Script/Trace Logs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\Logs\ + FileMask: "*" + Comment: "Script and Trace logs generated by Robo-FTP" + - + Name: Robo-FTP XML Config + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\ + FileMask: "config.xml" + Comment: "Config.xml. Contains list of custom scripts and ftp sites" + - + Name: Robo-FTP Jobs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\ + FileMask: "SchedulerService.sqlite" + Comment: "Contains details of scheduled jobs" + +# Documentation +# https://www.robo-ftp.com/ +# Robo-FTP is an FTP client that is focused on automation through the use of scripts. diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape new file mode 100644 index 0000000000..530c1dbf19 --- /dev/null +++ b/Targets/Apps/Session.tkape @@ -0,0 +1,15 @@ +Description: Session Desktop +Author: Vito Alfano +Version: 1.0 +Id: c6633dbf-caea-48dc-90a0-25add823134d +RecreateDirectories: true +Targets: + - + Name: Session App Folder + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Session\ + Recursive: true + Comment: "Session App Folder" + +# Documentation +# N/A diff --git a/Targets/Apps/SupremoRemoteDesktop.tkape b/Targets/Apps/SupremoRemoteDesktop.tkape index 58e35f7eed..b1cc6fe0d1 100644 --- a/Targets/Apps/SupremoRemoteDesktop.tkape +++ b/Targets/Apps/SupremoRemoteDesktop.tkape @@ -1,6 +1,6 @@ Description: Supremo Remote Desktop Control Logs -Author: Sandro Heckendorn -Version: 1.0 +Author: epoxigen +Version: 1.1 Id: 0d88cf87-bbc5-4bcf-bb4f-2bc9a3e300f0 RecreateDirectories: true Targets: 
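Review bot: Every one of the fourteen Paths hard-codes `Robo-FTP 3.12`, so any other installed version is silently missed, while the SQLiteDatabases.tkape entry for the same `SchedulerService.sqlite` in this commit already uses `C:\Program Files\Robo-FTP *\ProgramData\`; use `Robo-FTP *` here too. The `SSH Keys`, `PGP Keys` and `SSL Certificates` targets (per-user and shared) will, by their names, pull private key material into the collection — worth stating in the Comments, e.g. `Comment: "Saved SSH keys for each user - likely includes private keys; treat the collection output as sensitive"`, so the container is handled accordingly. The hunk is also a good place to mention in the documentation that `config.xml` lists configured FTP sites, which may embed credentials, if that is the case.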
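Review bot: The Comment `"Session App Folder"` only repeats the Name, and the Documentation section is `N/A`, so this recursive grab of `C:\Users\%user%\AppData\Roaming\Session\` gives an examiner no hint of what is inside or which files matter. A Comment describing the contents (messenger configuration, attachments and local message store, if that is what the folder holds) and a vendor link would make the target self-explanatory.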
@@ -14,11 +14,13 @@ Targets: Name: Supremo File Transfer Inbox Category: Communications Path: C:\ProgramData\SupremoRemoteDesktop\Inbox - Comment: "Includes all files transferred to the inbox folder during a remote session" + Comment: "Includes files transferred to the inbox folder during a remote session. See Supremo.00.FileTransfer.log" # Documentation # https://www.supremocontrol.com/ # Supremo Remote Desktop is a Remote Access Tool similar to TeamViewer. # Supremo.00.Incoming.log is logging the incoming remote sessions. +# Supremo.00.ReportsQueue.log is logging device related information of remote sessions. # Supremo.00.Client.log is logging application events such as program start/exit and the client-server-connections to the Supremo servers. -# The Inbox is the destination folder for incoming transferred files and may contain evidence of malware when the software is misused for scams and other shenanigans. +# Supremo.00.FileTransfer.log is logging file transfers between remote sessions. +# Keep in mind: Files can be transferred to any location on the remote client, not only into the Inbox folder. diff --git a/Targets/Apps/UEMS.tkape b/Targets/Apps/UEMS.tkape new file mode 100644 index 0000000000..f9e513189d --- /dev/null +++ b/Targets/Apps/UEMS.tkape 
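Review bot: The updated Inbox Comment and documentation now point to `Supremo.00.FileTransfer.log` and `Supremo.00.ReportsQueue.log`, but whether any target in this file actually collects those logs is not visible in this hunk (the rest of the Targets list is outside it); if none does, the reference dangles and the reader cannot follow the "See ..." instruction. The new caveat that files can land anywhere on the client is a useful addition — it might be worth pairing it with a hint to check `Supremo.00.FileTransfer.log` for the destination paths, since the Inbox target alone cannot prove absence of transfers.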
@@ -0,0 +1,30 @@ +Description: UEMS Manage Engine Agent +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 3ff43bb0-ac44-4374-ac4e-dbe104d81b60 +RecreateDirectories: true +Targets: + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects all logs for UEMS" + + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects User logs for UEMS" + +# Documentation +# https://www.manageengine.com/unified-endpoint-management-security.html +# UEMS Manage Engine Agent is a remote access tool in the ManageEngine suite. +# We have observed this tool being deployed in a recent Cactus ransomware Campaign: +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/ +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ +# https://www.linkedin.com/pulse/wheres-my-logs-uems-zoho-meeting-edition-geir-olav-skei-ua2rfv diff --git a/Targets/Apps/VisualStudioCode.tkape b/Targets/Apps/VisualStudioCode.tkape new file mode 100644 index 0000000000..00f0f63105 --- /dev/null +++ b/Targets/Apps/VisualStudioCode.tkape 
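Review bot: Both targets carry the identical 60-character Name `Unified endpoint management and security solutions from ManageEngine`, so the normal and VirtualStore collections cannot be told apart; suggest `Name: UEMS Agent Logs` and `Name: UEMS Agent Logs (VirtualStore)`. `Category: RMM Tool` (with a space) is not used by any other remote-admin target in this change — they use `Apps` or `ApplicationLogs`. The first Path covers only `Program Files (x86)`; if a 64-bit install location exists, `C:\Program Files*\ManageEngine\UEMS_Agent\logs` (as the NetMonitor target does) would catch both.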
@@ -0,0 +1,57 @@ +Description: Visual Studio Code artifacts +Author: Sebastian Søgaard +Version: 1.0 +Id: f90fe4ce-b349-4010-8d41-3b7b8273e5fe +RecreateDirectories: true +Targets: + - + Name: VSCode Opened Files + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\User\History\*\ + Recursive: true + Comment: "Grabs the files in the VSCode history. These are files the user has opened with VSCode" + - + Name: VSCode Workspaces + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\User\globalStorage\ + FileMask: storage.json* + Comment: "Grabs the file containing information about the users workspaces" + - + Name: VSCode User extensions + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\CachedExtensions\ + FileMask: user* + Comment: "Grabs the files relating to the users installed extensions" + - + Name: VSCode User settings + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\User\ + FileMask: settings.json* + Comment: "Grabs the file containing the settings the user has set." + - + Name: VSCode User Preferences + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\ + FileMask: preferences* + Comment: "Grabs the file containing the preferences the user has set." + - + Name: VSCode Network Cookies + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\Network\ + FileMask: Cookies* + Comment: "Grabs the cookie files. Same format as Chromium Cookies" + - + Name: VSCode Network Persistent State + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\Network\ + FileMask: Network Persistent State* + Comment: "Grabs the Network Persistent State file. Same format as in Chromium" + - + Name: VSCode Logs + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\logs\ + Recursive: true + Comment: "Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital." + +# Documentation +# N/A 
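Review bot: The Comment on `VSCode Opened Files` says these are "files the user has opened", but what lives under `User\History\*\` appears to be VS Code's local-history snapshots, i.e. copies of edited file content rather than a list of paths — so this target collects source and whatever secrets were in those files; if confirmed, the Comment should say so (`Comment: "Local history snapshots of files edited in VSCode - contains file content, handle as sensitive"`). Similarly, `VSCode Network Cookies` may contain live authentication cookies for the user's signed-in services, which is worth a note for whoever handles the output. The Documentation section is `N/A`; a line on which of these artifacts carry timestamps would help triage.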
diff --git a/Targets/Apps/ZohoAssist.tkape b/Targets/Apps/ZohoAssist.tkape index 0d590b5bff..88973c9b6b 100644 --- a/Targets/Apps/ZohoAssist.tkape +++ b/Targets/Apps/ZohoAssist.tkape @@ -51,3 +51,4 @@ Targets: # Documentation # https://www.zoho.com/assist/kb/logs.html +# https://www.linkedin.com/pulse/wheres-my-logs-uems-zoho-meeting-edition-geir-olav-skei-ua2rf diff --git a/Targets/Browsers/EdgeChromium.tkape b/Targets/Browsers/EdgeChromium.tkape index ff36a89225..3828f1ac1a 100644 --- a/Targets/Browsers/EdgeChromium.tkape +++ b/Targets/Browsers/EdgeChromium.tkape @@ -17,7 +17,7 @@ Targets: - Name: Edge Cookies Category: Communications - Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\ + Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Network FileMask: Cookies* - Name: Edge Current Session diff --git a/Targets/Browsers/Vivaldi.tkape b/Targets/Browsers/Vivaldi.tkape new file mode 100644 index 0000000000..4dc1d3c6e5 --- /dev/null +++ b/Targets/Browsers/Vivaldi.tkape 
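Review bot: Narrowing the Edge Cookies Path to `...\User Data\*\Network` drops the location the removed line expected (the `Cookies` file directly under the profile folder), so profiles or builds that still keep it there will no longer be collected. The Vivaldi and Yandex targets added in this same commit avoid that by keeping `Path: ...\User Data\*\` with `Recursive: true` and `FileMask: Cookies*`, which catches both locations; the same three lines would work here. The new Path also lacks the trailing backslash used on every other Path in the file (cosmetic).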
@@ -0,0 +1,99 @@ +Description: Vivaldi Artifacts +Author: Sebastian Søgaard +Version: 1.0 +Id: 27893cda-f3c7-47df-aacd-2682d49a19e5 +RecreateDirectories: true +Targets: + - + Name: Vivaldi Cookies + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + Recursive: true + FileMask: Cookies* + - + Name: Vivaldi Network Persistent State + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + Recursive: true + FileMask: Network Persistent State + - + Name: Vivaldi Favicons + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Favicons* + - + Name: Vivaldi History + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: History* + - + Name: Vivaldi Sessions Folder + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\Sessions\ + Recursive: false + - + Name: Vivaldi Login Data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Login Data + - + Name: Vivaldi Network Action Predictor + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Network Action Predictor + - + Name: Vivaldi Preferences + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Preferences + - + Name: Vivaldi Top Sites + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Top Sites* + - + Name: Vivaldi Bookmarks + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Bookmarks* + - + Name: Vivaldi Visited Links + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Visited Links + - + Name: Vivaldi Web Data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Web Data* + - + Name: Vivaldi User Tracking + Category: 
Communications + Path: C:\Users\%user%\ + FileMask: .vivaldi_reporting_data* + - + Name: Vivaldi Calendar + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Calendar* + - + Name: Vivaldi Contacts + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Contacts* + - + Name: Vivaldi Notes + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Notes* + - + Name: Vivaldi Download Metadata + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: DownloadMetadata* + + +# Documentation +# For vivaldi user tracking, see here: https://vivaldi.com/blog/how-we-count-our-users/ +# Vivaldi is Chromium, so the same artifacts can be found, however Vivaldi has a few unique ones +# Like "Notes" diff --git a/Targets/Browsers/Yandex.tkape b/Targets/Browsers/Yandex.tkape new file mode 100644 index 0000000000..f2925719f6 --- /dev/null +++ b/Targets/Browsers/Yandex.tkape 
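Review bot: `FileMask: Login Data` and `FileMask: Network Persistent State` are the only masks in the file without a trailing `*`, so the `Login Data-journal` sidecar (and any `Login Data For Account`-style variants) are not collected; `FileMask: Login Data*` keeps it consistent with `History*`, `Cookies*`, etc. Since `Login Data` is the saved-credential store (as the Name implies), a Comment flagging that the output contains credential material would help whoever handles the collection. The `Vivaldi User Tracking` target reads `.vivaldi_reporting_data*` straight from `C:\Users\%user%\` — a Comment pointing to the linked blog post would explain why that file is relevant.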
@@ -0,0 +1,86 @@ +Description: Yandex Artifacts +Author: Sebastian Søgaard +Version: 1.0 +Id: 32399a9d-d891-49cc-9919-fa45cbe63683 +RecreateDirectories: true +Targets: + - + Name: Yandex Cookies + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + Recursive: true + FileMask: Cookies* + - + Name: Yandex Network Persistent State + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + Recursive: true + FileMask: Network Persistent State + - + Name: Yandex Favicons + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Favicons* + - + Name: Yandex History + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: History* + - + Name: Yandex Sessions Folder + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions\ + Recursive: false + - + Name: Yandex Login Data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Ya Passman Data* + - + Name: Yandex Network Action Predictor + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Network Action Predictor + - + Name: Yandex Preferences + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Preferences + - + Name: Yandex Top Sites + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Top Sites* + - + Name: Yandex Bookmarks + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Bookmarks* + - + Name: Yandex Visited Links + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Visited Links + - + Name: Yandex Web Data + Category: Communications + 
Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Web Data* + - + Name: Yandex Autofill data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Ya Autofill Data* + - + Name: Yandex Passman logs + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Passman Logs* + - + Name: Yandex Shortcuts + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Shortcuts* + +# Documentation +# N/A diff --git a/Targets/Compound/Antivirus.tkape b/Targets/Compound/Antivirus.tkape index 8287b99c52..7e39cbdb0b 100644 --- a/Targets/Compound/Antivirus.tkape +++ b/Targets/Compound/Antivirus.tkape @@ -60,6 +60,10 @@ Targets: Name: McAfee ePO Category: Antivirus Path: McAfee_ePO.tkape + - + Name: Microsoft Safety Scanner + Category: Antivirus + Path: MicrosoftSafetyScanner.tkape - Name: RogueKiller Category: Antivirus diff --git a/Targets/Compound/CloudStorage_All.tkape b/Targets/Compound/CloudStorage_All.tkape index 07692390aa..4dc536d4a0 100644 --- a/Targets/Compound/CloudStorage_All.tkape +++ b/Targets/Compound/CloudStorage_All.tkape @@ -1,6 +1,6 @@ Description: Cloud Storage Contents and Metadata Author: Chad Tilbury and Andrew Rathbun -Version: 1.3 +Version: 1.4 Id: 63c7ff1e-0fcb-45ae-9d72-29bf8458b6db RecreateDirectories: true Targets: @@ -32,6 +32,10 @@ Targets: Name: CloudStorage Metadata Category: Apps Path: CloudStorage_Metadata.tkape + - + Name: Idrive Backup + Category: Apps + Path: Idrive.tkape # Documentation # For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_online_backup_services. diff --git a/Targets/Compound/CombinedLogs.tkape b/Targets/Compound/CombinedLogs.tkape index ade49fa1b3..97c92ff159 100644 --- a/Targets/Compound/CombinedLogs.tkape +++ b/Targets/Compound/CombinedLogs.tkape 
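Review bot: The `Yandex Login Data` target collects `Ya Passman Data*` rather than the Chromium `Login Data` name the Name suggests, and nothing in the file explains the mapping; a `Comment: "Yandex's password store, equivalent of Chromium's Login Data"` (if that is indeed what it is) would save the next examiner a search. As in the Vivaldi file, `FileMask: Network Persistent State` is the one mask without a trailing `*`. The Documentation section is `N/A` — at minimum a pointer to where the `Ya Autofill Data` / `Passman Logs` formats are described would help.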
@@ -1,6 +1,6 @@ Description: Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs -Author: Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs target -Version: 1.2 +Author: Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs and PowerShell Transcripts target +Version: 1.3 Id: d4fdd600-15b1-4b78-bc77-88e724861d8d RecreateDirectories: true Targets: @@ -16,6 +16,10 @@ Targets: Name: PowerShell Console Log Category: PowerShellConsoleLog Path: PowerShellConsole.tkape + - + Name: PowerShell Transcripts + Category: PowerShellTranscripts + Path: PowerShellTranscripts.tkape - Name: Windows Firewall Log Category: WindowsFirewallLogs @@ -32,3 +36,4 @@ Targets: # Documentation # v1.1 - Added the USBDevicelogs target # v1.2 - Added the .NET CLR UsageLogs target +# v1.3 - Added the PowerShell Transcripts target diff --git a/Targets/Compound/Exchange.tkape b/Targets/Compound/Exchange.tkape index 77b8d9dffb..d17a3b15b0 100644 --- a/Targets/Compound/Exchange.tkape +++ b/Targets/Compound/Exchange.tkape @@ -1,6 +1,6 @@ Description: Exchange Log Files Author: Keith Twombley -Version: 1.0 +Version: 1.1 Id: 1b54aafe-5074-4d45-b129-29107ce7f863 RecreateDirectories: true Targets: @@ -12,6 +12,10 @@ Targets: Name: Exchange TransportRoles log files Category: Logs Path: ExchangeTransport.tkape + - + Name: Exchange Setup log file + Category: Logs + Path: ExchangeSetupLog.tkape # Documentation # N/A diff --git a/Targets/Compound/P2PClients.tkape b/Targets/Compound/P2PClients.tkape index 1d36a504ec..b56f84442a 100644 --- a/Targets/Compound/P2PClients.tkape +++ b/Targets/Compound/P2PClients.tkape @@ -1,6 +1,6 @@ Description: P2P Clients Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 4357b5ff-0bd4-41c0-a644-463ea0e14c48 RecreateDirectories: true Targets: 
@@ -8,6 +8,10 @@ Targets: Name: DC++ Category: FileDownload Path: DC++.tkape + - + Name: eMule + Category: FileDownload + Path: eMule.tkape - Name: FrostWire Category: FileDownload diff --git a/Targets/Compound/ProgramExecution.tkape b/Targets/Compound/ProgramExecution.tkape new file mode 100644 index 0000000000..90ae0b4439 --- /dev/null +++ b/Targets/Compound/ProgramExecution.tkape @@ -0,0 +1,57 @@ +Description: Program Execution Triage Collection +Author: Max Zabuty +Version: 1 +Id: c67f2cfe-0664-41d7-9536-daf3be778e84 +RecreateDirectories: true +Targets: + - + Name: Amcache + Category: ApplicationCompatibility + Path: Amcache.tkape + - + Name: AppCompatPCA + Category: ApplicationCompatibility + Path: AppCompatPCA.tkape + - + Name: Prefetch + Category: Prefetch + Path: Prefetch.tkape + - + Name: RecentFileCache + Category: ApplicationCompatibility + Path: RecentFileCache.tkape + - + Name: Syscache + Category: Syscache + Path: Syscache.tkape + - + Name: PowerShellTranscripts + Category: PowerShellTranscripts + Path: PowerShellTranscripts.tkape + - + Name: PowerShellConsole + Category: PowerShellConsole + Path: PowerShellConsole.tkape + - + Name: WBEM + Category: WBEM + Path: WBEM.tkape + - + Name: WER + Category: WER + Path: WER.tkape + - + Name: WindowsTimeline + Category: WindowsTimeline + Path: WindowsTimeline.tkape + - + Name: JumpLists + Category: JumpLists + Path: JumpLists.tkape + - + Name: .NET CLR UsageLogs + Category: .NET CLR UsageLogs + Path: NETCLRUsageLogs.tkape + +# Documentation +# Collecting different artifacts related to program execution on the host diff --git a/Targets/Compound/RegistryHives.tkape b/Targets/Compound/RegistryHives.tkape index c8b7db41bb..8e1ca14e6e 100644 --- a/Targets/Compound/RegistryHives.tkape +++ b/Targets/Compound/RegistryHives.tkape 
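Review bot: `Version: 1` breaks the `1.0` convention every other new target in this commit follows (and parses as an integer rather than a float in YAML), so `Version: 1.0` is the consistent choice. The Documentation line could say which artifacts were deliberately left out — for example the SYSTEM-hive based execution artifacts that `RegistryHives.tkape` covers are not included — so that users know whether this compound target is meant to be exhaustive or a lightweight subset.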
@@ -1,6 +1,6 @@ Description: System and user related Registry hives Author: Eric Zimmerman -Version: 1.1 +Version: 1.2 Id: 76af6086-bd0b-429f-bfd7-4a8e8ff8138f RecreateDirectories: true Targets: @@ -12,6 +12,10 @@ Targets: Name: User Level Registry Files Category: Registry Path: RegistryHivesUser.tkape + - + Name: MSIX Application Registry Files + Category: Registry + Path: RegistryHivesMSIXApps.tkape # Documentation # Please note, this Compound Target does NOT include the RegistryHivesOther Target on purpose. While they are technically Registry hives, they are not currently identified as being forensically significant. diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index a54d93ae39..1dc0e44b16 100644 --- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -1,6 +1,6 @@ Description: Composite target for files related to remote administration tools -Author: Drew Ervin, Mathias Frank, Andrew Rathbun -Version: 1.9 +Author: Drew Ervin, Mathias Frank, Andrew Rathbun, Phill Moore +Version: 2.0 Id: 31cf5a4e-c44c-4457-b11f-74dca73e141b RecreateDirectories: true Targets: @@ -24,6 +24,14 @@ Targets: Name: DWAgent Category: ApplicationLogs Path: DWAgent.tkape + - + Name: ISLOnline + Category: ApplicationLogs + Path: ISLOnline.tkape + - + Name: ITarian + Category: ApplicationLogs + Path: ITarian.tkape - Name: Kaseya Category: ApplicationLogs @@ -36,10 +44,18 @@ Targets: Name: LogMeIn Category: ApplicationLogs Path: LogMeIn.tkape + - + Name: MeshAgent + Category: ApplicationLogs + Path: MeshAgent.tkape - Name: mRemoteNG Category: ApplicationLogs Path: mRemoteNG.tkape + - + Name: NetMonitor + Category: ApplicationLogs + Path: NetMonitorforEmployeesProfessional.tkape - Name: Radmin Category: ApplicationLogs @@ -81,6 +97,10 @@ Targets: Name: TeamViewer Category: ApplicationLogs Path: TeamViewerLogs.tkape + - + Name: UEMS + Category: ApplicationLogs + Path: UEMS.tkape - Name: UltraViewer Category: ApplicationLogs 
diff --git a/Targets/Compound/SQLiteDatabases.tkape b/Targets/Compound/SQLiteDatabases.tkape index 8c1b369cd4..b5ff6cd39b 100644 --- a/Targets/Compound/SQLiteDatabases.tkape +++ b/Targets/Compound/SQLiteDatabases.tkape @@ -61,6 +61,14 @@ Targets: Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\ FileMask: todosqlite.db* + # Apps - Robo-FTP - Robo-FTP.tkape + + - + Name: Robo-FTP Jobs + Category: Apps + Path: C:\Program Files\Robo-FTP *\ProgramData\ + FileMask: "SchedulerService.sqlite" + # Apps - TeraCopy - TeraCopy.tkape - @@ -74,6 +82,19 @@ Targets: Path: C:\Users\%user%\AppData\Roaming\TeraCopy\ FileMask: main.db + # Apps - Notion - Notion.tkape + - + Name: Notion Local Storage + Category: App + Path: C:\Users\%user%\AppData\Roaming\Notion + FileMask: 'notion.db' + # Apps - Idrive - Idrive.tkape + - + Name: IDrive Backed Up Files + Category: App + Path: C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\ + FileMask: '*.idbs' + # Cloud Storage - Dropbox - Dropbox_Metadata.tkape - diff --git a/Targets/Compound/WebBrowsers.tkape b/Targets/Compound/WebBrowsers.tkape index 8aaa631ac5..ac1fa07a31 100644 --- a/Targets/Compound/WebBrowsers.tkape +++ b/Targets/Compound/WebBrowsers.tkape @@ -36,6 +36,14 @@ Targets: Name: Brave Browser Category: Communications Path: BraveBrowser.tkape + - + Name: Yandex Browser + Category: Communications + Path: Yandex.tkape + - + Name: Vivaldi Browser + Category: Communications + Path: Vivaldi.tkape # Documentation # For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_web_browsers. diff --git a/Targets/CompoundTargetGuide.guide b/Targets/CompoundTargetGuide.guide index 049a2c0938..a00315110e 100644 --- a/Targets/CompoundTargetGuide.guide +++ b/Targets/CompoundTargetGuide.guide 
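Review bot: The new Notion and IDrive entries in the second hunk use `Category: App`, while the Robo-FTP entry in the first hunk and the section headers (`# Apps - …`) use `Apps`, so these databases will presumably be grouped separately from the other application databases in the output. I'd change both to `Category: Apps`. Two smaller style points in the same hunk: the Notion `Path: C:\Users\%user%\AppData\Roaming\Notion` is the only path in the file without a trailing backslash, and the `# Apps - Idrive` header is not preceded by a blank line like its siblings.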
@@ -2,14 +2,14 @@ Description: Name of application/artifact here # Required, this will be visible within gKape on the Target side under the Description colum., Author: Your name here # Required Version: 1.0 # Required, increment as revisions are made. -Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. +Id: a0bd74ff-4848-4663-8093-865394b0da97 # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. RecreateDirectories: true # Required, true means the folder structure of the artifacts will be created within the user-specified Target Destination directory. If an artifact is buried 10 folders deep on the suspect's system, it will be buried 10 folders deep within the Target Destination folder. Targets: - Name: CompoundTarget1 # Required Category: Category # Required, it is recommended to use the Category referenced within the Target file itself to keep things consistent. Path: CompoundTarget1.tkape # Required, needs to exactly match the filename of the Target you're referencing, regardless of where the Target resides. KAPE will find it as long as it exists within the Targets folder. - Comments: "Comments go here" # Optional, and rarely used in Compound Targets, this won't be included in examples below. + Comment: "Comments go here" # Optional, and rarely used in Compound Targets, this won't be included in examples below. - Name: CompoundTarget2 Category: Category diff --git a/Targets/CompoundTargetTemplate.template b/Targets/CompoundTargetTemplate.template index a2b3bd87fc..3ece9855cd 100644 --- a/Targets/CompoundTargetTemplate.template +++ b/Targets/CompoundTargetTemplate.template 
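Review bot: Replacing the `Unique GUID here` placeholder on the Id line with a real GUID (`a0bd74ff-…`) means anyone who copies this guide without regenerating ships a Target whose Id collides with every other copy; the inline comment still says to generate one, but a valid-looking value is much easier to overlook than a placeholder. The same applies to the `89a28b16-…` value introduced in Targets/CompoundTargetTemplate.template. If the placeholder had to go (presumably so the file parses cleanly), I'd at least make the comment unmistakable: `# Required, REPLACE this example value - generate a new GUID within gKape …`.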
@@ -1,14 +1,14 @@ Description: Name of application/artifact here # Required Author: Your name here # Required Version: 1.0 # Required -Id: Unique GUID here # Required +Id: 89a28b16-15b1-476a-bd17-e3ba2602d5e0 # Required RecreateDirectories: true # Required Targets: - Name: CompoundTarget1 # Required Category: Category # Required Path: CompoundTarget1.tkape # Required - Comments: "Comments go here" # Optional + Comment: "Comments go here" # Optional - Name: CompoundTarget2 Category: Category diff --git a/Targets/Logs/PowerShellConsole.tkape b/Targets/Logs/PowerShellConsole.tkape index f2872ee006..e448025091 100644 --- a/Targets/Logs/PowerShellConsole.tkape +++ b/Targets/Logs/PowerShellConsole.tkape @@ -1,6 +1,6 @@ Description: PowerShell Console Log File -Author: Mike Cary -Version: 1.1 +Author: Mike Cary, 2thewes, Vikas Singh +Version: 1.2 Id: efa4332a-89eb-430c-ab61-006a9e6620d7 RecreateDirectories: true Targets: 
@@ -9,8 +9,29 @@ Targets: Category: PowerShellConsoleLog Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ FileMask: '*_history.txt' + - + Name: PowerShell Console Log Systemprofile + Category: PowerShellConsoleLog + Path: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ + FileMask: '*_history.txt' + - + Name: PowerShell Console Log WOW64 Systemprofile + Category: PowerShellConsoleLog + Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ + FileMask: '*_history.txt' + - + Name: PowerShell ISE - AutoSave Files + Category: PowerShellConsoleLog + Path: C:\Users\%user%\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles\ + FileMask: '*.ps1' + - + Name: PowerShell ISE - User Config + Category: PowerShellConsoleLog + Path: C:\Users\%user%\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\ + FileMask: '*.config' # Documentation +# https://vikas-singh.notion.site/PowerShell-Command-History-Forensics-81a35c4f0b824c2b95c28f98134d49a4?pvs=4 # https://community.sophos.com/malware/b/blog/posts/powershell-command-history-forensics # https://darizotas.blogspot.com/2018/10/forensics-powershell-artifacts.html # https://digital-forensics.sans.org/media/DFPS_FOR508_v4.4_1-19.pdf diff --git a/Targets/P2P/eMule.tkape b/Targets/P2P/eMule.tkape new file mode 100644 index 0000000000..48511a29fd --- /dev/null +++ b/Targets/P2P/eMule.tkape 
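Review bot: The two new systemprofile entries deserve a Comment explaining what they capture, because `C:\Windows\System32\config\systemprofile` and its SysWOW64 twin are the profile of the SYSTEM account rather than of a user: `Comment: "PSReadLine history for PowerShell sessions run as SYSTEM (services, scheduled tasks); the SysWOW64 path covers 32-bit hosts"`. The existing user-level entry spells the folder `PSReadline` while the new ones use `PSReadLine`; harmless on NTFS, but worth aligning. The two PowerShell ISE entries are categorised as `PowerShellConsoleLog` although they collect AutoSave `.ps1` files and ISE `.config` files rather than command history, which a short Comment should make clear to whoever triages the output.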
@@ -0,0 +1,29 @@ +Description: eMule +Author: Fábio Melo Pfeifer +Version: 1.0 +Id: dd4d5575-46aa-4618-9ecf-f8f9d7271b0c +RecreateDirectories: true +Targets: + - + Name: eMule Logs and Configuration Files + Category: FileDownload + Path: C:\Users\%user%\AppData\Local\eMule\ + Recursive: true + Comment: "Locates eMule logs and configuration files and copies them." + + - + Name: eMule part.met files + Category: FileDownload + Path: C:\ + FileMask: '*.part.met' + Recursive: true + Comment: "Locates eMule *.part.met files and copies them." + +# Documentation +# https://www.researchgate.net/publication/269080208_Identificacao_de_Artefatos_Periciais_do_eMule +# eMule is a file-sharing client which supports the eDonkey protocol. +# Logs are stored in .met format and must be viewed in a hex editor or parsed using a specific parser. +# known.met within the configuration folder will contain information on downloaded and uploaded files. +# AC_SearchStrings.dat contains searches conducted by the user. +# A .part.met file contains information about a current download. +# TKape was created for version 0.50a. diff --git a/Targets/README.md b/Targets/README.md index c514174a19..ef8c4dfe94 100644 --- a/Targets/README.md +++ b/Targets/README.md @@ -20,7 +20,7 @@ The Browsers folder contains Targets for web browsers. ### Compound -The Compund folder contains Targets that point to other Targets. +The Compound folder contains Targets that point to other Targets. ### Logs diff --git a/Targets/Windows/AppCompatPCA.tkape b/Targets/Windows/AppCompatPCA.tkape index 801411102e..59439d823b 100644 --- a/Targets/Windows/AppCompatPCA.tkape +++ b/Targets/Windows/AppCompatPCA.tkape 
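Review bot: The second entry walks the entire system drive (`Path: C:\` with `Recursive: true` and `FileMask: '*.part.met'`), which makes it by far the most expensive Target in this change and will also sweep up `.part.met` files unrelated to the user's eMule profile. If eMule's default download/temp locations are known to the author, I'd collect those explicitly and keep the drive-wide search as a separate, clearly labelled entry; at minimum the Comment should state the cost: `Comment: "Locates eMule *.part.met files anywhere on the drive; full-volume scan, slow on large disks."`.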
@@ -10,6 +10,8 @@ Targets: Path: C:\Windows\appcompat\pca # Documentation +# https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/ +# https://blog.sygnia.co/diving-into-the-new-windows-11-pca-artifact # Credit to rancio#4162 on the Digital Forensics Discord Server who noticed this artifact - https://discord.com/channels/427876741990711298/427936091220344833/1057680326484299786 # This artifact appears to be on Windows 11 only and will comprise of the following files: # C:\Windows\appcompat\pca\PcaAppLaunchDic.txt diff --git a/Targets/Windows/AssetAdvisorLog.tkape b/Targets/Windows/AssetAdvisorLog.tkape deleted file mode 100644 index 67f32b4b41..0000000000 --- a/Targets/Windows/AssetAdvisorLog.tkape +++ /dev/null @@ -1,16 +0,0 @@ -Description: Asset Advisor Log -Author: Andrew Rathbun -Version: 1.0 -Id: 700413f8-703b-44fb-9192-8830ac84b6b0 -RecreateDirectories: true -Targets: - - - Name: Asset Advisor Log - Category: Executables - Path: C:\Windows\CCM\Logs\AssetAdvisor.log - FileMask: EncapsulationLogging.hve - -# Documentation -# I have seen reference to malicious binaries associated with a user in this log -# Sample log entry -# ]LOG]!> diff --git a/Targets/Windows/CertUtil.tkape b/Targets/Windows/CertUtil.tkape index e7a207176d..a5f2f519e2 100644 --- a/Targets/Windows/CertUtil.tkape +++ b/Targets/Windows/CertUtil.tkape @@ -1,6 +1,6 @@ Description: Certutil -Author: NVISO (@NVISOsecurity) -Version: 1.0 +Author: NVISO (@NVISOsecurity), 2thewes +Version: 1.1 Id: ec903d15-64b5-4484-8786-94b2ad90bfb7 RecreateDirectories: true Targets: @@ -9,6 +9,11 @@ Targets: Category: FileKnowledge Path: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\ Recursive: true + - + Name: System WOW64 CryptnetUrlCache + Category: FileKnowledge + Path: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\ + Recursive: true - Name: User CryptnetUrlCache Category: FileKnowledge 
diff --git a/Targets/Windows/ExchangeSetupLog.tkape b/Targets/Windows/ExchangeSetupLog.tkape
new file mode 100644
index 0000000000..782a50cdb2
--- /dev/null
+++ b/Targets/Windows/ExchangeSetupLog.tkape
@@ -0,0 +1,16 @@
+Description: Exchange Setup Log
+Author: 2thewes
+Version: 1.0
+Id: 8becbf27-06bf-460c-a582-868db54359bf
+RecreateDirectories: true
+Targets:
+ -
+ Name: Exchange Setup Log file
+ Category: Logs
+ Path: C:\ExchangeSetupLogs\
+ FileMask: "ExchangeSetup.log"
+ Comment: "The Exchange Setup log tracks the progress of every task during the Exchange installation and configuration."
+
+# Documentation
+# https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/verify-installation#review-the-windows-application-log-and-the-exchange-setup-log
+# https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
diff --git a/Targets/Apps/ExchangeTransport.tkape b/Targets/Windows/ExchangeTransport.tkape
similarity index 100%
rename from Targets/Apps/ExchangeTransport.tkape
rename to Targets/Windows/ExchangeTransport.tkape
diff --git a/Targets/Windows/HostsFile.tkape b/Targets/Windows/HostsFile.tkape
new file mode 100644
index 0000000000..0ce3118b34
--- /dev/null
+++ b/Targets/Windows/HostsFile.tkape
@@ -0,0 +1,14 @@
+Description: Hosts file
+Author: Max Zabuty
+Version: 1.0
+Id: 6f045c9b-5d0c-42ec-ab09-050b9853a5e9
+RecreateDirectories: true
+Targets:
+ -
+ Name: HostsFile
+ Category: HostsFile
+ Path: C:\Windows\System32\drivers\etc\
+ FileMask: 'Hosts'
+
+# Documentation
+# N/A
diff --git a/Targets/Windows/IconCacheDB.tkape b/Targets/Windows/IconCacheDB.tkape
new file mode 100644
index 0000000000..1af172457d
--- /dev/null
+++ b/Targets/Windows/IconCacheDB.tkape
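Review bot: The new HostsFile.tkape leaves `# Documentation` at `# N/A`, and a one-line Comment would tell an examiner why the file is collected: `Comment: "The hosts file overrides DNS resolution; unexpected entries can indicate blocked update/telemetry hosts or redirected traffic"`. `FileMask: 'Hosts'` works because NTFS lookups are case-insensitive, but the file is created as lowercase `hosts`, and matching the on-disk name avoids surprises if the mask is ever applied on a case-sensitive volume. `Category: HostsFile` is also a brand-new category; if an existing broader one fits (the other network-configuration Targets are not visible in this diff), reusing it would keep the output tree flatter.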
@@ -0,0 +1,14 @@
+Description: IconCache.db files
+Author: Herbert Bärschneider @SEC Consult
+Version: 1.0
+Id: 4e447ad0-4fda-44f6-9f82-1ae9ac47a8d4
+RecreateDirectories: true
+Targets:
+ -
+ Name: Windows IconCache DB
+ Category: IconCache
+ Path: C:\Users\%user%\AppData\Local\
+ FileMask: IconCache.db
+
+# Documentation
+# https://www.sciencedirect.com/science/article/abs/pii/S1742287614000607
diff --git a/Targets/Windows/JumpLists.tkape b/Targets/Windows/JumpLists.tkape
new file mode 100644
index 0000000000..ec8cbae5db
--- /dev/null
+++ b/Targets/Windows/JumpLists.tkape
@@ -0,0 +1,20 @@
+Description: Jump lists
+Author: Max Zabuty
+Version: 1
+Id: 2e354bdc-e418-438e-8439-c21c83c64e11
+RecreateDirectories: true
+Targets:
+ -
+ Name: JumpLists from CustomDestinations
+ Category: JumpLists
+ Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
+ Recursive: true
+ -
+ Name: JumpLists from CustomDestinations
+ Category: JumpLists
+ Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
+ Recursive: true
+
+# Documentation
+# https://www.forensafe.com/blogs/jumplist.html
+# https://dfir.pubpub.org/pub/wfuxlu9v/release/1
diff --git a/Targets/Windows/Notepad.tkape b/Targets/Windows/Notepad.tkape
index db58b4a70e..2836d592ab 100644
--- a/Targets/Windows/Notepad.tkape
+++ b/Targets/Windows/Notepad.tkape
@@ -7,7 +7,7 @@ Targets:
 -
 Name: Notepad Session Files
 Category: Windows Notepad
- Path: C:\Users\%user%Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState
+ Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState
 FileMask: "*.bin"
 Comment: "Contains .bin files which consist of the files opened in each tab in Windows Notepad"
diff --git a/Targets/Windows/PerfLogs.tkape b/Targets/Windows/PerfLogs.tkape
new file mode 100644
index 0000000000..a91bb0eae4
--- /dev/null
+++ b/Targets/Windows/PerfLogs.tkape
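Review bot: Both entries in the new JumpLists.tkape are named `JumpLists from CustomDestinations`, but the first one's Path is the `AutomaticDestinations` folder, so the first Name should read `Name: JumpLists from AutomaticDestinations`; the Name is what distinguishes the two collections. `Version: 1` here also differs from the `1.0` form the other Targets use.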
@@ -0,0 +1,14 @@
+Description: Perflogs Folder Copy
+Author: Vito Alfano
+Version: 1.0
+Id: b87302c9-fe0e-4d07-9f9f-64c5b73c80a2
+RecreateDirectories: true
+Targets:
+ -
+ Name: Perflogs
+ Category: Application
+ Path: C:\PerfLogs\
+ Recursive: true
+
+# Documentation
+# N/A
diff --git a/Targets/Windows/PowerShellTranscripts.tkape b/Targets/Windows/PowerShellTranscripts.tkape
index 7443b2b78f..d4bc594c55 100644
--- a/Targets/Windows/PowerShellTranscripts.tkape
+++ b/Targets/Windows/PowerShellTranscripts.tkape
@@ -1,12 +1,17 @@
 Description: PowerShell Transcripts
 Author: Andrew Rathbun and Chad Tilbury
-Version: 1.0
+Version: 1.1
 Id: 316cd490-7a40-4518-aade-1de070191f3d
 RecreateDirectories: true
 Targets:
 -
 Name: PowerShell Transcripts - Default Location
 Category: PowerShellTranscripts
+ Path: C:\Users\%user%\Documents\
+ FileMask: 'PowerShell_transcript.*.txt'
+ -
+ Name: PowerShell Transcripts - Observed Location
+ Category: PowerShellTranscripts
 Path: C:\Users\%user%\Documents\20*\
 FileMask: 'PowerShell_transcript.*.txt'
 -
@@ -26,9 +31,11 @@ Targets:
 FileMask: 'PowerShell_transcript.*.txt'
 # Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.host/start-transcript
 # https://lazyadmin.nl/powershell/start-transcript/
 # https://www.stigviewer.com/stig/windows_10/2021-03-10/finding/V-230220
 # https://www.itprotoday.com/powershell/how-use-automatic-powershell-transcription
+# https://artefacts.help/windows_powershell_transcript.html
 # These logs appears when auditing is turned on via Group Policy or Start-Transcript is used during PowerShell execution
 # As more locations are observed, they will be added here
-# Example location (default): c:\users\name\documents\20220301\PowerShell_transcript.DEVICENAME.qp9EOTN2.20220301132612.txt
+# Example location: C:\Users\USERNAME\Documents\20220301\PowerShell_transcript.DEVICENAME.qp9EOTN2.20220301132612.txt
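Review bot: The PerfLogs entry would benefit from a Comment telling the examiner what to expect, since `C:\PerfLogs` is normally empty or holds Performance Monitor output and is frequently reported as a drop/staging folder in intrusions precisely because it is rarely watched: `Comment: "Normally empty or Performance Monitor data; unexpected binaries or archives here are a common staging indicator"`. `Category: Application` is a loose fit for a system folder, and `# Documentation` / `# N/A` could at least point at the Performance Monitor data-collector-set documentation if the author has a reference.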
diff --git a/Targets/Windows/ProgramData.tkape b/Targets/Windows/ProgramData.tkape new file mode 100644 index 0000000000..4c6985ed29 --- /dev/null +++ b/Targets/Windows/ProgramData.tkape @@ -0,0 +1,14 @@ +Description: ProgramData Folder Copy +Author: Vito Alfano +Version: 1.0 +Id: 4f1c3500-57cf-4c34-9ede-434c193a2c77 +RecreateDirectories: true +Targets: + - + Name: ProgramData + Category: Application Data + Path: C:\ProgramData\ + Recursive: true + +# Documentation +# N/A diff --git a/Targets/Windows/PushNotification.tkape b/Targets/Windows/PushNotification.tkape index 180c78c0b5..91bd4b9cb5 100644 --- a/Targets/Windows/PushNotification.tkape +++ b/Targets/Windows/PushNotification.tkape @@ -7,12 +7,12 @@ Targets: - Name: WNS Category: WNS - Path: C:\Users\%user\AppData\Local\Microsoft\Windows\Notifications\ + Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\Notifications\ FileMask: appdb.dat - Name: WNS Category: WNS - Path: C:\Users\%user\AppData\Local\Microsoft\Windows\Notifications\ + Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\Notifications\ FileMask: wpndatabase.db # Documentation diff --git a/Targets/Windows/RDPJumplist.tkape b/Targets/Windows/RDPJumplist.tkape new file mode 100644 index 0000000000..d811de9fc1 --- /dev/null +++ b/Targets/Windows/RDPJumplist.tkape @@ -0,0 +1,14 @@ +Description: RDP Jumplist Files +Author: Vito Alfano +Version: 1.0 +Id: da62b852-7af2-4882-ac83-ff3e142da2ef +RecreateDirectories: true +Targets: + - + Name: RDP Jumplist Files + Category: FileSystem + Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\ + Recursive: true + +# Documentation +# https://www.zerofox.com/blog/remote-desktop-application-vs-mstsc-forensics-the-rdp-artifacts-you-might-be-missing/ diff --git a/Targets/Windows/RecentFolders.tkape b/Targets/Windows/RecentFolders.tkape new file mode 100644 index 0000000000..037b83091d --- /dev/null +++ b/Targets/Windows/RecentFolders.tkape 
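Review bot: `Path: C:\ProgramData\` with `Recursive: true` and no FileMask copies the entire ProgramData tree, which on a managed host easily runs to many gigabytes (package caches, AV signature stores, SCCM caches) and will dominate collection time and output size; the same applies to `C:\Users\%user%\` in the new Targets/Windows/UsersFolders.tkape. If these are deliberate full-folder dumps, the Description should say so and a Comment should warn about the cost, e.g. `Comment: "Full copy of C:\ProgramData; very large on managed hosts, use only when no targeted Target covers the artifact"`. Both files also leave `# Documentation` at `# N/A`.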
@@ -0,0 +1,19 @@ +Description: Recent Folders LNK files +Author: Max Zabuty +Version: 1 +Id: 103c8de7-3303-41ea-98d5-35ea1a3ae1ae +RecreateDirectories: true +Targets: + - + Name: LNK Files from Recent + Category: File and Folder Usage + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\ + Recursive: true + - + Name: LNK Files from Microsoft Office Recent + Category: File and Folder Usage + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Office\Recent\ + Recursive: true + +# Documentation +# https://www.cybertriage.com/artifact/windows-recents-folder-artifact/ diff --git a/Targets/Windows/SCCMClientLogs.tkape b/Targets/Windows/SCCMClientLogs.tkape new file mode 100644 index 0000000000..3ec369431e --- /dev/null +++ b/Targets/Windows/SCCMClientLogs.tkape @@ -0,0 +1,18 @@ +Description: SCCM Client Log Files +Author: Andrew Rathbun +Version: 1.0 +Id: 700413f8-703b-44fb-9192-8830ac84b6b0 +RecreateDirectories: true +Targets: + - + Name: SCCM Client Log Files + Category: Logs + Path: C:\Windows\CCM\Logs + +# Documentation +# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/about-log-files#locating-log-files +# Previous version of this Target: https://github.com/EricZimmerman/KapeFiles/commit/2199b6b7749b2f066e9f54a16626160279ab7948 +# +# I have seen reference to malicious binaries associated with a user in a log found in this folder +# Sample log entry: +# ]LOG]!> diff --git a/Targets/Windows/StartupFolders.tkape b/Targets/Windows/StartupFolders.tkape index 18acfcdcf2..19f6388e78 100644 --- a/Targets/Windows/StartupFolders.tkape +++ b/Targets/Windows/StartupFolders.tkape 
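Review bot: The first entry collects `C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\` recursively, so it also pulls the AutomaticDestinations and CustomDestinations subfolders that the new Targets/Windows/JumpLists.tkape collects on its own, and a compound Target that includes both would copy the jump lists twice. If the intent is LNK files only, `FileMask: '*.lnk'` would scope it, and a Comment noting the overlap would help either way. `Version: 1` again differs from the `1.0` form used elsewhere.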
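Review bot: The new SCCMClientLogs.tkape reuses Id `700413f8-703b-44fb-9192-8830ac84b6b0` from the AssetAdvisorLog.tkape that this change deletes; that is safe only while both halves ship together, and anyone who keeps a copy of the old file ends up with two Targets sharing one Id. A short comment next to the Id, `# Id carried over from the retired AssetAdvisorLog.tkape`, makes the reuse visibly intentional. `Path: C:\Windows\CCM\Logs` without `Recursive: true` presumably collects only the top-level log files, so if the subfolders under Logs matter, say so or add the flag.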
@@ -7,11 +7,11 @@ Targets: - Name: User startup folders Category: Persistence - Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs - Name: System-wide startup folder Category: Persistence - Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp + Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs # Documentation # https://attack.mitre.org/techniques/T1547/001/ diff --git a/Targets/Windows/UsersFolders.tkape b/Targets/Windows/UsersFolders.tkape new file mode 100644 index 0000000000..1873b135bb --- /dev/null +++ b/Targets/Windows/UsersFolders.tkape @@ -0,0 +1,14 @@ +Description: Users folders Dump +Author: Vito Alfano +Version: 1.0 +Id: 0eb51e6a-1286-42fe-bfdc-401356003395 +RecreateDirectories: true +Targets: + - + Name: Users + Category: Application + Path: C:\Users\%user%\ + Recursive: true + +# Documentation +# N/A diff --git a/Targets/Windows/WindowsCopilotRecall.tkape b/Targets/Windows/WindowsCopilotRecall.tkape new file mode 100644 index 0000000000..9ebf96414a --- /dev/null +++ b/Targets/Windows/WindowsCopilotRecall.tkape @@ -0,0 +1,17 @@ +Description: Windows Copilot+ Recall +Author: Zach Stanford/Phill Moore +Version: 1.0 +Id: 333b716c-468e-48e7-960b-248526029dda +RecreateDirectories: true +Targets: + - + Name: Recall folder + Category: FileKnowledge + Path: C:\Users\*\AppData\Local\CoreAIPlatform.00\UKP\ + Recursive: true + +# Documentation +# Files and folder related to Copilot+ Recall +# https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e +# https://cybercx.com.au/blog/forensic-applications-of-microsoft-recall/ +# https://github.com/xaitax/TotalRecall diff --git a/Targets/Windows/WindowsTimeline.tkape b/Targets/Windows/WindowsTimeline.tkape index 174c4f547a..1b97ccac0e 100644 --- a/Targets/Windows/WindowsTimeline.tkape 
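Review bot: Dropping `\Startup` from both Paths widens the collection from the persistence-relevant Startup folder to the whole `Start Menu\Programs` tree, and nothing in the hunk says why; whether the Startup subfolder is still picked up depends on `Recursive` and `FileMask` settings that sit outside the hunk. I'd either keep the Startup entries and add a separate entry for the parent folder, or document the intent inline: `Comment: "Collects the full Programs folder; the Startup subfolder is the autostart location (T1547.001)"`. The file's Version and Author lines are also outside the hunk and should be bumped for a behavioural change like this.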
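Review bot: The Recall entry uses `Path: C:\Users\*\AppData\Local\CoreAIPlatform.00\UKP\`, whereas every other user-profile Target in this change uses the `%user%` variable; unless the wildcard is deliberate, `Path: C:\Users\%user%\AppData\Local\CoreAIPlatform.00\UKP\` keeps the convention. Given what the linked references' titles describe (a record of everything the user typed or viewed), a Comment flagging the sensitivity of this data and the need to handle the collected output accordingly would be appropriate here.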
+++ b/Targets/Windows/WindowsTimeline.tkape @@ -1,13 +1,14 @@ Description: ActivitiesCache.db collector -Author: Lee Whitfield -Version: 1.0 +Author: Lee Whitfield, Thomas DIOT (Qazeer) +Version: 1.1 Id: 8315040f-c9a4-455a-b02c-96372583f436 RecreateDirectories: true Targets: - Name: ActivitiesCache.db Category: FileFolderAccess - Path: C:\Users\%user%\AppData\Local\ConnectedDevicesPlatform\*\ + Path: C:\Users\%user%\AppData\Local\ConnectedDevicesPlatform\ + Recursive: true FileMask: ActivitiesCache.db* # Documentation