From 3f6616c5d2fc9ff5222effda265839c0fdc49bd1 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:14:04 -0500 Subject: [PATCH 001/146] Update AppCompatPCA.tkape add documentation --- Targets/Windows/AppCompatPCA.tkape | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Targets/Windows/AppCompatPCA.tkape b/Targets/Windows/AppCompatPCA.tkape index 801411102..59439d823 100644 --- a/Targets/Windows/AppCompatPCA.tkape +++ b/Targets/Windows/AppCompatPCA.tkape @@ -10,6 +10,8 @@ Targets: Path: C:\Windows\appcompat\pca # Documentation +# https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/ +# https://blog.sygnia.co/diving-into-the-new-windows-11-pca-artifact # Credit to rancio#4162 on the Digital Forensics Discord Server who noticed this artifact - https://discord.com/channels/427876741990711298/427936091220344833/1057680326484299786 # This artifact appears to be on Windows 11 only and will comprise of the following files: # C:\Windows\appcompat\pca\PcaAppLaunchDic.txt From 326ef5647b337b6eb855d08d17cf77fd0e898a15 Mon Sep 17 00:00:00 2001 From: chadtilbury Date: Mon, 4 Dec 2023 20:25:36 -0700 Subject: [PATCH 002/146] Update RegistryHives.tkape --- Targets/Compound/RegistryHives.tkape | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Targets/Compound/RegistryHives.tkape b/Targets/Compound/RegistryHives.tkape index c8b7db41b..a4dc93413 100644 --- a/Targets/Compound/RegistryHives.tkape +++ b/Targets/Compound/RegistryHives.tkape @@ -12,6 +12,10 @@ Targets: Name: User Level Registry Files Category: Registry Path: RegistryHivesUser.tkape + - + Name: MSIX Application Registry Files + Category: Registry + Path: RegistryHivesMSIXApps.tkape # Documentation # Please note, this Compound Target does NOT include the RegistryHivesOther Target on purpose. While they are technically Registry hives, they are not currently identified as being forensically significant. 
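Review bot: The new Compound entry in RegistryHives.tkape points at `Path: RegistryHivesMSIXApps.tkape`, but no commit in the visible part of this series adds or modifies that file. A Compound Target entry is resolved by finding the named .tkape under the Targets tree, so if it is not already present the MSIX hive entry cannot be resolved at run time and the collection silently covers less than the name promises; worth confirming the file exists before this lands. A short comment under `# Documentation` naming what the MSIX hives are (per-package registry.dat hives, if that is what the referenced Target collects — to be confirmed) would also help readers of the compound.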
From fdc42f95fb898732164b0ba1d13c3e08a7dec201 Mon Sep 17 00:00:00 2001 From: chadtilbury Date: Mon, 4 Dec 2023 20:27:58 -0700 Subject: [PATCH 003/146] Update Version --- Targets/Compound/RegistryHives.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Compound/RegistryHives.tkape b/Targets/Compound/RegistryHives.tkape index a4dc93413..8e1ca14e6 100644 --- a/Targets/Compound/RegistryHives.tkape +++ b/Targets/Compound/RegistryHives.tkape @@ -1,6 +1,6 @@ Description: System and user related Registry hives Author: Eric Zimmerman -Version: 1.1 +Version: 1.2 Id: 76af6086-bd0b-429f-bfd7-4a8e8ff8138f RecreateDirectories: true Targets: From c1c544ec78df8ab91c62dcf033a859454918402c Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 5 Dec 2023 09:50:24 -0500 Subject: [PATCH 004/146] Update Notepad.tkape added missing backslash --- Targets/Windows/Notepad.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/Notepad.tkape b/Targets/Windows/Notepad.tkape index db58b4a70..1915536d0 100644 --- a/Targets/Windows/Notepad.tkape +++ b/Targets/Windows/Notepad.tkape @@ -7,7 +7,7 @@ Targets: - Name: Notepad Session Files Category: Windows Notepad - Path: C:\Users\%user%Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState + Path: C:\Users\%user%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState FileMask: "*.bin" Comment: "Contains .bin files which consist of the files opened in each tab in Windows Notepad" From 3a326acca473955e57cd6d45cddb36c6e8d06f1b Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 6 Dec 2023 09:33:20 -0500 Subject: [PATCH 005/146] Update Notepad.tkape add msising Local\AppData to path --- Targets/Windows/Notepad.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Targets/Windows/Notepad.tkape b/Targets/Windows/Notepad.tkape index 1915536d0..994ec0f85 100644 --- a/Targets/Windows/Notepad.tkape +++ b/Targets/Windows/Notepad.tkape @@ -7,7 +7,7 @@ Targets: - Name: Notepad Session Files Category: Windows Notepad - Path: C:\Users\%user%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState + Path: C:\Users\%user%\Local\AppData\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState FileMask: "*.bin" Comment: "Contains .bin files which consist of the files opened in each tab in Windows Notepad" From 205e8390c54c487552f22391fcd2780b504e8ed0 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 6 Dec 2023 09:34:06 -0500 Subject: [PATCH 006/146] Update Notepad.tkape woops, reverse it --- Targets/Windows/Notepad.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/Notepad.tkape b/Targets/Windows/Notepad.tkape index 994ec0f85..2836d592a 100644 --- a/Targets/Windows/Notepad.tkape +++ b/Targets/Windows/Notepad.tkape @@ -7,7 +7,7 @@ Targets: - Name: Notepad Session Files Category: Windows Notepad - Path: C:\Users\%user%\Local\AppData\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState + Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState FileMask: "*.bin" Comment: "Contains .bin files which consist of the files opened in each tab in Windows Notepad" From fdc6077a2b0d48151eef4a4e840990bf1e4274f2 Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Mon, 25 Dec 2023 18:22:21 +1100 Subject: [PATCH 007/146] Update SRUMDump.mkape --- Modules/Apps/GitHub/SRUMDump.mkape | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/Apps/GitHub/SRUMDump.mkape b/Modules/Apps/GitHub/SRUMDump.mkape index 6c4acf70b..c234d044f 100644 --- a/Modules/Apps/GitHub/SRUMDump.mkape +++ b/Modules/Apps/GitHub/SRUMDump.mkape 
@@ -1,14 +1,14 @@ Description: 'SRUM-dump: Dump contents of the SRUM database' Category: SystemActivity Author: Brian Maloney, Jay Houlden, Vito Alfano -Version: 1.2 +Version: 1.3 Id: 74ee622c-2fb2-11ee-be56-0242ac120002 -BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.5/srum_dump2.exe +BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.6/srum_dump2.6.exe ExportFormat: xlsx Processors: - - Executable: srum_dump2.exe - CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\sdrum_dump_result.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet + Executable: srum_dump.exe + CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\srum_dump_result.xlsx --XLSX_TEMPLATE SRUM_TEMPLATE3.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet ExportFormat: xlsx # Documentation From 441b792ff846e078aaab90ef2b4ca867333ec705 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 28 Dec 2023 15:49:49 +0100 Subject: [PATCH 008/146] Create Megasync.tkape --- Targets/Apps/Megasync.tkape | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Targets/Apps/Megasync.tkape diff --git a/Targets/Apps/Megasync.tkape b/Targets/Apps/Megasync.tkape new file mode 100644 index 000000000..887e5ebda --- /dev/null +++ b/Targets/Apps/Megasync.tkape @@ -0,0 +1,14 @@ +Description: MegaSync Data Collection +Author: Vito Alfano +Version: 1.0 +Id: a6c7f66e-b37c-4895-98c3-4eb9775623cf +RecreateDirectories: true +Targets: + - + Name: MegaSync Folder + Category: ApplicationLogs + Path: C:\Users\%user%\AppData\Local\Mega Limited\MEGAsync\ + Recursive: true + +# Documentation +# N/A From cdf28a6c0bf842311e87c646e78bc3e243536dcc Mon Sep 17 00:00:00 2001 
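Review bot: The updated `Executable: srum_dump.exe` no longer matches the file name that the new `BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.6/srum_dump2.6.exe` downloads; unless the binary is renamed by hand after download, KAPE will look for an executable name that is not in its bin folder. The new `--XLSX_TEMPLATE SRUM_TEMPLATE3.xlsx` argument also references a template with no path and no download URL anywhere in the module, so the documentation block should state where that file comes from and where it must be placed (presumably beside the executable — to be confirmed). The documentation lines after `# Documentation` continue outside this hunk.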
From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:11:02 +0100 Subject: [PATCH 009/146] Create ProgramData.tkape --- Targets/Windows/ProgramData.tkape | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 Targets/Windows/ProgramData.tkape diff --git a/Targets/Windows/ProgramData.tkape b/Targets/Windows/ProgramData.tkape new file mode 100644 index 000000000..c3cd6fafb --- /dev/null +++ b/Targets/Windows/ProgramData.tkape @@ -0,0 +1,13 @@ +Description: ProgramData Folder Copy +Author: Vito Alfano +Version: 1.0 +Id: 4f1c3500-57cf-4c34-9ede-434c193a2c77 +RecreateDirectories: true +Targets: + - + Name: Perflogs + Category: Application Data + Path: C:\ProgramData\ + Recursive: true + +# N/A From 24991e6a76a4d76436ad5f22c734cbf0e01f7fef Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:12:45 +0100 Subject: [PATCH 010/146] Create PerfLogs.tkape --- Targets/Windows/PerfLogs.tkape | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 Targets/Windows/PerfLogs.tkape diff --git a/Targets/Windows/PerfLogs.tkape b/Targets/Windows/PerfLogs.tkape new file mode 100644 index 000000000..8d3d838af --- /dev/null +++ b/Targets/Windows/PerfLogs.tkape @@ -0,0 +1,13 @@ +Description: Perflog Folder Copy +Author: Vito Alfano +Version: 1.0 +Id: b87302c9-fe0e-4d07-9f9f-64c5b73c80a2 +RecreateDirectories: true +Targets: + - + Name: Perflogs + Category: Application + Path: C:\PerfLogs\ + Recursive: true + +# N/A From fd2834d89fba71263d74bfefe97b06d0c5ee648d Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 28 Dec 2023 11:13:26 -0500 Subject: [PATCH 011/146] Update ProgramData.tkape --- Targets/Windows/ProgramData.tkape | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Targets/Windows/ProgramData.tkape b/Targets/Windows/ProgramData.tkape index c3cd6fafb..349475248 100644 --- a/Targets/Windows/ProgramData.tkape 
+++ b/Targets/Windows/ProgramData.tkape @@ -5,9 +5,10 @@ Id: 4f1c3500-57cf-4c34-9ede-434c193a2c77 RecreateDirectories: true Targets: - - Name: Perflogs + Name: ProgramData Category: Application Data Path: C:\ProgramData\ Recursive: true +# Documentation # N/A From 109b833e5e5da002539e6b69c41d39896534a40d Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 28 Dec 2023 11:13:51 -0500 Subject: [PATCH 012/146] Update PerfLogs.tkape --- Targets/Windows/PerfLogs.tkape | 1 + 1 file changed, 1 insertion(+) diff --git a/Targets/Windows/PerfLogs.tkape b/Targets/Windows/PerfLogs.tkape index 8d3d838af..ece7c2721 100644 --- a/Targets/Windows/PerfLogs.tkape +++ b/Targets/Windows/PerfLogs.tkape @@ -10,4 +10,5 @@ Targets: Path: C:\PerfLogs\ Recursive: true +# Documentation # N/A From 8b96dd04fd45c2aae094375760ab2b3bee0f1db9 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:14:51 +0100 Subject: [PATCH 013/146] Update ProgramData.tkape From 4e6700f8a35f070d315e31b55937143fbe09211a Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 28 Dec 2023 17:17:09 +0100 Subject: [PATCH 014/146] Update PerfLogs.tkape --- Targets/Windows/PerfLogs.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/PerfLogs.tkape b/Targets/Windows/PerfLogs.tkape index ece7c2721..072b9e171 100644 --- a/Targets/Windows/PerfLogs.tkape +++ b/Targets/Windows/PerfLogs.tkape @@ -1,7 +1,7 @@ Description: Perflog Folder Copy Author: Vito Alfano Version: 1.0 -Id: b87302c9-fe0e-4d07-9f9f-64c5b73c80a2 +Id: b87302c9-fe0e-4d07-9f9f-64c5b73c80a2 RecreateDirectories: true Targets: - From 48be271a50babfb95f872bdf3761bdfdea8b23ea Mon Sep 17 00:00:00 2001 
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 28 Dec 2023 11:20:17 -0500 Subject: [PATCH 015/146] Update PerfLogs.tkape --- Targets/Windows/PerfLogs.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/PerfLogs.tkape b/Targets/Windows/PerfLogs.tkape index 072b9e171..ad3ea389d 100644 --- a/Targets/Windows/PerfLogs.tkape +++ b/Targets/Windows/PerfLogs.tkape @@ -1,4 +1,4 @@ -Description: Perflog Folder Copy +Description: Perflogs Folder Copy Author: Vito Alfano Version: 1.0 Id: b87302c9-fe0e-4d07-9f9f-64c5b73c80a2 From fc42f298bef9b9ae520934b9664fbd0598208482 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 28 Dec 2023 11:26:38 -0500 Subject: [PATCH 016/146] Update PerfLogs.tkape --- Targets/Windows/PerfLogs.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/PerfLogs.tkape b/Targets/Windows/PerfLogs.tkape index ad3ea389d..a91bb0eae 100644 --- a/Targets/Windows/PerfLogs.tkape +++ b/Targets/Windows/PerfLogs.tkape @@ -1,7 +1,7 @@ Description: Perflogs Folder Copy Author: Vito Alfano Version: 1.0 -Id: b87302c9-fe0e-4d07-9f9f-64c5b73c80a2 +Id: b87302c9-fe0e-4d07-9f9f-64c5b73c80a2 RecreateDirectories: true Targets: - From 9b367b75f97ffc87688e4a5ce60e98dfabb994c5 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 28 Dec 2023 11:26:49 -0500 Subject: [PATCH 017/146] Update ProgramData.tkape --- Targets/Windows/ProgramData.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/ProgramData.tkape b/Targets/Windows/ProgramData.tkape index 349475248..4c6985ed2 100644 --- a/Targets/Windows/ProgramData.tkape +++ b/Targets/Windows/ProgramData.tkape 
@@ -1,7 +1,7 @@ Description: ProgramData Folder Copy Author: Vito Alfano Version: 1.0 -Id: 4f1c3500-57cf-4c34-9ede-434c193a2c77 +Id: 4f1c3500-57cf-4c34-9ede-434c193a2c77 RecreateDirectories: true Targets: - From 2f2f965d93417bc1e5a1079ebbc64d54148bccaf Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Tue, 2 Jan 2024 16:28:05 +0100 Subject: [PATCH 018/146] Create UsersFolders --- Targets/Windows/UsersFolders | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Targets/Windows/UsersFolders diff --git a/Targets/Windows/UsersFolders b/Targets/Windows/UsersFolders new file mode 100644 index 000000000..d844c2755 --- /dev/null +++ b/Targets/Windows/UsersFolders @@ -0,0 +1,14 @@ +Description: Users folders Dump +Author: Vito Alfano +Version: 1.0 +Id: 0eb51e6a-1286-42fe-bfdc-401356003395 +RecreateDirectories: true +Targets: + - + Name: Users + Category: Application + Path: C:\Users\ + Recursive: true + +# Documentation +# N/A From 30fbaf6a325a471e024e4d910de0393a4a8ac60b Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Tue, 2 Jan 2024 16:56:07 +0100 Subject: [PATCH 019/146] Update UsersFolders --- Targets/Windows/UsersFolders | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/UsersFolders b/Targets/Windows/UsersFolders index d844c2755..1873b135b 100644 --- a/Targets/Windows/UsersFolders +++ b/Targets/Windows/UsersFolders @@ -7,7 +7,7 @@ Targets: - Name: Users Category: Application - Path: C:\Users\ + Path: C:\Users\%user%\ Recursive: true # Documentation From 3d74f6f4b17c1d803946e3c5a7cdd7847fda27c9 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 17 Jan 2024 13:11:34 -0500 Subject: [PATCH 020/146] Comments -> Comment in Target Guide/Template --- Targets/CompoundTargetGuide.guide | 2 +- Targets/CompoundTargetTemplate.template | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
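Review bot: The new file is created as `Targets/Windows/UsersFolders` with no `.tkape` extension, unlike every other Target added in this series; KAPE enumerates Targets by that extension, so this file is unlikely to be picked up until it is renamed to `UsersFolders.tkape`. The following hunk (the `Path: C:\Users\%user%\` change) edits the same file and inherits the problem, so one rename covers both. `Category: Application` is also a loose fit for a whole-profile copy; the `Application Data` value used by ProgramData.tkape earlier in the series, or a user-profile category, would be more consistent.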
diff --git a/Targets/CompoundTargetGuide.guide b/Targets/CompoundTargetGuide.guide index 049a2c093..cfcdf2f4a 100644 --- a/Targets/CompoundTargetGuide.guide +++ b/Targets/CompoundTargetGuide.guide @@ -9,7 +9,7 @@ Targets: Name: CompoundTarget1 # Required Category: Category # Required, it is recommended to use the Category referenced within the Target file itself to keep things consistent. Path: CompoundTarget1.tkape # Required, needs to exactly match the filename of the Target you're referencing, regardless of where the Target resides. KAPE will find it as long as it exists within the Targets folder. - Comments: "Comments go here" # Optional, and rarely used in Compound Targets, this won't be included in examples below. + Comment: "Comments go here" # Optional, and rarely used in Compound Targets, this won't be included in examples below. - Name: CompoundTarget2 Category: Category diff --git a/Targets/CompoundTargetTemplate.template b/Targets/CompoundTargetTemplate.template index a2b3bd87f..0da5fffc2 100644 --- a/Targets/CompoundTargetTemplate.template +++ b/Targets/CompoundTargetTemplate.template @@ -8,7 +8,7 @@ Targets: Name: CompoundTarget1 # Required Category: Category # Required Path: CompoundTarget1.tkape # Required - Comments: "Comments go here" # Optional + Comment: "Comments go here" # Optional - Name: CompoundTarget2 Category: Category From ea2ed18fa3e70b510d455a6449ab8ce5658c789f Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 17 Jan 2024 13:15:39 -0500 Subject: [PATCH 021/146] update GUIDs --- Modules/CompoundModuleGuide.guide | 2 +- Modules/CompoundModuleTemplate.template | 2 +- Targets/CompoundTargetGuide.guide | 2 +- Targets/CompoundTargetTemplate.template | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/CompoundModuleGuide.guide b/Modules/CompoundModuleGuide.guide index e42885782..de125ea21 100644 --- a/Modules/CompoundModuleGuide.guide 
+++ b/Modules/CompoundModuleGuide.guide @@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored Author: FirstName LastName # Make sure you get credit for your work Version: 1.0 # Required, iterate as necessary -Id: 62308e3b-5e67-4612-b472-24e0c85fccfe # Required, unique GUID is required for every KAPE Target/Module +Id: b407d036-eef7-47ba-bd82-5fd5785e1af8 # Required, unique GUID is required for every KAPE Target/Module BinaryUrl: https://url.goes.here.com # Required ExportFormat: csv # Required FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module diff --git a/Modules/CompoundModuleTemplate.template b/Modules/CompoundModuleTemplate.template index 52a1be753..bcebf7544 100644 --- a/Modules/CompoundModuleTemplate.template +++ b/Modules/CompoundModuleTemplate.template @@ -2,7 +2,7 @@ Description: Name of application/artifact here Category: Misc Author: FirstName LastName Version: 1.0 -Id: b61ccd7a-3f8a-4347-b5ac-21486aaa76c4 +Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea BinaryUrl: https://url.goes.here.com ExportFormat: csv FileMask: FileName.exe diff --git a/Targets/CompoundTargetGuide.guide b/Targets/CompoundTargetGuide.guide index cfcdf2f4a..a00315110 100644 --- a/Targets/CompoundTargetGuide.guide +++ b/Targets/CompoundTargetGuide.guide 
@@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required, this will be visible within gKape on the Target side under the Description colum., Author: Your name here # Required Version: 1.0 # Required, increment as revisions are made. -Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. +Id: a0bd74ff-4848-4663-8093-865394b0da97 # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. RecreateDirectories: true # Required, true means the folder structure of the artifacts will be created within the user-specified Target Destination directory. If an artifact is buried 10 folders deep on the suspect's system, it will be buried 10 folders deep within the Target Destination folder. Targets: - diff --git a/Targets/CompoundTargetTemplate.template b/Targets/CompoundTargetTemplate.template index 0da5fffc2..3ece9855c 100644 --- a/Targets/CompoundTargetTemplate.template +++ b/Targets/CompoundTargetTemplate.template @@ -1,7 +1,7 @@ Description: Name of application/artifact here # Required Author: Your name here # Required Version: 1.0 # Required -Id: Unique GUID here # Required +Id: 89a28b16-15b1-476a-bd17-e3ba2602d5e0 # Required RecreateDirectories: true # Required Targets: - From a93ad760d625516813b26b967e9f94f4d68d9d62 Mon Sep 17 00:00:00 2001 From: Qazeer Date: Wed, 31 Jan 2024 12:48:55 +0100 Subject: [PATCH 022/146] Add Mplog-Parser to parse Windows Defender MPLog --- Modules/Apps/GitHub/Mplog-Parser.mkape | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 Modules/Apps/GitHub/Mplog-Parser.mkape diff --git a/Modules/Apps/GitHub/Mplog-Parser.mkape b/Modules/Apps/GitHub/Mplog-Parser.mkape new file mode 100644 index 000000000..bad3401b9 --- /dev/null +++ b/Modules/Apps/GitHub/Mplog-Parser.mkape 
@@ -0,0 +1,21 @@ +Description: 'Mplog-Parser: parses Microsoft Protection log files into CSV files' +Category: Antivirus +Author: Thomas DIOT (Qazeer) +Version: 1.0 +Id: 6084c8ab-2059-41a4-89f4-dba2cfdb4bb4 +BinaryUrl: https://github.com/Qazeer/mplog_parser-compiled/releases/download/v1.0/mplog_parser.exe +ExportFormat: csv +Processors: + - + Executable: mplog_parser.exe + CommandLine: -d "%SourceDirectory%\ProgramData\Microsoft\Windows Defender\Support" -o "%destinationDirectory%" + ExportFormat: csv + +# Documentation +# Mplog-Parser parses Microsoft Protection log files into a number of CSV files. +# mplog_parser source: https://github.com/Intrinsec/mplog_parser +# Compiled version: https://github.com/Qazeer/mplog_parser-compiled +# Information on Windows Defender MPLog: +# https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/ +# https://www.intrinsec.com/hunt-mplogs/ +# https://artefacts.help/windows_defender_support_logs.html From 274691d20893c0f895301f50ca718fbf66f2d760 Mon Sep 17 00:00:00 2001 From: Qazeer Date: Thu, 1 Feb 2024 00:06:20 +0100 Subject: [PATCH 023/146] Add the no wizard flag for new hayabusa version --- Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape b/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape index d7dc1b5df..d98ea53ca 100644 --- a/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape +++ b/Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape 
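Review bot: The new CommandLine in Mplog-Parser.mkape mixes variable casing: `-d "%SourceDirectory%\ProgramData\Microsoft\Windows Defender\Support" -o "%destinationDirectory%"`, while every other module in this series spells the first one `%sourceDirectory%`. Whether KAPE's variable substitution is case-insensitive is not verifiable from this patch; using the lower-case form is safe either way and keeps the file consistent with its neighbours. The BinaryUrl points to a separately compiled build of the upstream tool hosted in a personal repository (`Qazeer/mplog_parser-compiled`); documenting how that build was produced, or the release hash to compare against, in the `# Documentation` block would let users of the module verify what they are running against their evidence.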
@@ -1,14 +1,14 @@ Description: Hayabusa a timeline generator for Windows event logs - Offline Category: EventLogs Author: Georg Lauenstein (sure[secure]) -Version: 1.3 +Version: 1.4 Id: 49f9cd2d-3da5-4349-a9aa-c2b450582ccc BinaryUrl: https://github.com/Yamato-Security/hayabusa/releases ExportFormat: csv Processors: - Executable: hayabusa\hayabusa.exe - CommandLine: csv-timeline -d %sourceDirectory% --profile standard --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv + CommandLine: csv-timeline -d %sourceDirectory% --profile standard -w --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv ExportFormat: csv # Documentation From ee02bc7d69f2e7d39cf07a9c27d10cddacea831c Mon Sep 17 00:00:00 2001 From: Hyun Yi Date: Sun, 11 Feb 2024 20:56:53 +0900 Subject: [PATCH 024/146] argument specification has been changed --- Modules/Apps/NTFSLogTracker_$J.mkape | 2 +- Modules/Apps/NTFSLogTracker_$LogFile.mkape | 8 ++++---- Modules/Compound/NTFSLogTracker.mkape | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Modules/Apps/NTFSLogTracker_$J.mkape b/Modules/Apps/NTFSLogTracker_$J.mkape index 5fb2f306d..57cad27b3 100644 --- a/Modules/Apps/NTFSLogTracker_$J.mkape +++ b/Modules/Apps/NTFSLogTracker_$J.mkape @@ -3,7 +3,7 @@ Category: FileSystem Author: Hyun Yi @hyuunnn and Vito Alfano Version: 1.1 Id: 74ee5d04-2fb2-11ee-be56-0242ac120002 -BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web +BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/ ExportFormat: sqlite3 FileMask: $J Processors: diff --git a/Modules/Apps/NTFSLogTracker_$LogFile.mkape b/Modules/Apps/NTFSLogTracker_$LogFile.mkape index 0511706f8..6c270e0ce 100644 --- a/Modules/Apps/NTFSLogTracker_$LogFile.mkape +++ b/Modules/Apps/NTFSLogTracker_$LogFile.mkape 
@@ -3,17 +3,17 @@ Category: FileSystem Author: Hyun Yi @hyuunnn and Vito Alfano Version: 1.1 Id: 74ee60a6-2fb2-11ee-be56-0242ac120002 -BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web +BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/ ExportFormat: sqlite3 -FileMask: $J +FileMask: $LogFile Processors: - Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe - CommandLine: -u %sourceFile% -o %destinationDirectory% + CommandLine: -l %sourceFile% -o %destinationDirectory% ExportFormat: sqlite3 - Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe - CommandLine: -u %sourceFile% -o %destinationDirectory% -c + CommandLine: -l %sourceFile% -o %destinationDirectory% -c ExportFormat: csv # Documentation diff --git a/Modules/Compound/NTFSLogTracker.mkape b/Modules/Compound/NTFSLogTracker.mkape index 420320773..0ed73668a 100644 --- a/Modules/Compound/NTFSLogTracker.mkape +++ b/Modules/Compound/NTFSLogTracker.mkape @@ -3,7 +3,7 @@ Category: FileSystem Author: Hyun Yi @hyuunnn Version: 1.0 Id: 094e8964-ea15-4be1-869d-7b8fa1b55ada -BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/NTFS Log Tracker v1.6 CMD.zip +BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/ ExportFormat: sqlite3 Processors: - From f041145c195693827265f30a03974f57d799ee95 Mon Sep 17 00:00:00 2001 From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com> Date: Tue, 20 Feb 2024 16:22:13 +0100 Subject: [PATCH 025/146] Create NetMonitorforEmployeesProfessional.tkape --- .../NetMonitorforEmployeesProfessional.tkape | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 Targets/Apps/NetMonitorforEmployeesProfessional.tkape diff --git a/Targets/Apps/NetMonitorforEmployeesProfessional.tkape b/Targets/Apps/NetMonitorforEmployeesProfessional.tkape new file mode 100644 index 000000000..ea2ac8a4f --- /dev/null 
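Review bot: Version stays at `Version: 1.1` in NTFSLogTracker_$LogFile.mkape even though both `FileMask: $LogFile` and the two `-l %sourceFile%` CommandLines change what the module does; elsewhere in this series (RegistryHives, SRUMDump, hayabusa) behavioural edits bump the Version, so `Version: 1.2` would keep the convention. The three BinaryUrl edits also replace direct download links with the tool's landing page, which means the `NTFS Log Tracker v1.71 CMD\` folder name in Executable can no longer be cross-checked against a specific release; a comment in the documentation block naming the expected version would help. The documentation section of the $LogFile module continues outside this hunk.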
+++ b/Targets/Apps/NetMonitorforEmployeesProfessional.tkape @@ -0,0 +1,54 @@ +Description: Net Monitor for Employees Pro +Author: Tristan PINCEAUX - CERT CWATCH - ALMOND +Version: 1.0 +Id: f944d8e5-e7c6-49ac-9c26-b1360fa518cc +RecreateDirectories: true +Targets: + - + Name: Net Monitor Server Logs + Category: ApplicationLogs + Path: C:\ProgramData\Net Monitor for Employees Pro\log\%user%\ + Recursive: true + Comment: "Contains Net Monitor server logs" + + - + Name: Net Monitor Server Data + Category: Communication + Path: C:\ProgramData\Net Monitor for Employees Pro\data\ + Recursive: true + Comment: "Contains Net Monitor server data - Indicates what have been seen as the attacker" + + - + Name: Net Monitor Server Config + Category: Apps + Path: C:\ProgramData\Net Monitor for Employees Pro\config\ + Recursive: true + Comment: "Contains Net Monitor server config" + + - + Name: Net Monitor Server Temp Folder + Category: Apps + Path: C:\ProgramData\Net Monitor for Employees Pro\tmp\ + Recursive: true + + - + Name: Net Monitor Client Logs + Category: ApplicationLogs + Path: C:\Program Files*\Net Monitor for Employees Pro\log\ + Recursive: true + Comment: "Contains Net Monitor client logs" + + - + Name: Net Monitor Client Config + Category: ApplicationLogs + Path: C:\Program Files*\Net Monitor for Employees Pro\config\ + Recursive: true + Comment: "Contains Net Monitor client config" + +# Documentation +# https://networklookout.com/ +# https://networklookout.com/doc/NetMonitorForEmployees.pdf +# Net Monitor for employees is a monitoring software for office, that allows live screen monitoring and employee activity tracking. +# It can be used as remote access tool, to control applications and processes, to fetch and drop files on target, and to deploy further malicious binaries. +# It can also be used as a keylogger to collect further credentials on compromised targets. +# We have seen this tool used in financial scam and data theft. 
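Review bot: Category values in the new NetMonitorforEmployeesProfessional.tkape are inconsistent across parallel entries: server config is `Category: Apps` while client config is `Category: ApplicationLogs`, and server data is `Category: Communication`; the server and client config entries at least should share one value so the collection groups predictably. The `Net Monitor Server Temp Folder` entry is the only one without a Comment. The comment `"Contains Net Monitor server data - Indicates what have been seen as the attacker"` reads awkwardly; `"Contains Net Monitor server data - shows what the operator could see on monitored hosts"` states the intent more clearly.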
From 62a98b080b43165aaa834142f1bc723e8abc88ed Mon Sep 17 00:00:00 2001 From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com> Date: Tue, 20 Feb 2024 16:23:04 +0100 Subject: [PATCH 026/146] Update RemoteAdmin.tkape --- Targets/Compound/RemoteAdmin.tkape | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index a54d93ae3..e542a0070 100644 --- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -40,6 +40,10 @@ Targets: Name: mRemoteNG Category: ApplicationLogs Path: mRemoteNG.tkape + - + Name: NetMonitor + Category: ApplicationLogs + Path: NetMonitorforEmployeesProfessional.tkape - Name: Radmin Category: ApplicationLogs From 5153cd2e9b5c1923536208a2849d28d74ef7497d Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:56:21 -0500 Subject: [PATCH 027/146] Update NetMonitorforEmployeesProfessional.tkape remove errant new line --- Targets/Apps/NetMonitorforEmployeesProfessional.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Apps/NetMonitorforEmployeesProfessional.tkape b/Targets/Apps/NetMonitorforEmployeesProfessional.tkape index ea2ac8a4f..df4df1085 100644 --- a/Targets/Apps/NetMonitorforEmployeesProfessional.tkape +++ b/Targets/Apps/NetMonitorforEmployeesProfessional.tkape @@ -51,4 +51,4 @@ Targets: # Net Monitor for employees is a monitoring software for office, that allows live screen monitoring and employee activity tracking. # It can be used as remote access tool, to control applications and processes, to fetch and drop files on target, and to deploy further malicious binaries. # It can also be used as a keylogger to collect further credentials on compromised targets. -# We have seen this tool used in financial scam and data theft. +# We have seen this tool used in financial scam and data theft. 
From cbc133e0c744cbf4ca75ee72065a82d6ef222e3b Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Tue, 27 Feb 2024 12:04:15 +0000 Subject: [PATCH 028/146] Create Powershell_Wireless_Network_Connections.mkape --- .../Powershell_Wireless_Network_Connections.mkape | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 Modules/Windows/Powershell_Wireless_Network_Connections.mkape diff --git a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape new file mode 100644 index 000000000..459bd9fbb --- /dev/null +++ b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape @@ -0,0 +1,14 @@ +Description: Extract Wireless Network Connections details via powershell +Category: LiveResponse +Author: Vito Alfano +Version: 1.0 +Id: 5021953e-b8b8-482d-8d23-a0f901dff84d +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: (netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name=”$name” key=clear)} | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize > %destinationDirectory%\Wireless_Network.txt + ExportFormat: txt + +# Documentation +# From f846164a7254ec7871a37672694ec1cd556fa1d1 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Tue, 27 Feb 2024 12:07:50 +0000 Subject: [PATCH 029/146] Update Powershell_Wireless_Network_Connections.mkape --- Modules/Windows/Powershell_Wireless_Network_Connections.mkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape index 459bd9fbb..9b46a7346 100644 
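Review bot: The output of this module is a plaintext credential dump: `netsh wlan show profile name=”$name” key=clear` reveals every saved Wi-Fi key and the PSCustomObject writes it to `%destinationDirectory%\Wireless_Network.txt` under a PASSWORD column, yet neither the Description nor the empty `# Documentation` block says so. A comment such as `# Output contains cleartext Wi-Fi pre-shared keys; treat the collection as credential material` belongs in the documentation section, and the Description could read `Extract saved wireless profiles and keys (cleartext) via PowerShell`. Two further caveats worth documenting: `key=clear` only returns the key when run from an elevated context (confirm on the target build), and the `Key Content\W+\:(.+)$` and `\:(.+)$` patterns are written against the English netsh output, so on other locales the PASSWORD column will be empty. The same CommandLine is carried into the next commit's `-Command "..."` wrapper, so the note applies there too.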
--- a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape +++ b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape @@ -7,8 +7,8 @@ ExportFormat: txt Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: (netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name=”$name” key=clear)} | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize > %destinationDirectory%\Wireless_Network.txt + CommandLine: -Command "(netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name=”$name” key=clear)} | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize > %destinationDirectory%\Wireless_Network.txt" ExportFormat: txt # Documentation -# +# From 8253a492e76584a461fd0ad12f3266c143fb6dc5 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 27 Feb 2024 08:33:53 -0500 Subject: [PATCH 030/146] Update Powershell_Wireless_Network_Connections.mkape --- Modules/Windows/Powershell_Wireless_Network_Connections.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape index 9b46a7346..471a30475 100644 --- a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape +++ b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape @@ -11,4 +11,4 @@ Processors: ExportFormat: txt # Documentation -# +# N/A From bca4bf102d3e0e96c698e80d2070ffed05746a09 Mon Sep 17 00:00:00 2001 
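Review bot: The new `-Command "..."` wrapper still launches powershell.exe with profile scripts enabled, so on a compromised host any attacker-controlled `profile.ps1` runs before the collection pipeline; a live-response module should start with `CommandLine: -NoProfile -NonInteractive -Command "..."`. The wrapper also only parses because the inner string delimiters are Unicode curly quotes (`“ ”`), which PowerShell accepts as quotes but the outer `"..."` does not — that breaks as soon as an editor or copy/paste normalises them to ASCII. Moving the pipeline into a script invoked with `-NoProfile -File`, or passing it via `-EncodedCommand`, removes the dependency on that quoting accident.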
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 6 Mar 2024 03:24:48 -0500 Subject: [PATCH 031/146] Update and rename AssetAdvisorLog.tkape to SCCMClientLogs.tkape --- Targets/Windows/AssetAdvisorLog.tkape | 16 ---------------- Targets/Windows/SCCMClientLogs.tkape | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 16 deletions(-) delete mode 100644 Targets/Windows/AssetAdvisorLog.tkape create mode 100644 Targets/Windows/SCCMClientLogs.tkape diff --git a/Targets/Windows/AssetAdvisorLog.tkape b/Targets/Windows/AssetAdvisorLog.tkape deleted file mode 100644 index 67f32b4b4..000000000 --- a/Targets/Windows/AssetAdvisorLog.tkape +++ /dev/null @@ -1,16 +0,0 @@ -Description: Asset Advisor Log -Author: Andrew Rathbun -Version: 1.0 -Id: 700413f8-703b-44fb-9192-8830ac84b6b0 -RecreateDirectories: true -Targets: - - - Name: Asset Advisor Log - Category: Executables - Path: C:\Windows\CCM\Logs\AssetAdvisor.log - FileMask: EncapsulationLogging.hve - -# Documentation -# I have seen reference to malicious binaries associated with a user in this log -# Sample log entry -# ]LOG]!> diff --git a/Targets/Windows/SCCMClientLogs.tkape b/Targets/Windows/SCCMClientLogs.tkape new file mode 100644 index 000000000..86360baba --- /dev/null +++ b/Targets/Windows/SCCMClientLogs.tkape @@ -0,0 +1,18 @@ +Description: SCCM Client Log Files +Author: Andrew Rathbun +Version: 1.0 +Id: 700413f8-703b-44fb-9192-8830ac84b6b0 +RecreateDirectories: true +Targets: + - + Name: SCCM Client Log Files + Category: Logs + Path: C:\Windows\CCM\Logs + +# Documentation +# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/about-log-files#locating-log-files +# Previous version of this Target: https://github.com/EricZimmerman/KapeFiles/commit/2199b6b7749b2f066e9f54a16626160279ab7948 +# +# I have seen reference to malicious binaries associated with a user in a log found in this folder +# Sample log entry: +# ]LOG]!> 
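Review bot: The sample log entry in the new SCCMClientLogs.tkape documentation is truncated to `]LOG]!>`, which tells the reader nothing about what to look for; SCCM client logs use the CMTrace format (`<![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="..." thread="..." file="...>`), and the comment should show one complete line, with the malicious-binary reference redacted, and name the log file it came from. The target now collects all of `C:\Windows\CCM\Logs` with no `FileMask`, which also picks up rotated `*.lo_` files alongside the current `*.log` ones if present — worth a `Comment:` so analysts know to parse both. `C:\Windows\CCM\Logs` is the default client log location only; a note that the path is configurable (per the linked Microsoft page) would help.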
From 117b67a1acc1b54c6a2928c780f78f42ba87565d Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 6 Mar 2024 03:25:34 -0500 Subject: [PATCH 032/146] Update SCCMClientLogs.tkape remove trailing space --- Targets/Windows/SCCMClientLogs.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/SCCMClientLogs.tkape b/Targets/Windows/SCCMClientLogs.tkape index 86360baba..3ec369431 100644 --- a/Targets/Windows/SCCMClientLogs.tkape +++ b/Targets/Windows/SCCMClientLogs.tkape @@ -5,7 +5,7 @@ Id: 700413f8-703b-44fb-9192-8830ac84b6b0 RecreateDirectories: true Targets: - - Name: SCCM Client Log Files + Name: SCCM Client Log Files Category: Logs Path: C:\Windows\CCM\Logs From 547202dc84484ca2e09268a4e06a6716803dab09 Mon Sep 17 00:00:00 2001 From: maxk77 Date: Sun, 10 Mar 2024 12:27:00 -0700 Subject: [PATCH 033/146] Create Ese2csv_SRUM.mkape --- Modules/Apps/GitHub/Ese2csv_SRUM.mkape | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100755 Modules/Apps/GitHub/Ese2csv_SRUM.mkape diff --git a/Modules/Apps/GitHub/Ese2csv_SRUM.mkape b/Modules/Apps/GitHub/Ese2csv_SRUM.mkape new file mode 100755 index 000000000..e00005a8e --- /dev/null +++ b/Modules/Apps/GitHub/Ese2csv_SRUM.mkape 
@@ -0,0 +1,18 @@ +Description: 'Ese2csv: Parsing SRUM Database' +Category: SRUMDatabase +Author: Max Ye +Version: 1.0 +Id: 852b64c1-fd0e-47ec-8aa4-0994dbf5d8d1 +BinaryUrl: https://github.com/MarkBaggett/ese-analyst/archive/master.zip +ExportFormat: csv +Processors: + - + Executable: ese-analyst\ese2csv.exe + CommandLine: -o %destinationDirectory% -p srudb_plugin --plugin-args "%sourceDirectory%\Windows\System32\config\SOFTWARE" -- "%sourceDirectory%\Windows\System32\sru\SRUDB.dat" + ExportFormat: csv + +# Documentation +# https://github.com/MarkBaggett/ese-analyst +# Create a folder "ese-analyst" within the "Modules\bin" KAPE folder +# Place both files "ese2csv.exe" and "srudb_plugin.py" into "Modules\bin\ese-analyst" +# When using this module, the module source should be set to OS drive root directory (e.g. C:\), because parameters use abosulte paths From cf88e95ea2d10c6de33ba55dbd3ad61d3d6ede3b Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Sun, 10 Mar 2024 15:58:36 -0400 Subject: [PATCH 034/146] Update Ese2csv_SRUM.mkape fix spelling errors and some formatting --- Modules/Apps/GitHub/Ese2csv_SRUM.mkape | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/Apps/GitHub/Ese2csv_SRUM.mkape b/Modules/Apps/GitHub/Ese2csv_SRUM.mkape index e00005a8e..55398a24e 100755 --- a/Modules/Apps/GitHub/Ese2csv_SRUM.mkape +++ b/Modules/Apps/GitHub/Ese2csv_SRUM.mkape 
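Review bot: `BinaryUrl` points at `archive/master.zip`, an unpinned moving target: whatever is on the default branch when an analyst follows the link is what lands in `Modules\bin` and runs against evidence, with no version or hash to compare against. Pin it to a tag or commit (`BinaryUrl: https://github.com/MarkBaggett/ese-analyst/archive/<commit>.zip`) and record the expected SHA-256 of `ese2csv.exe` in the documentation. The documentation also tells the reader to place `ese2csv.exe` and `srudb_plugin.py` in the bin folder, but a branch source archive does not necessarily contain a compiled `ese2csv.exe` (confirm); say where the executable actually comes from so the module is reproducible.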
@@ -13,6 +13,6 @@ Processors: # Documentation # https://github.com/MarkBaggett/ese-analyst -# Create a folder "ese-analyst" within the "Modules\bin" KAPE folder -# Place both files "ese2csv.exe" and "srudb_plugin.py" into "Modules\bin\ese-analyst" -# When using this module, the module source should be set to OS drive root directory (e.g. C:\), because parameters use abosulte paths +# Create a folder "ese-analyst" within the ".\KAPE\Modules\bin" folder +# Place both files "ese2csv.exe" and "srudb_plugin.py" into ".\KAPE\Modules\bin\ese-analyst" +# When using this Module, the Module source should be set to OS drive root directory (e.g. C:\), because parameters use absolute paths From fa9fcfa696733bfaf160eaabd1f7d828581cf24e Mon Sep 17 00:00:00 2001 From: ranger910 Date: Tue, 12 Mar 2024 10:42:48 -0400 Subject: [PATCH 035/146] Update ObsidianForensics_Hindsight.mkape Updated Commandline for json export format to use jsonl so that it matches the valid Hindsight export options --- Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape b/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape index 041645d6c..43f5ef87a 100644 --- a/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape +++ b/Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape @@ -12,7 +12,7 @@ Processors: ExportFormat: xlsx - Executable: hindsight.exe - CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f json + CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f jsonl ExportFormat: json # Documentation From 0239f608c9c7a811aad84dd319cd3e6962533b6c Mon Sep 17 00:00:00 2001 
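Review bot: The Hindsight processor now writes JSON Lines (`-f jsonl`) while the entry's `ExportFormat` still says `json`, so a user selecting the json export, and anything downstream expecting a single JSON document, receives one object per line instead. Either use `ExportFormat: jsonl` if KAPE accepts that value (confirm), or add a comment on the entry, `# Hindsight emits JSON Lines (one record per line), not a single JSON document`.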
From: Chris-P-Bakin Date: Wed, 13 Mar 2024 20:08:21 -0400 Subject: [PATCH 036/146] Update 4KVideoDownloader.tkape Added Target for 4kVideoDownloader+ which is the latest version --- Targets/Apps/4KVideoDownloader.tkape | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Targets/Apps/4KVideoDownloader.tkape b/Targets/Apps/4KVideoDownloader.tkape index adae505ef..6116e0a8f 100644 --- a/Targets/Apps/4KVideoDownloader.tkape +++ b/Targets/Apps/4KVideoDownloader.tkape @@ -1,6 +1,6 @@ Description: 4K Video Downloader Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: e33d4392-459b-459e-82e0-d9c624adbfbc RecreateDirectories: true Targets: @@ -10,6 +10,12 @@ Targets: Path: C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader FileMask: "*.sqlite" Comment: "Grabs database(s) that stores user download history" + - + Name: 4K Video Downloader+ + Category: Apps + Path: C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader+\4K Video Downloader+ + FileMask: "*.sqlite" + Comment: "Grabs database(s) that stores user download history" # Documentation # https://www.4kdownload.com/products/product-videodownloader From 10ae1339db0d07e4dd9b66d81350d7b4f6b7f9d7 Mon Sep 17 00:00:00 2001 From: Chris-P-Bakin Date: Wed, 13 Mar 2024 23:23:42 -0400 Subject: [PATCH 037/146] Added Target for Notion Note-Taking App Notion is a popular note-taking/productivity app. The Windows app for Notion stores all pages, tables, users, etc. in a sqlite database. Created new Target for Notion's notion.db as well as the user's custom dictionary. Updated the compound target, 'SQLiteDatabases' to include the new Notion database. --- Targets/Apps/Notion.tkape | 25 +++++++++++++++++++++++++ Targets/Compound/SQLiteDatabases.tkape | 7 +++++++ 2 files changed, 32 insertions(+) create mode 100644 Targets/Apps/Notion.tkape diff --git a/Targets/Apps/Notion.tkape b/Targets/Apps/Notion.tkape new file mode 100644 index 000000000..df21279f4 --- /dev/null 
+++ b/Targets/Apps/Notion.tkape @@ -0,0 +1,25 @@ +Description: Notion Note-Taking App +Author: Thomas Burnette +Version: 1.0 +Id: 95afe81f-6301-4a7f-996b-c69443e7c2d9 +RecreateDirectories: true +Targets: + - + Name: Notion Local Storage + Category: App + Path: C:\Users\%user%\AppData\Roaming\Notion + FileMask: 'notion.db' + Comment: "Local storage file containing all pages, databases, users, etc." + + - + Name: Notion Custom Dictionary + Category: App + Path: C:\Users\%user%\AppData\Roaming\Notion\Partitions\notion + FileMask: 'Custom Dictionary.txt' + +# Documentation +# Notion is a freemium productivity and note-taking app. It includes organizational tools such as task management, project tracking, to-do lists, and bookmarking. +# When using the Notion app for Windows, Notion stores all pages, users, databases, etc. in a sqlite database, notion.db. +# This includes creation and modification timestamps for all entries. +# Additionaly, Notion stores the user's Custom Dictionary in a text file. +# https://www.notion.so/ \ No newline at end of file diff --git a/Targets/Compound/SQLiteDatabases.tkape b/Targets/Compound/SQLiteDatabases.tkape index 8c1b369cd..2be487310 100644 --- a/Targets/Compound/SQLiteDatabases.tkape +++ b/Targets/Compound/SQLiteDatabases.tkape @@ -73,6 +73,13 @@ Targets: Category: SQLDatabases Path: C:\Users\%user%\AppData\Roaming\TeraCopy\ FileMask: main.db + + # Apps - Notion - Notion.tkape + - + Name: Notion Local Storage + Category: App + Path: C:\Users\%user%\AppData\Roaming\Notion + FileMask: 'notion.db' # Cloud Storage - Dropbox - Dropbox_Metadata.tkape From 5a4d94d099f198d85e444873965af663170f85a5 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 13 Mar 2024 23:35:47 -0400 Subject: [PATCH 038/146] Update Notion.tkape add newline --- Targets/Apps/Notion.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
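Review bot: `FileMask: 'notion.db'` on the Notion Local Storage entry collects only the main database file and will miss a `notion.db-wal` / `notion.db-shm` pair if the app runs SQLite in WAL mode (common for Electron apps — confirm), in which case the most recent pages and edits live only in the WAL and the copied database is stale or fails integrity checks; `FileMask: 'notion.db*'` covers both, and the same change applies to the SQLiteDatabases compound entry in this commit. `Category: App` also diverges from the `Apps` category the other application targets in this series use, which controls the output folder name. `Additionaly` in the documentation should read `Additionally`.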
diff --git a/Targets/Apps/Notion.tkape b/Targets/Apps/Notion.tkape index df21279f4..1d56a8972 100644 --- a/Targets/Apps/Notion.tkape +++ b/Targets/Apps/Notion.tkape @@ -22,4 +22,4 @@ Targets: # When using the Notion app for Windows, Notion stores all pages, users, databases, etc. in a sqlite database, notion.db. # This includes creation and modification timestamps for all entries. # Additionaly, Notion stores the user's Custom Dictionary in a text file. -# https://www.notion.so/ \ No newline at end of file +# https://www.notion.so/ From 9a761712173d258e19b3c6d975154f3f30e20d2e Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 13 Mar 2024 23:36:48 -0400 Subject: [PATCH 039/146] Update SQLiteDatabases.tkape remove trailing spaces --- Targets/Compound/SQLiteDatabases.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Compound/SQLiteDatabases.tkape b/Targets/Compound/SQLiteDatabases.tkape index 2be487310..eaad4a882 100644 --- a/Targets/Compound/SQLiteDatabases.tkape +++ b/Targets/Compound/SQLiteDatabases.tkape @@ -73,7 +73,7 @@ Targets: Category: SQLDatabases Path: C:\Users\%user%\AppData\Roaming\TeraCopy\ FileMask: main.db - + # Apps - Notion - Notion.tkape - Name: Notion Local Storage From d3c1255f336660ca4c3bebd81a5df248a7e9471a Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 13 Mar 2024 23:38:13 -0400 Subject: [PATCH 040/146] Update Notion.tkape spelling error fix, rearrange documentation a bit --- Targets/Apps/Notion.tkape | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Targets/Apps/Notion.tkape b/Targets/Apps/Notion.tkape index 1d56a8972..4bc6c8620 100644 --- a/Targets/Apps/Notion.tkape +++ b/Targets/Apps/Notion.tkape 
@@ -10,7 +10,6 @@ Targets: Path: C:\Users\%user%\AppData\Roaming\Notion FileMask: 'notion.db' Comment: "Local storage file containing all pages, databases, users, etc." - - Name: Notion Custom Dictionary Category: App @@ -18,8 +17,8 @@ Targets: FileMask: 'Custom Dictionary.txt' # Documentation +# https://www.notion.so/ # Notion is a freemium productivity and note-taking app. It includes organizational tools such as task management, project tracking, to-do lists, and bookmarking. -# When using the Notion app for Windows, Notion stores all pages, users, databases, etc. in a sqlite database, notion.db. +# When using the Notion app for Windows, Notion stores all pages, users, databases, etc. in a SQLite database, notion.db. # This includes creation and modification timestamps for all entries. -# Additionaly, Notion stores the user's Custom Dictionary in a text file. -# https://www.notion.so/ +# Additionally, Notion stores the user's Custom Dictionary in a text file. From 51ffdbecea9424dbbbfa87f23c7711cd01813ecf Mon Sep 17 00:00:00 2001 From: Andrew Rathbun Date: Wed, 13 Mar 2024 23:45:18 -0400 Subject: [PATCH 041/146] update Guides and Templates with better comments re: GUID --- Modules/CompoundModuleGuide.guide | 3 +-- Modules/CompoundModuleTemplate.template | 2 +- Modules/ModuleGuide.guide | 2 +- Modules/ModuleTemplate.template | 2 +- 4 files changed, 4 insertions(+), 5 deletions(-) diff --git a/Modules/CompoundModuleGuide.guide b/Modules/CompoundModuleGuide.guide index de125ea21..b3fbe0388 100644 --- a/Modules/CompoundModuleGuide.guide +++ b/Modules/CompoundModuleGuide.guide 
@@ -2,8 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored Author: FirstName LastName # Make sure you get credit for your work Version: 1.0 # Required, iterate as necessary -Id: b407d036-eef7-47ba-bd82-5fd5785e1af8 # Required, unique GUID is required for every KAPE Target/Module -BinaryUrl: https://url.goes.here.com # Required +Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required ExportFormat: csv # Required FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module Processors: diff --git a/Modules/CompoundModuleTemplate.template b/Modules/CompoundModuleTemplate.template index bcebf7544..99f61df8b 100644 --- a/Modules/CompoundModuleTemplate.template +++ b/Modules/CompoundModuleTemplate.template @@ -2,7 +2,7 @@ Description: Name of application/artifact here Category: Misc Author: FirstName LastName Version: 1.0 -Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea +Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea # Change this, and delete this comment before merging, please BinaryUrl: https://url.goes.here.com ExportFormat: csv FileMask: FileName.exe diff --git a/Modules/ModuleGuide.guide b/Modules/ModuleGuide.guide index c9c2345b4..7d829001e 100644 --- a/Modules/ModuleGuide.guide +++ b/Modules/ModuleGuide.guide 
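Review bot: The replacement `Id:` line in CompoundModuleGuide.guide swallowed the `BinaryUrl:` line — the new text reads `... Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required` on one line, and the diffstat (1 insertion, 2 deletions) confirms a line was lost — so the guide now omits a field it labels required and shows a broken example. Split it back into two lines: `Id: Unique GUID here # Required, generate within gKape ... Or, run kape.exe --guid` followed by `BinaryUrl: https://url.goes.here.com # Required`.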
@@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored Author: FirstName LastName # Make sure you get credit for your work Version: 1.0 # Required, iterate as necessary -Id: 0256a455-1248-4e30-8175-727679189ddd # Required, unique GUID is required for every KAPE Target/Module +Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guid BinaryUrl: https://url.goes.here.com ExportFormat: csv # Required, this is the default ExportFormat in the instance the user chooses a format that is not listed below, or simply chooses Default within gkape WaitTimeout: 0 # Optional, this specifies the number of minutes KAPE should wait for a Module to finish diff --git a/Modules/ModuleTemplate.template b/Modules/ModuleTemplate.template index 1f5c0fbc0..b7cd70a76 100644 --- a/Modules/ModuleTemplate.template +++ b/Modules/ModuleTemplate.template @@ -2,7 +2,7 @@ Description: Name of application/artifact here Category: Misc Author: FirstName LastName Version: 1.0 -Id: a2231a4c-3bdf-4254-a2ab-06021789d1b0 +Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbef # Change this, and delete this comment before merging, please BinaryUrl: https://url.goes.here.com ExportFormat: csv FileMask: FileName.exe From 3100e346a95669bfc8648bc8ea6f4971ef8a5542 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Velschow=20S=C3=B8gaard?= <46562365+seba7236@users.noreply.github.com> Date: Fri, 15 Mar 2024 18:21:34 +0100 Subject: [PATCH 042/146] Update EdgeChromium.tkape This should fix it so the Cookies are collected from Edge, and not just from Chrome --- Targets/Browsers/EdgeChromium.tkape | 1 + 1 file changed, 1 insertion(+) diff --git a/Targets/Browsers/EdgeChromium.tkape b/Targets/Browsers/EdgeChromium.tkape index ff36a8922..1cc4d49f2 100644 
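Review bot: The ModuleTemplate placeholder `Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbef` is one hex digit away from the CompoundModuleTemplate placeholder `...dbea`, so a contributor who copies the template and ignores the comment produces a valid-looking Id that collides only with other forgotten copies; an obviously invalid placeholder such as `00000000-0000-0000-0000-000000000000` is easier to catch in review and in any duplicate-GUID check (confirm that the template is not itself parsed as a live Module). The `# Change this, and delete this comment before merging, please` comment is a good prompt; keep it alongside the placeholder.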
--- a/Targets/Browsers/EdgeChromium.tkape +++ b/Targets/Browsers/EdgeChromium.tkape @@ -18,6 +18,7 @@ Targets: Name: Edge Cookies Category: Communications Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\ + Recursive: true FileMask: Cookies* - Name: Edge Current Session From d93504cd97e7b8b5fe64acc95055cf9bcbdf5827 Mon Sep 17 00:00:00 2001 From: Chris-P-Bakin Date: Fri, 15 Mar 2024 21:08:53 -0400 Subject: [PATCH 043/146] Add Target for ISLOnline Remote Access Tool - Created new Target, ISLOnline.tkape, for ISLOnline, a remote access tool. - https://www.islonline.com/us/en/ - Updated RemoteAdmin.tkape to include ISLOnline.tkape --- Targets/Apps/ISLOnline.tkape | 64 ++++++++++++++++++++++++++++++ Targets/Compound/RemoteAdmin.tkape | 4 ++ 2 files changed, 68 insertions(+) create mode 100644 Targets/Apps/ISLOnline.tkape diff --git a/Targets/Apps/ISLOnline.tkape b/Targets/Apps/ISLOnline.tkape new file mode 100644 index 000000000..414753095 --- /dev/null +++ b/Targets/Apps/ISLOnline.tkape 
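Review bot: `Recursive: true` on the Edge Cookies entry reaches the cookie store by walking every subfolder of every profile with the `Cookies*` mask, rather than naming the folder where current Chromium builds keep it (`User Data\<profile>\Network\Cookies` — confirm for the Edge versions in scope). A dedicated entry with `Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Network\` and `FileMask: Cookies*` documents the reason and avoids the recursive walk. If the recursive form is kept, add `Comment: "Recursive to catch the Network\Cookies location used by newer Edge builds"` so the next reader does not need the commit message.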
@@ -0,0 +1,64 @@ +Description: ISLOnline Remote Access Tool +Author: Thomas Burnette +Version: 1.0 +Id: cf494b12-b096-43cf-99a7-c8031fc801b1 +RecreateDirectories: true +Targets: + - + Name: ISLOnline Logs - Sessions - *.out + Category: Communications + Path: C:\Users\%user%\AppData\Local\ISL Online Cache\ISL Light Client\*\ + FileMask: 'ISLClient.out' + Comment: "Collects client session logs for one or more sessions" + - + Name: ISLOnline Logs - Session Configurations + Category: Communications + Path: C:\Users\%user%\AppData\Local\ISL Online Cache\ISL Light Client\*\conf\ + FileMask: '*' + Comment: "Configurations for ISL Light sessions" + - + Name: ISL AlwaysOn Logs - Sessions List + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\ + FileMask: 'session.xml' + Comment: "Collects an xml file listing all sessions for ISL AlwaysOn (Unattended Access)" + - + Name: ISL AlwaysOn Logs - Sessions + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*\ + FileMask: 'trace.out' + Comment: "Detailed log for each session for ISL AlwaysOn (Unattended Access)" + - + Name: ISL AlwaysOn - App Logs + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\ + FileMask: '*.out' + Comment: "Application logs containg various artifacts." 
+ - + Name: ISL Light Logs - Sessions + Category: Communications + Path: C:\Users\%user%\AppData\Local\ISL Online Cache\ISL Light\*\ + FileMask: 'trace.out' + Comment: "Collects client session logs for one or more sessions" + - + Name: ISL AlwaysOn - Email Configuration + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\status\ + FileMask: 'tray' + Comment: "This file includes the email of the logged in user for ISL AlwaysOn (Unattended Access)" + - + Name: ISL AlwaysOn - Configuration + Category: Communications + Path: C:\Program Files (x86)\ISL Online\ISL AlwaysOn\ + FileMask: 'StaticConfiguration.ini' + Comment: "Configuration information (port, http/htpps) for ISL AlwaysOn (Unattended Access)" + +# Documentation +# https://www.islonline.com/us/enus/ +# https://www.anomali.com/blog/anomali-cyber-watch-earth-kitsune-uses-chrome-native-messaging-for-persistence-wip26-targets-middle-east-telco-from-abused-clouds-azerbaijan-sponsored-group-geofenced-its-payloads-to-armenian-ips +# https://www.bleepingcomputer.com/news/security/coinbase-cyberattack-targeted-employees-with-fake-sms-alert/ +# ISL Online is a remote access tool with several methods of connecting to clients. ISL Light allows for installed or run once clients. +# ISL AlwaysOn allows for unattended access to clients and requires elevated privileges to install the ISL Online client. +# Forensic artifacts vary based on method of use. +# One of the most common methods of connecting to a client is to ask them to navigate to islonline.net and enter a connection code which will then download a single use ISL client. +# The most useful artifacts are ISLClient.out, trace.out, and session.xml. With these files you can identify how many sessions occured, when they occurred, as well as what took place (ie. file transfers in or out) diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index e542a0070..c8939bfc0 100644 
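Review bot: All ISL AlwaysOn paths are rooted at `C:\Program Files (x86)\ISL Online\`, so a 64-bit install under `C:\Program Files\ISL Online\` (if the vendor ships one — confirm) would be missed entirely for the unattended-access artifacts the documentation calls most useful; add parallel entries or a note that only the 32-bit install path is covered. The documentation URL `https://www.islonline.com/us/enus/` differs from the `/us/en/` link in the commit message and looks mistyped. Comment typos: `containg` → `containing`, `htpps` → `https`, `occured` → `occurred`.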
--- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -24,6 +24,10 @@ Targets: Name: DWAgent Category: ApplicationLogs Path: DWAgent.tkape + - + Name: ISLOnline + Category: ApplicationLogs + Path: ISLOnline.tkape - Name: Kaseya Category: ApplicationLogs From f18d71cdc22287911d2d571c0d1b3c9b512d1e1a Mon Sep 17 00:00:00 2001 From: Chris-P-Bakin Date: Sun, 17 Mar 2024 10:31:15 -0400 Subject: [PATCH 044/146] Added Target for Idrive Backup - Added new target to pull files related to Idrive backup solution. - Updated compound target SQLiteDatabases.tkape to include SQLite databases used by Idrive. --- Targets/Apps/Idrive.tkape | 100 +++++++++++++++++++++++++ Targets/Compound/SQLiteDatabases.tkape | 6 ++ 2 files changed, 106 insertions(+) create mode 100644 Targets/Apps/Idrive.tkape diff --git a/Targets/Apps/Idrive.tkape b/Targets/Apps/Idrive.tkape new file mode 100644 index 000000000..823344bf1 --- /dev/null +++ b/Targets/Apps/Idrive.tkape 
@@ -0,0 +1,100 @@ +Description: Idrive Backup Artifacts +Author: Thomas Burnette +Version: 1.0 +Id: d5f9d7ac-4b34-47ad-beda-123c6f9cf73e +RecreateDirectories: true +Targets: + - + Name: Idrive Cleanup Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Archive Cleanup\ + Recursive: true + FileMask: "*" + Comment: "Contains individual log files for each archive cleanup operation" + - + Name: Idrive Backup Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Backup\ + Recursive: true + FileMask: "*" + Comment: "Contains individual log files for each backup operation" + - + Name: Idrive Delete Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Delete\ + Recursive: true + FileMask: "*" + Comment: "Contains individual log files for each delete operation" + - + Name: Idrive Restore Operations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\Restore\ + FileMask: "*" + Comment: "Contains individual log files for each restore operation" + - + Name: Idrive Backup Summary + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Session\LOGXML\ + FileMask: "*xml" + Comment: "Contains summary of each backup session" + - + Name: Idrive Tracefile + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\Tracefile.txt + FileMask: "Tracefile.txt" + Comment: "Application log which includes error logs for failed uploads" + - + Name: Idrive Mapped Drives + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "IDMappedDrives.txt" + Comment: "List of mapped drives for backup" + - + Name: Idrive Backup Schedule + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "schedule.xml" + Comment: "Backup schedule configurations" + - + Name: Idrive Schedule History + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "Sch_Trace.txt" + Comment: "History of schedule configurations" + - + Name: Idrive Configuration + Category: Apps + Path: 
C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "idrive.ini" + Comment: "List of Idrive configuration options" + - + Name: Idrive Local Drives + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "get_Alldrives.txt" + Comment: "List of all local drives" + - + Name: Idrive Exclusion Configurations + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "Exclude*" + Comment: "Files pertaining to exclusion configurations" + - + Name: Idrive User Details + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\ + FileMask: "AutoComp.ini" + Comment: "Idrive username, Scheduler notification emails, local username" + - + Name: Idrive SQL Databse + Category: Apps + Path: C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\ + FileMask: "*.ibds" + Comment: "Sql database of local files that are backed up" + +# Documentation +# https://www.idrive.com/ +# IDrive provides Online cloud Backup for PCs, Macs, iPhones, Android and other Mobile Devices. +# The most important files are likely to be the log files locatd in C:\ProgramData\IDrive\IBCOMMON\*\Session\Backup\*. +# A new log file is created for each backup session and contains the file name, directory, file size, and time of backup for each file as well as a backup summary. +# The next most important file is likely to be C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.ibds, which is a Sqlite database that contains the file name, directory, and file size of files that are backed up from a local drive. diff --git a/Targets/Compound/SQLiteDatabases.tkape b/Targets/Compound/SQLiteDatabases.tkape index eaad4a882..24c36d63a 100644 --- a/Targets/Compound/SQLiteDatabases.tkape +++ b/Targets/Compound/SQLiteDatabases.tkape 
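Review bot: The Idrive Tracefile entry puts the file name in `Path` (`C:\ProgramData\IDrive\IBCOMMON\*\Tracefile.txt`) and then repeats it in `FileMask`; every other `Path` in this file is a directory, so this entry is likely to match nothing — use `Path: C:\ProgramData\IDrive\IBCOMMON\*\` with `FileMask: "Tracefile.txt"`. Idrive Restore Operations is the only `Session\` entry without `Recursive: true`, which reads as an omission next to its siblings. `AutoComp.ini` is described as holding the IDrive username and notification e-mail addresses; a Comment marking it as account-identifying data helps whoever handles the output. Typos: `Databse` → `Database`, `locatd` → `located`.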
@@ -80,6 +80,12 @@ Targets: Category: App Path: C:\Users\%user%\AppData\Roaming\Notion FileMask: 'notion.db' + # Apps - Idrive - Idrive.tkape + - + Name: IDrive Backed Up Files + Category: App + Path: C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\ + FileMask: '*.idbs' # Cloud Storage - Dropbox - Dropbox_Metadata.tkape From 7863230ff4c8a7d6df0f8501d3ed437aea547fcf Mon Sep 17 00:00:00 2001 From: Chris-P-Bakin Date: Sun, 17 Mar 2024 11:14:03 -0400 Subject: [PATCH 045/146] Update CloudStorage_All.tkape Added target for Idrive cloud backup --- Targets/Compound/CloudStorage_All.tkape | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Targets/Compound/CloudStorage_All.tkape b/Targets/Compound/CloudStorage_All.tkape index 07692390a..4dc536d4a 100644 --- a/Targets/Compound/CloudStorage_All.tkape +++ b/Targets/Compound/CloudStorage_All.tkape @@ -1,6 +1,6 @@ Description: Cloud Storage Contents and Metadata Author: Chad Tilbury and Andrew Rathbun -Version: 1.3 +Version: 1.4 Id: 63c7ff1e-0fcb-45ae-9d72-29bf8458b6db RecreateDirectories: true Targets: @@ -32,6 +32,10 @@ Targets: Name: CloudStorage Metadata Category: Apps Path: CloudStorage_Metadata.tkape + - + Name: Idrive Backup + Category: Apps + Path: Idrive.tkape # Documentation # For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_online_backup_services. From e4b74a7127964ad7ba9aed179e46bdd6256b3b67 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Mon, 18 Mar 2024 10:20:57 +0000 Subject: [PATCH 046/146] Create Windows_Notepad.tkape --- Targets/Apps/Windows_Notepad.tkape | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Targets/Apps/Windows_Notepad.tkape diff --git a/Targets/Apps/Windows_Notepad.tkape b/Targets/Apps/Windows_Notepad.tkape new file mode 100644 index 000000000..ad6bfd0d5 --- /dev/null +++ b/Targets/Apps/Windows_Notepad.tkape 
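Review bot: The compound entry uses `FileMask: '*.idbs'` while Idrive.tkape and its documentation use `*.ibds` for the same `LDBNEW` databases; one of the two is wrong and the compound target will silently collect nothing for IDrive. Align the mask with whichever extension IDrive actually writes — the standalone target uses `*.ibds` in both the entry and the documentation, so `FileMask: '*.ibds'` is the likely fix — and consider `'*.ibds*'` so any SQLite WAL/journal sidecar is collected with it.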
@@ -0,0 +1,15 @@ +Description: Microsoft Windows 11 Notepad history +Author: Vito Alfano +Version: 1.0 +Id: 531d8631-b3ac-4bc2-b2e6-5f31442efb94 +RecreateDirectories: true +Targets: + - + Name: Notepad Tab State Folder + Category: App + Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\ + FileMask: "*.bin" + Comment: "Collecting Windows 11 Notepad tabs history files" + +# Documentation +# https://twitter.com/nas_bench/status/1725658060104913019 From 98845740356d63081b4ddcc07c443d65297e3c00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Velschow=20S=C3=B8gaard?= <46562365+seba7236@users.noreply.github.com> Date: Tue, 19 Mar 2024 22:34:11 +0100 Subject: [PATCH 047/146] Create Vivaldi.tkape Created Target-File for Vivaldi browser, targeting the default directory --- Targets/Browsers/Vivaldi.tkape | 99 ++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 Targets/Browsers/Vivaldi.tkape diff --git a/Targets/Browsers/Vivaldi.tkape b/Targets/Browsers/Vivaldi.tkape new file mode 100644 index 000000000..4dc1d3c6e --- /dev/null +++ b/Targets/Browsers/Vivaldi.tkape 
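Review bot: This target points at the same Windows 11 Notepad `TabState` folder and `*.bin` mask as the existing `Targets/Windows/Notepad.tkape` (confirm), so it duplicates an artifact already collected, doubles the output and lets the two definitions drift; fold any extra documentation into the existing target instead of adding a second file. If it stays, `Category: App` differs from the `Windows` placement a built-in component gets elsewhere in the tree. The TabState files hold unsaved tab contents, which in practice can include credentials or other sensitive text a user pasted into Notepad; a Comment saying so tells the analyst what the output may contain.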
@@ -0,0 +1,99 @@ +Description: Vivaldi Artifacts +Author: Sebastian Søgaard +Version: 1.0 +Id: 27893cda-f3c7-47df-aacd-2682d49a19e5 +RecreateDirectories: true +Targets: + - + Name: Vivaldi Cookies + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + Recursive: true + FileMask: Cookies* + - + Name: Vivaldi Network Persistent State + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + Recursive: true + FileMask: Network Persistent State + - + Name: Vivaldi Favicons + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Favicons* + - + Name: Vivaldi History + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: History* + - + Name: Vivaldi Sessions Folder + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\Sessions\ + Recursive: false + - + Name: Vivaldi Login Data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Login Data + - + Name: Vivaldi Network Action Predictor + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Network Action Predictor + - + Name: Vivaldi Preferences + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Preferences + - + Name: Vivaldi Top Sites + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Top Sites* + - + Name: Vivaldi Bookmarks + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Bookmarks* + - + Name: Vivaldi Visited Links + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Visited Links + - + Name: Vivaldi Web Data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Web Data* + - + Name: Vivaldi User Tracking + Category: 
Communications + Path: C:\Users\%user%\ + FileMask: .vivaldi_reporting_data* + - + Name: Vivaldi Calendar + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Calendar* + - + Name: Vivaldi Contacts + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Contacts* + - + Name: Vivaldi Notes + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: Notes* + - + Name: Vivaldi Download Metadata + Category: Communications + Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\*\ + FileMask: DownloadMetadata* + + +# Documentation +# For vivaldi user tracking, see here: https://vivaldi.com/blog/how-we-count-our-users/ +# Vivaldi is Chromium, so the same artifacts can be found, however Vivaldi has a few unique ones +# Like "Notes" From 471a7e8dc3fa4a8e5a47f65bb68cc1ce619d4651 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Velschow=20S=C3=B8gaard?= <46562365+seba7236@users.noreply.github.com> Date: Wed, 20 Mar 2024 10:49:11 +0100 Subject: [PATCH 048/146] Create Yandex.tkape Created a targetfile for Yandex. It grabs the basics from the Yandex folder (Chromium artifacts basically) --- Targets/Browsers/Yandex.tkape | 86 +++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 Targets/Browsers/Yandex.tkape diff --git a/Targets/Browsers/Yandex.tkape b/Targets/Browsers/Yandex.tkape new file mode 100644 index 000000000..f2925719f --- /dev/null +++ b/Targets/Browsers/Yandex.tkape 
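Review bot: The Cookies and Login Data targets collect data that Chromium protects with DPAPI, but nothing in this file collects the key material needed to read it offline: the `Local State` file in `User Data\` (which carries the DPAPI-wrapped key for those databases) is not targeted, and the user's DPAPI master keys under `AppData\Roaming\Microsoft\Protect\` — which Chrome.tkape collects with the comment "Required for offline decryption" — are missing too. Yandex.tkape in the next commit has the same gap. The documentation block states Vivaldi is Chromium, so if it keeps the standard `User Data` layout the two targets below close it; please verify the `Local State` location on a Vivaldi install.
```yaml
# … unchanged: existing Vivaldi targets …
  -
    Name: Vivaldi Local State
    Category: Communications
    Path: C:\Users\%user%\AppData\Local\Vivaldi\User Data\
    FileMask: Local State
    Comment: "Holds the DPAPI-wrapped key that protects Cookies and Login Data"
  -
    Name: Vivaldi DPAPI Master Keys
    Category: Communications
    Path: C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\
    Recursive: true
    Comment: "Required for offline decryption"
# … unchanged: Documentation block …
```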
@@ -0,0 +1,86 @@ +Description: Yandex Artifacts +Author: Sebastian Søgaard +Version: 1.0 +Id: 32399a9d-d891-49cc-9919-fa45cbe63683 +RecreateDirectories: true +Targets: + - + Name: Yandex Cookies + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + Recursive: true + FileMask: Cookies* + - + Name: Yandex Network Persistent State + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + Recursive: true + FileMask: Network Persistent State + - + Name: Yandex Favicons + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Favicons* + - + Name: Yandex History + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: History* + - + Name: Yandex Sessions Folder + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\Sessions\ + Recursive: false + - + Name: Yandex Login Data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Ya Passman Data* + - + Name: Yandex Network Action Predictor + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Network Action Predictor + - + Name: Yandex Preferences + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Preferences + - + Name: Yandex Top Sites + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Top Sites* + - + Name: Yandex Bookmarks + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Bookmarks* + - + Name: Yandex Visited Links + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Visited Links + - + Name: Yandex Web Data + Category: Communications + 
Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Web Data* + - + Name: Yandex Autofill data + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Ya Autofill Data* + - + Name: Yandex Passman logs + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Passman Logs* + - + Name: Yandex Shortcuts + Category: Communications + Path: C:\Users\%user%\AppData\Local\Yandex\YandexBrowser\User Data\*\ + FileMask: Shortcuts* + +# Documentation +# N/A From 53bfbad3d03d5bf1587a3e070baed765d46e9429 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Velschow=20S=C3=B8gaard?= <46562365+seba7236@users.noreply.github.com> Date: Wed, 20 Mar 2024 22:41:22 +0100 Subject: [PATCH 049/146] Update WebBrowsers.tkape Adds Yandex and Vivaldi to Compound file for PR #918 and #919 --- Targets/Compound/WebBrowsers.tkape | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Targets/Compound/WebBrowsers.tkape b/Targets/Compound/WebBrowsers.tkape index 8aaa631ac..ac1fa07a3 100644 --- a/Targets/Compound/WebBrowsers.tkape +++ b/Targets/Compound/WebBrowsers.tkape @@ -36,6 +36,14 @@ Targets: Name: Brave Browser Category: Communications Path: BraveBrowser.tkape + - + Name: Yandex Browser + Category: Communications + Path: Yandex.tkape + - + Name: Vivaldi Browser + Category: Communications + Path: Vivaldi.tkape # Documentation # For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_web_browsers. From 2f9413716ae0e48f8ba021589ba128bfafc6e875 Mon Sep 17 00:00:00 2001 
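Review bot: The Documentation block is `# N/A` even though this file depends on Yandex-specific file names (`Ya Passman Data*`, `Ya Autofill Data*`, `Passman Logs*`) that cannot be checked against the Chromium defaults; a reference to where these names were observed, or at least the Yandex Browser version the paths were verified on, belongs there. A short `Comment:` on the Login Data, Autofill and Passman targets saying what each file holds would also help, because the Name alone (`Yandex Login Data`) does not match its mask (`Ya Passman Data*`).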
From: =?UTF-8?q?Sebastian=20Velschow=20S=C3=B8gaard?= <46562365+seba7236@users.noreply.github.com> Date: Fri, 22 Mar 2024 22:24:53 +0100 Subject: [PATCH 050/146] Create VisualStudioCode.tkape Created a Targetfile for Visual Studio Code --- Targets/Apps/VisualStudioCode.tkape | 58 +++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 Targets/Apps/VisualStudioCode.tkape diff --git a/Targets/Apps/VisualStudioCode.tkape b/Targets/Apps/VisualStudioCode.tkape new file mode 100644 index 000000000..5c367e47d --- /dev/null +++ b/Targets/Apps/VisualStudioCode.tkape 
@@ -0,0 +1,58 @@ +Description: Visual Studio Code artifacts +Author: Sebastian Søgaard +Version: 1.0 +Id: f90fe4ce-b349-4010-8d41-3b7b8273e5fe +RecreateDirectories: true +Targets: + - + Name: VSCode Opened Files + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\User\History\*\ + Recursive: true + Comment: "Grabs the files in the VSCode history. These are files the user has opened with VSCode" + - + Name: VSCode Workspaces + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\User\globalStorage\ + FileMask: storage.json* + Comment: "Grabs the file containing information about the users workspaces" + - + Name: VSCode User extensions + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\CachedExtensions\ + FileMask: user* + Comment: "Grabs the files relating to the users installed extensions" + - + Name: VSCode User settings + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\User\ + FileMask: settings.json* + Comment: "Grabs the file containing the settings the user has set." + - + Name: VSCode User Preferences + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\ + FileMask: preferences* + Comment: "Grabs the file containing the preferences the user has set." + - + Name: VSCode Network Cookies + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\Network\ + FileMask: Cookies* + Comment: "Grabs the cookie files. Same format as Chromium Cookies" + - + Name: VSCode Network Persistent State + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\Network\ + FileMask: Network Persistent State* + Comment: "Grabs the Network Persistent State file. Same format as in Chromium" + - + Name: VSCode Logs + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Code\logs\ + Recursive: true + Comment: "Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital." + + +# Documentation +# N/A From e95c43cb7fdbb44d81f91d755f9d109576b38ca1 Mon Sep 17 00:00:00 2001 
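Review bot: The Comment on `VSCode Opened Files` describes `User\History\*\` as "files the user has opened", but that folder is VS Code's Local History store, which keeps snapshot copies of edited file contents plus an `entries.json` index per file — so the target collects file contents, not a list of opened files, and both the Comment and the `# N/A` documentation should say so (worth confirming against a current VS Code build). `CachedExtensions\user*` is a cache; the installed-extension list itself lives under `C:\Users\%user%\.vscode\extensions\` (with an `extensions.json` index), which would be the more reliable source if that path is confirmed. Minor: "users workspaces" / "users installed extensions" in the Comments want an apostrophe.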
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Fri, 22 Mar 2024 17:58:52 -0400 Subject: [PATCH 051/146] Update VisualStudioCode.tkape remove extra line --- Targets/Apps/VisualStudioCode.tkape | 1 - 1 file changed, 1 deletion(-) diff --git a/Targets/Apps/VisualStudioCode.tkape b/Targets/Apps/VisualStudioCode.tkape index 5c367e47d..00f0f6310 100644 --- a/Targets/Apps/VisualStudioCode.tkape +++ b/Targets/Apps/VisualStudioCode.tkape @@ -53,6 +53,5 @@ Targets: Recursive: true Comment: "Grabs the VSCode logs. Further analysis is needed to determine which logs are junk, and which can be vital." - # Documentation # N/A From 75a339aefce346ae0ae1ce9fcb1c436bff6de77e Mon Sep 17 00:00:00 2001 From: Chris-P-Bakin Date: Sat, 23 Mar 2024 20:24:33 -0400 Subject: [PATCH 052/146] Create Robo-FTP.tkape Added Target for Robo-FTP, an FTP client that focuses on automation. --- Targets/Apps/Robo-FTP.tkape | 94 +++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 Targets/Apps/Robo-FTP.tkape diff --git a/Targets/Apps/Robo-FTP.tkape b/Targets/Apps/Robo-FTP.tkape new file mode 100644 index 000000000..a4720d515 --- /dev/null +++ b/Targets/Apps/Robo-FTP.tkape 
@@ -0,0 +1,94 @@ +Description: Robo-FTP +Author: Thomas Burnette +Version: 1.0 +Id: d23bbad5-8c40-407f-9224-8a8e613f9730 +RecreateDirectories: true +Targets: + - + Name: Robo-FTP User Scripts + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\Scripts\ + FileMask: "*.s" + Comment: "Custom scripts created by each user" + - + Name: Robo-FTP User Debug Logs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\Debug\ + FileMask: "*.log" + Comment: "Debug logs generated for each user, if enabled" + - + Name: Robo-FTP User Script/Trace Logs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\Logs\ + FileMask: "*" + Comment: "Script and Trace logs generated for each user" + - + Name: Robo-FTP User XML Config + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\ + FileMask: "config.xml" + Comment: "Config.xml unique to each user. Contains list of custom scripts and ftp sites" + - + Name: Robo-FTP User SSH Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\SSH Keys\ + FileMask: "*" + Comment: "Saved SSH keys for each user" + - + Name: Robo-FTP User SSL Certificates + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\SSL Certificates\ + FileMask: "*" + Comment: "Saved SSL Certificates for each user" + - + Name: Robo-FTP User PGP Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\UserData\*\PGP Keys\ + FileMask: "*" + Comment: "Saved PGP Keys for each user" + - + Name: Robo-FTP SSH Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\SSH Keys\ + FileMask: "*" + Comment: "Shared SSH keys" + - + Name: Robo-FTP SSL Certificates + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\SSL Certificates\ + FileMask: "*" + Comment: "Shared SSL Certificates" + - + Name: Robo-FTP PGP Keys + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\PGP Keys\ + FileMask: "*" + Comment: "Shared PGP Keys" + - + Name: Robo-FTP Debug Logs + Category: 
Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\Debug\ + FileMask: "*" + Comment: "Debug logs generated by Robo-FTP" + - + Name: Robo-FTP Script/Trace Logs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\Logs\ + FileMask: "*" + Comment: "Script and Trace logs generated by Robo-FTP" + - + Name: Robo-FTP XML Config + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\ + FileMask: "config.xml" + Comment: "Config.xml. Contains list of custom scripts and ftp sites" + - + Name: Robo-FTP Jobs + Category: Apps + Path: C:\Program Files\Robo-FTP 3.12\ProgramData\ + FileMask: "SchedulerService.sqlite" + Comment: "Contains details of scheduled jobs" + +# Documentation +# https://www.robo-ftp.com/ +# Robo-FTP is an FTP client that is focused on automation through the use of scripts. From d0de250bcdbfe0cf17a567e55507e15c4cac1cc0 Mon Sep 17 00:00:00 2001 From: Chris-P-Bakin Date: Sat, 23 Mar 2024 20:28:49 -0400 Subject: [PATCH 053/146] Update SQLiteDatabases.tkape Added entry for Robo-FTP SchedulerService.sqlite --- Targets/Compound/SQLiteDatabases.tkape | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Targets/Compound/SQLiteDatabases.tkape b/Targets/Compound/SQLiteDatabases.tkape index 24c36d63a..b5ff6cd39 100644 --- a/Targets/Compound/SQLiteDatabases.tkape +++ b/Targets/Compound/SQLiteDatabases.tkape @@ -61,6 +61,14 @@ Targets: Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\ FileMask: todosqlite.db* + # Apps - Robo-FTP - Robo-FTP.tkape + + - + Name: Robo-FTP Jobs + Category: Apps + Path: C:\Program Files\Robo-FTP *\ProgramData\ + FileMask: "SchedulerService.sqlite" + # Apps - TeraCopy - TeraCopy.tkape - From 55baf0777988212fbf6afa7711a71789128c8270 Mon Sep 17 00:00:00 2001 
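Review bot: Every `Path:` hard-codes the install directory as `Robo-FTP 3.12`, so the target silently collects nothing on any other release, whereas the SQLiteDatabases.tkape entry added in the next commit on this same line already uses `C:\Program Files\Robo-FTP *\ProgramData\`; the fourteen paths here should take the same wildcard, e.g. `Path: C:\Program Files\Robo-FTP *\UserData\*\Scripts\`. The six key and certificate targets pull private key material (SSH, PGP, SSL), and their Comments should state that plainly so an examiner knows the collection contains secrets that need credential-grade handling. The `FileMask: "*"` on those targets is redundant with the default and can be dropped for consistency with the config.xml entries.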
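Review bot: There is an extra blank line between `# Apps - Robo-FTP - Robo-FTP.tkape` and the `-` that opens the entry, which breaks the pattern of the surrounding blocks where the section comment is immediately followed by the entry (see the `# Apps - TeraCopy - TeraCopy.tkape` context line). Dropping that blank line keeps the file consistent. The enclosing Targets list continues outside the hunk.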
From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:30:56 +0200 Subject: [PATCH 054/146] Create PowerShell_AD_Timeline.mkape --- Modules/PowerShell_AD_Timeline.mkape | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 Modules/PowerShell_AD_Timeline.mkape diff --git a/Modules/PowerShell_AD_Timeline.mkape b/Modules/PowerShell_AD_Timeline.mkape new file mode 100644 index 000000000..8b6672fb2 --- /dev/null +++ b/Modules/PowerShell_AD_Timeline.mkape 
@@ -0,0 +1,24 @@ +Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest. +Category: Github +Author: Tristan PINCEAUX - CERT CWATCH - ALMOND +Version: 1.0 +Id: 6666cc62-821f-4b13-b13a-03c768b40f71 +BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1 +ExportFormat: csv, log, xml +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% " + ExportFormat: csv, log, xml + +# Documentation +# ADtimeline is a powershell script created by the ANSSI (French Cybersecurity Agency). +# You can use the output of this script to determine persistance, sensitives accounts, suspicious activities... +# You need to run this script on a live domain controller. +# This script will generate four files : +# - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved. +# - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain. +# - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP. +# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog. +# https://github.com/ANSSI-FR/ADTimeline +# https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf From 862ada47fd519601938f337efa0609396fa11619 Mon Sep 17 00:00:00 2001 
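Review bot: `BinaryUrl` fetches `ADTimeline.ps1` from the `master` branch, so the script that `-ep bypass` then runs on a live domain controller is whatever that branch holds at download time; pinning the URL to a release tag or commit SHA and recording the expected hash of that revision in the Documentation block makes the module reproducible and lets an examiner verify the copy in `Modules\bin` before it runs. In `CommandLine`, `%destinationDirectory%` is passed to `Move-Item` unquoted, which fails for a destination containing spaces — `-Destination '%destinationDirectory%'` on each of the four calls fixes that. The Move-Item calls also assume the script writes its output to the working directory KAPE starts powershell.exe in, which is worth stating in the documentation. Two misspellings in the Documentation lines ("persistance", "sensitives accounts") survive the later cleanup commit in this series.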
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 2 Apr 2024 14:37:07 -0400 Subject: [PATCH 055/146] Update and rename Modules/PowerShell_AD_Timeline.mkape to Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape --- Modules/{ => Apps/GGitHub}/PowerShell_AD_Timeline.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename Modules/{ => Apps/GGitHub}/PowerShell_AD_Timeline.mkape (98%) diff --git a/Modules/PowerShell_AD_Timeline.mkape b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape similarity index 98% rename from Modules/PowerShell_AD_Timeline.mkape rename to Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape index 8b6672fb2..0a61860b9 100644 --- a/Modules/PowerShell_AD_Timeline.mkape +++ b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape @@ -1,5 +1,5 @@ Description: ADTimeline.ps1 - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest. -Category: Github +Category: GitHub Author: Tristan PINCEAUX - CERT CWATCH - ALMOND Version: 1.0 Id: 6666cc62-821f-4b13-b13a-03c768b40f71 From 4350f663ec27a292b4bb5346f239792cdeb9e81f Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 2 Apr 2024 14:39:34 -0400 Subject: [PATCH 056/146] Update PowerShell_AD_Timeline.mkape remove trailing spaces --- Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape index 0a61860b9..e84a7e929 100644 --- a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape +++ b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape 
@@ -12,13 +12,13 @@ Processors: ExportFormat: csv, log, xml # Documentation -# ADtimeline is a powershell script created by the ANSSI (French Cybersecurity Agency). +# ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency). # You can use the output of this script to determine persistance, sensitives accounts, suspicious activities... -# You need to run this script on a live domain controller. -# This script will generate four files : +# You need to run this script on a live domain controller. +# This script will generate four files: # - timeline_%DOMAINFQDN%.csv: The timeline generated with the AD replication metadata of objects retrieved. # - logfile_%DOMAINFQDN%.log: Script log file. You will also find various information on the domain. # - ADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via LDAP. -# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog. +# - gcADobjects_%DOMAINFQDN%.xml: Objects of interest retrieved via the Global Catalog. # https://github.com/ANSSI-FR/ADTimeline # https://www.first.org/resources/papers/amsterdam2019/AD_Timeline_FIRST_TC.pdf From 570487e0bd3a61300f52bb943a27638ec7fbaf73 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 4 Apr 2024 16:24:29 +0000 Subject: [PATCH 057/146] Create RDPJumplist.tkape --- Targets/Windows/RDPJumplist.tkape | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 Targets/Windows/RDPJumplist.tkape diff --git a/Targets/Windows/RDPJumplist.tkape b/Targets/Windows/RDPJumplist.tkape new file mode 100644 index 000000000..e18fb9522 --- /dev/null +++ b/Targets/Windows/RDPJumplist.tkape 
@@ -0,0 +1,13 @@ +Description: RDP Jumplist Files +Author: Vito Alfano +Version: 1.0 +Id: da62b852-7af2-4882-ac83-ff3e142da2ef +RecreateDirectories: true +Targets: + - + Name: RDP Jumplist Files + Category: FileSystem + Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\ + +# Documentation +# https://www.zerofox.com/blog/remote-desktop-application-vs-mstsc-forensics-the-rdp-artifacts-you-might-be-missing/ From 07ac986c6bcfe6da769ac180c75abb36e06fc30f Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 4 Apr 2024 16:35:19 +0000 Subject: [PATCH 058/146] Update RDPJumplist.tkape --- Targets/Windows/RDPJumplist.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Windows/RDPJumplist.tkape b/Targets/Windows/RDPJumplist.tkape index e18fb9522..48a2e7560 100644 --- a/Targets/Windows/RDPJumplist.tkape +++ b/Targets/Windows/RDPJumplist.tkape @@ -8,6 +8,6 @@ Targets: Name: RDP Jumplist Files Category: FileSystem Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\ - + # Documentation # https://www.zerofox.com/blog/remote-desktop-application-vs-mstsc-forensics-the-rdp-artifacts-you-might-be-missing/ From 9492fc0a6f311dab671409d62248f7bbdc20c002 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Thu, 4 Apr 2024 16:38:03 +0000 Subject: [PATCH 059/146] Update RDPJumplist.tkape --- Targets/Windows/RDPJumplist.tkape | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Targets/Windows/RDPJumplist.tkape b/Targets/Windows/RDPJumplist.tkape index 48a2e7560..d811de9fc 100644 --- a/Targets/Windows/RDPJumplist.tkape +++ b/Targets/Windows/RDPJumplist.tkape 
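Review bot: The Name and Description say "Jumplist" but the Path is the whole `Microsoft.RemoteDesktop_8wekyb3d8bbwe` package folder with no `FileMask` and no `Comment`, so it is not clear which files inside it are the artifact of interest; a `Comment:` naming the files the cited ZeroFox article covers (and a `FileMask` if only some are wanted) would make the target self-explaining. `Category: FileSystem` also stands out — the package folder is application data for the Store Remote Desktop client, and the other app targets in this series use `Apps`. Recursion is added in a later commit in this series, so that is not re-raised here.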
@@ -8,6 +8,7 @@ Targets: Name: RDP Jumplist Files Category: FileSystem Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\ - + Recursive: true + # Documentation # https://www.zerofox.com/blog/remote-desktop-application-vs-mstsc-forensics-the-rdp-artifacts-you-might-be-missing/ From 6765c598b6766a65e5fb3232ceac7eaba8a123bf Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 4 Apr 2024 21:02:20 -0400 Subject: [PATCH 060/146] Update PowerShell_AD_Timeline.mkape make CSV the default ExportFormat, and rename the ExportFormat for the first processor to CSV --- Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape index e84a7e929..9887abd07 100644 --- a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape +++ b/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape @@ -4,12 +4,12 @@ Author: Tristan PINCEAUX - CERT CWATCH - ALMOND Version: 1.0 Id: 6666cc62-821f-4b13-b13a-03c768b40f71 BinaryUrl: https://raw.githubusercontent.com/ANSSI-FR/ADTimeline/master/ADTimeline.ps1 -ExportFormat: csv, log, xml +ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine: "-ep bypass & '%kapeDirectory%\\Modules\\bin\\ADTimeline.ps1'; Move-Item timeline_*.csv -Destination %destinationDirectory%; Move-Item logfile_*.log -Destination %destinationDirectory%; Move-Item ADobjects_*.xml -Destination %destinationDirectory%; Move-Item gcADobjects_*.xml -Destination %destinationDirectory% " - ExportFormat: csv, log, xml + ExportFormat: csv # Documentation # ADtimeline is a PowerShell script created by the ANSSI (French Cybersecurity Agency). From 6ffa71dd8592d51174612296243b66e402b914e6 Mon Sep 17 00:00:00 2001 
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 4 Apr 2024 21:06:51 -0400 Subject: [PATCH 061/146] Rename PowerShell_AD_Timeline.mkape to PowerShell_AD_Timeline.mkape erroneous folder renamed --- Modules/Apps/{GGitHub => GitHub}/PowerShell_AD_Timeline.mkape | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Modules/Apps/{GGitHub => GitHub}/PowerShell_AD_Timeline.mkape (100%) diff --git a/Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape b/Modules/Apps/GitHub/PowerShell_AD_Timeline.mkape similarity index 100% rename from Modules/Apps/GGitHub/PowerShell_AD_Timeline.mkape rename to Modules/Apps/GitHub/PowerShell_AD_Timeline.mkape From a0a2a1db620664ead8ff789397ac282498e95ca3 Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Tue, 16 Apr 2024 20:10:47 +1000 Subject: [PATCH 062/146] Update Chrome.tkape add snapshots --- Targets/Browsers/Chrome.tkape | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Targets/Browsers/Chrome.tkape b/Targets/Browsers/Chrome.tkape index ec17d8dad..0bb51d77f 100644 --- a/Targets/Browsers/Chrome.tkape +++ b/Targets/Browsers/Chrome.tkape @@ -201,6 +201,12 @@ Targets: Path: C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\ Recursive: true Comment: "Required for offline decryption" + - + Name: Chrome Snapshots Folder + Category: Communications + Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\Snapshots\*\ + Recursive: true + Comment: "Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #." # Documentation # https://nasbench.medium.com/web-browsers-forensics-7e99940c579a From 924d46012491b1a21f5a72878c105c9cf34099fd Mon Sep 17 00:00:00 2001 
From: epoxigen <47720305+epoxigen@users.noreply.github.com> Date: Wed, 8 May 2024 17:47:32 +0200 Subject: [PATCH 063/146] Update SupremoRemoteDesktop.tkape Targets checked for accuracy with newest Supremo version 4.11.0.2490. Documentation and author privacy updated. --- Targets/Apps/SupremoRemoteDesktop.tkape | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Targets/Apps/SupremoRemoteDesktop.tkape b/Targets/Apps/SupremoRemoteDesktop.tkape index 58e35f7ee..b1cc6fe0d 100644 --- a/Targets/Apps/SupremoRemoteDesktop.tkape +++ b/Targets/Apps/SupremoRemoteDesktop.tkape @@ -1,6 +1,6 @@ Description: Supremo Remote Desktop Control Logs -Author: Sandro Heckendorn -Version: 1.0 +Author: epoxigen +Version: 1.1 Id: 0d88cf87-bbc5-4bcf-bb4f-2bc9a3e300f0 RecreateDirectories: true Targets: @@ -14,11 +14,13 @@ Targets: Name: Supremo File Transfer Inbox Category: Communications Path: C:\ProgramData\SupremoRemoteDesktop\Inbox - Comment: "Includes all files transferred to the inbox folder during a remote session" + Comment: "Includes files transferred to the inbox folder during a remote session. See Supremo.00.FileTransfer.log" # Documentation # https://www.supremocontrol.com/ # Supremo Remote Desktop is a Remote Access Tool similar to TeamViewer. # Supremo.00.Incoming.log is logging the incoming remote sessions. +# Supremo.00.ReportsQueue.log is logging device related information of remote sessions. # Supremo.00.Client.log is logging application events such as program start/exit and the client-server-connections to the Supremo servers. -# The Inbox is the destination folder for incoming transferred files and may contain evidence of malware when the software is misused for scams and other shenanigans. +# Supremo.00.FileTransfer.log is logging file transfers between remote sessions. +# Keep in mind: Files can be transferred to any location on the remote client, not only into the Inbox folder. 
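Review bot: The commit message says these paths were re-checked against Supremo 4.11.0.2490, but that fact is not in the file; adding `# Paths verified against Supremo 4.11.0.2490` to the Documentation block records which release the target is known to match, which matters for a remote-access tool whose log names (`Supremo.00.*.log`) may change between releases. The new last line is the important caveat and would read better as an instruction, e.g. `# The Inbox target is not exhaustive for transfers; use Supremo.00.FileTransfer.log to find destination paths.` The first hunk (author/version bump) needs nothing.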
From d12214218e06d94a9137317a88c2bcad49d80a5a Mon Sep 17 00:00:00 2001 From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com> Date: Thu, 16 May 2024 15:28:00 +0200 Subject: [PATCH 064/146] Adding QlikSense and UEMS target files Seen in recent Cactus Ransomware attacks --- Targets/Apps/QlikSense.tkape | 46 ++++++++++++++++++++++++++++++++++++ Targets/Apps/UEMS.tkape | 29 +++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 Targets/Apps/QlikSense.tkape create mode 100644 Targets/Apps/UEMS.tkape diff --git a/Targets/Apps/QlikSense.tkape b/Targets/Apps/QlikSense.tkape new file mode 100644 index 000000000..62ff5de96 --- /dev/null +++ b/Targets/Apps/QlikSense.tkape 
@@ -0,0 +1,46 @@ +Description: Qlik Sense +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 6e979be3-4913-4d16-a508-cc3284194c2b +RecreateDirectories: true +Targets: + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.txt' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Proxy + Recursive: true + FileMask: '*.log' + Comment: "Collects the proxy logs for Qlik Sense" + + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.txt' + Comment: "Collects the scheduler logs for Qlik Sense" + - + Name: Qlik Sense Logs + Category: Software + Path: C:\ProgramData\Qlik\Sense\Log\Scheduler + Recursive: true + FileMask: '*.log' + Comment: "Collects the scheduler logs for Qlik Sense" + +# Documentation +# Qlik Sense is a powerful business intelligence solution that enables users to visualize and analyze complex data. +# We have seen three vulnerabilites (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed qlik solution in recent Cactus Ransomware Campain : +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.shadowserver.org/what-we-do/network-reporting/critical-vulnerable-compromised-qlik-sense-special-report/ +# You can find details on the full exploit here : +# https://www.praetorian.com/blog/qlik-sense-technical-exploit/ +# https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/ diff --git a/Targets/Apps/UEMS.tkape b/Targets/Apps/UEMS.tkape new file mode 100644 index 000000000..e4a568efc --- /dev/null +++ b/Targets/Apps/UEMS.tkape 
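Review bot: All four targets carry the same `Name: Qlik Sense Logs`, which makes them indistinguishable in KAPE's console output and logs; name them by source and mask, e.g. `Name: Qlik Sense Proxy Logs (txt)` / `Name: Qlik Sense Scheduler Logs (log)`, or collapse each pair into one target. UEMS.tkape in the same commit has the same duplicate-Name issue. `Category: Software` is not used by any other target visible in this series (`Apps`, `Communications`, `ApplicationLogs`); `Apps` would match. The Documentation block would also benefit from a line naming the Qlik Sense release the `C:\ProgramData\Qlik\Sense\Log\` layout was verified on.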
@@ -0,0 +1,29 @@ +Description: UEMS Manage Engine Agent +Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND +Version: 1.0 +Id: 3ff43bb0-ac44-4374-ac4e-dbe104d81b60 +RecreateDirectories: true +Targets: + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects all logs for UEMS" + + - + Name: Unified endpoint management and security solutions from ManageEngine + Category: RMM Tool + Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs + Recursive: true + FileMask: '*.log' + Comment: "Collects Users logs for UEMS" + +# Documentation +# https://www.manageengine.com/unified-endpoint-management-security.html +# UEMS Manage Engine Agent is a remote acces tool part of the ManageEngine suite. +# We have observed this tool being deployed in recent Cactus ransomware Campaign : +# https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ +# https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/ +# https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ From 6b2a77772b93af2f997a5f9598c2fe1e65f37411 Mon Sep 17 00:00:00 2001 From: cert-cwatch <149478619+cert-cwatch@users.noreply.github.com> Date: Thu, 16 May 2024 15:29:14 +0200 Subject: [PATCH 065/146] Update RemoteAdmin.tkape --- Targets/Compound/RemoteAdmin.tkape | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index c8939bfc0..1a71fbfbe 100644 --- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -89,6 +89,10 @@ Targets: Name: TeamViewer Category: ApplicationLogs Path: TeamViewerLogs.tkape + - + Name: UEMS + Category: ApplicationLogs + Path: UEMS.tkape - Name: UltraViewer Category: ApplicationLogs 
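Review bot: Both entries are named `Name: Unified endpoint management and security solutions from ManageEngine`, which is a product description rather than an identifier; `Name: UEMS Agent Logs` and `Name: UEMS Agent Logs (VirtualStore)` would tell an examiner which path each collected file came from. `Category: RMM Tool` contains a space and is unlike the single-token categories used by the other targets in this series (`ApplicationLogs`, `Antivirus`, `FileKnowledge`); as the category is presumably used as an output folder name, a consistent token such as `ApplicationLogs` is preferable. A Documentation comment noting that only the 32-bit `Program Files (x86)` install location is covered would also help, since an agent installed elsewhere would be missed silently.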
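Review bot: RemoteAdmin.tkape gains a new entry but its `Version:` header is left untouched, whereas the other target additions in this series (PowerShellConsole.tkape, PowerShellTranscripts.tkape, CombinedLogs.tkape, Exchange.tkape) bump the version together with the new entry. The same omission applies to the MeshAgent addition to RemoteAdmin.tkape, the MicrosoftSafetyScanner addition to Antivirus.tkape and the Detections.log addition to WindowsDefender.tkape further down this page. The header line is outside each of these hunks, so the fix is a separate one-line change incrementing the existing `Version:` value; without it, consumers comparing target versions cannot see that the compound target's coverage changed.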
From 677385f667a4cb74c5f3b294f7728c6afd1917c0 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 16 May 2024 10:28:56 -0400 Subject: [PATCH 066/146] Update QlikSense.tkape fix spelling, remove trailing spaces --- Targets/Apps/QlikSense.tkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Targets/Apps/QlikSense.tkape b/Targets/Apps/QlikSense.tkape index 62ff5de96..b233eb1be 100644 --- a/Targets/Apps/QlikSense.tkape +++ b/Targets/Apps/QlikSense.tkape @@ -37,10 +37,10 @@ Targets: # Documentation # Qlik Sense is a powerful business intelligence solution that enables users to visualize and analyze complex data. -# We have seen three vulnerabilites (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed qlik solution in recent Cactus Ransomware Campain : +# We have seen three vulnerabilities (CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365) exploited on exposed Qlik solution in a recent Cactus Ransomware Campaign: # https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ # https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ # https://www.shadowserver.org/what-we-do/network-reporting/critical-vulnerable-compromised-qlik-sense-special-report/ -# You can find details on the full exploit here : +# You can find details on the full exploit here: # https://www.praetorian.com/blog/qlik-sense-technical-exploit/ # https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/ From d7cb1913e6cfc82c364300909f3d1e150ba5c2f8 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 16 May 2024 10:31:05 -0400 Subject: [PATCH 067/146] Update UEMS.tkape remove trailing spaces --- Targets/Apps/UEMS.tkape | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Targets/Apps/UEMS.tkape b/Targets/Apps/UEMS.tkape index e4a568efc..1b80c2b8c 100644 --- a/Targets/Apps/UEMS.tkape +++ b/Targets/Apps/UEMS.tkape @@ -18,12 +18,12 @@ Targets: Path: C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs Recursive: true FileMask: '*.log' - Comment: "Collects Users logs for UEMS" + Comment: "Collects User logs for UEMS" # Documentation # https://www.manageengine.com/unified-endpoint-management-security.html -# UEMS Manage Engine Agent is a remote acces tool part of the ManageEngine suite. -# We have observed this tool being deployed in recent Cactus ransomware Campaign : +# UEMS Manage Engine Agent is a remote access tool in the ManageEngine suite. +# We have observed this tool being deployed in a recent Cactus ransomware Campaign: # https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ # https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/ # https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ From b7bea3bc6e3dd15248390c9c759aa7976b852b91 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Mon, 20 May 2024 13:40:36 +0000 Subject: [PATCH 068/146] Delete Targets/Apps/Windows_Notepad.tkape --- Targets/Apps/Windows_Notepad.tkape | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 Targets/Apps/Windows_Notepad.tkape diff --git a/Targets/Apps/Windows_Notepad.tkape b/Targets/Apps/Windows_Notepad.tkape deleted file mode 100644 index ad6bfd0d5..000000000 --- a/Targets/Apps/Windows_Notepad.tkape +++ /dev/null 
@@ -1,15 +0,0 @@ -Description: Microsoft Windows 11 Notepad history -Author: Vito Alfano -Version: 1.0 -Id: 531d8631-b3ac-4bc2-b2e6-5f31442efb94 -RecreateDirectories: true -Targets: - - - Name: Notepad Tab State Folder - Category: App - Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\ - FileMask: "*.bin" - Comment: "Collecting Windows 11 Notepad tabs history files" - -# Documentation -# https://twitter.com/nas_bench/status/1725658060104913019 From a01f910661fb3e00710a59fa91be2df8f21594b3 Mon Sep 17 00:00:00 2001 From: ExeqZ Date: Sat, 25 May 2024 16:10:47 +0200 Subject: [PATCH 069/146] Update EdgeChromium.tkape Fix the Edge Cookie issue. the recursive does not help. Problem is Cookie file is in the Subfolder Network located --- Targets/Browsers/EdgeChromium.tkape | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Targets/Browsers/EdgeChromium.tkape b/Targets/Browsers/EdgeChromium.tkape index 1cc4d49f2..3828f1ac1 100644 --- a/Targets/Browsers/EdgeChromium.tkape +++ b/Targets/Browsers/EdgeChromium.tkape @@ -17,8 +17,7 @@ Targets: - Name: Edge Cookies Category: Communications - Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\ - Recursive: true + Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Network FileMask: Cookies* - Name: Edge Current Session From 5ffb6d58f75b84355c5ed6bbbb50345eec58e896 Mon Sep 17 00:00:00 2001 From: 00gh <00gh> Date: Sun, 26 May 2024 21:20:50 +0200 Subject: [PATCH 070/146] Modules/Targets README.md: Compund => Compound This commit adds an 'o' to the word "Compund" to become "Compound" in two README.md files. --- Modules/README.md | 2 +- Targets/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/README.md b/Modules/README.md index 7bc777408..4e3b33ebe 100644 --- a/Modules/README.md +++ b/Modules/README.md 
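Review bot: Pinning the Edge cookie entry to `User Data\*\Network` and dropping `Recursive: true` means profiles written by Edge builds that still kept `Cookies` directly in the profile folder (before Chromium moved the file into the `Network` subfolder) are no longer collected. If such installs are in scope, keep a second entry with `Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\` and the same `FileMask: Cookies*`, or add a Documentation comment explaining why the older location was dropped. The rest of EdgeChromium.tkape, including its Documentation block, is outside the hunk.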
@@ -8,7 +8,7 @@ The Apps folder contains Modules for all third-party applications. ### Compound -The Compund folder contains Modules that point to other Modules. +The Compound folder contains Modules that point to other Modules. ### EZTools diff --git a/Targets/README.md b/Targets/README.md index c514174a1..ef8c4dfe9 100644 --- a/Targets/README.md +++ b/Targets/README.md @@ -20,7 +20,7 @@ The Browsers folder contains Targets for web browsers. ### Compound -The Compund folder contains Targets that point to other Targets. +The Compound folder contains Targets that point to other Targets. ### Logs From 807edcfc43e8e9c3074c7ac0fd1678838767ee1f Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Tue, 4 Jun 2024 19:25:44 +1000 Subject: [PATCH 071/146] Copilot+ Recall --- Targets/Windows/WindowsCopilotRecall.tkape | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 Targets/Windows/WindowsCopilotRecall.tkape diff --git a/Targets/Windows/WindowsCopilotRecall.tkape b/Targets/Windows/WindowsCopilotRecall.tkape new file mode 100644 index 000000000..23b33a5bc --- /dev/null +++ b/Targets/Windows/WindowsCopilotRecall.tkape @@ -0,0 +1,16 @@ +Description: Windows Copilot+ Recall +Author: Zach Stanford/Phill Moore +Version: 1.0 +Id: 333b716c-468e-48e7-960b-248526029dda +RecreateDirectories: true +Targets: + - + Name: Recall folder + Category: FileKnowledge + Path: C:\Users\*\AppData\Local\CoreAIPlatform.00\UKP\ + Recursive: true + + +# Documentation +# Files and folder related to Copilot+ Recall +# https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e \ No newline at end of file From 5c4d5cbf0ec7c052b0ad86ceb81f7aa6fe957ebf Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Tue, 4 Jun 2024 19:27:29 +1000 Subject: [PATCH 072/146] Update WindowsCopilotRecall.tkape lint stuff --- Targets/Windows/WindowsCopilotRecall.tkape | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
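Review bot: The Recall path uses `C:\Users\*\AppData\...` while every other user-profile target in this series uses the `%user%` variable; the PushNotification fix later on this page shows how sensitive these paths are to the exact variable form, so `Path: C:\Users\%user%\AppData\Local\CoreAIPlatform.00\UKP\` keeps the file consistent with the rest of the repository. The entry also has no `Comment:`; since the whole folder is taken recursively, a short `Comment: "Copilot+ Recall data folder, collected recursively"` tells the examiner what to expect in the output.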
diff --git a/Targets/Windows/WindowsCopilotRecall.tkape b/Targets/Windows/WindowsCopilotRecall.tkape index 23b33a5bc..39a3fa9ce 100644 --- a/Targets/Windows/WindowsCopilotRecall.tkape +++ b/Targets/Windows/WindowsCopilotRecall.tkape @@ -9,8 +9,7 @@ Targets: Category: FileKnowledge Path: C:\Users\*\AppData\Local\CoreAIPlatform.00\UKP\ Recursive: true - # Documentation # Files and folder related to Copilot+ Recall -# https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e \ No newline at end of file +# https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e From b5fd3f8c8e2a82cf945667cda434330923e772b3 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Wed, 5 Jun 2024 17:14:13 +0000 Subject: [PATCH 073/146] Update WindowsCopilotRecall.tkape --- Targets/Windows/WindowsCopilotRecall.tkape | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Targets/Windows/WindowsCopilotRecall.tkape b/Targets/Windows/WindowsCopilotRecall.tkape index 39a3fa9ce..9ebf96414 100644 --- a/Targets/Windows/WindowsCopilotRecall.tkape +++ b/Targets/Windows/WindowsCopilotRecall.tkape @@ -13,3 +13,5 @@ Targets: # Documentation # Files and folder related to Copilot+ Recall # https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e +# https://cybercx.com.au/blog/forensic-applications-of-microsoft-recall/ +# https://github.com/xaitax/TotalRecall From 3a2ece9a02343f469032bfb9fca4ea4b23b3022d Mon Sep 17 00:00:00 2001 From: Gos Date: Thu, 6 Jun 2024 14:46:05 +0200 Subject: [PATCH 074/146] Change --- Targets/Apps/MeshAgent.tkape | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 Targets/Apps/MeshAgent.tkape 
diff --git a/Targets/Apps/MeshAgent.tkape b/Targets/Apps/MeshAgent.tkape new file mode 100644 index 000000000..d851d7f81 --- /dev/null +++ b/Targets/Apps/MeshAgent.tkape @@ -0,0 +1,26 @@ +Description: MeshAgent log and configuration files +Author: Geir Olav Skei, Atea IRT +Version: 1.0 +Id: a96457f4-a65e-42bb-8bc8-6ac3df680689 +RecreateDirectories: true +Targets: + - + Name: MeshAgent .msh (configuration) file + Category: Apps + Path: C:\Program Files\Mesh Agent\ + Recursive: true + FileMask: "*.msh" + Comment: "Grabs all .msh (config) files present in this folder" + - + Name: MeshAgent log file + Category: Logs + Path: C:\Program Files\Mesh Agent\ + Recursive: true + FileMask: "*.log" + Comment: "Grabs all .log files present in this folder" + + +# Documentation +# https://github.com/Ylianst/MeshAgent +# https://ylianst.github.io/MeshCentral/meshcentral/agents/ +# https://meshcentral.com/ \ No newline at end of file From ce9bd84cf00247adbe1c075d27b31d194857dbbe Mon Sep 17 00:00:00 2001 From: Gos Date: Thu, 6 Jun 2024 14:46:41 +0200 Subject: [PATCH 075/146] Init --- Targets/Compound/RemoteAdmin.tkape | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index 1a71fbfbe..244cea2e5 100644 --- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -40,6 +40,10 @@ Targets: Name: LogMeIn Category: ApplicationLogs Path: LogMeIn.tkape + - + Name: MeshAgent + Category: ApplicationLogs + Path: MeshAgent.tkape - Name: mRemoteNG Category: ApplicationLogs From 26424f892afe75fcab52fefed6393e7a7e1f3313 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 6 Jun 2024 21:47:18 -0400 Subject: [PATCH 076/146] Update MeshAgent.tkape linter fixes --- Targets/Apps/MeshAgent.tkape | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Targets/Apps/MeshAgent.tkape b/Targets/Apps/MeshAgent.tkape index d851d7f81..458c80838 100644 
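Review bot: The two entries use different categories (`Category: Apps` for the `.msh` file, `Category: Logs` for the `.log` files), so this one target's output is split across two folders; a single category, such as the `ApplicationLogs` value RemoteAdmin.tkape assigns to it in the next commit, keeps the agent's configuration and logs together. Both entries are scoped to `C:\Program Files\Mesh Agent\`, which is presumably the default service install path; agents deployed elsewhere would be missed, so a Documentation comment such as `# Only the default install location is covered; relocated agents are not` would make that limitation explicit. The `.msh` file is the agent's configuration, so the `Comment:` could say that it identifies the controlling server rather than just "Grabs all .msh (config) files".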
--- a/Targets/Apps/MeshAgent.tkape +++ b/Targets/Apps/MeshAgent.tkape @@ -19,8 +19,7 @@ Targets: FileMask: "*.log" Comment: "Grabs all .log files present in this folder" - # Documentation # https://github.com/Ylianst/MeshAgent # https://ylianst.github.io/MeshCentral/meshcentral/agents/ -# https://meshcentral.com/ \ No newline at end of file +# https://meshcentral.com/ From a68cb169444162ac9fbb782abb37c8a9ae74e282 Mon Sep 17 00:00:00 2001 From: mthcht Date: Sun, 9 Jun 2024 23:21:43 +0200 Subject: [PATCH 077/146] Update PushNotification.tkape --- Targets/Windows/PushNotification.tkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Targets/Windows/PushNotification.tkape b/Targets/Windows/PushNotification.tkape index 180c78c0b..91bd4b9cb 100644 --- a/Targets/Windows/PushNotification.tkape +++ b/Targets/Windows/PushNotification.tkape @@ -7,12 +7,12 @@ Targets: - Name: WNS Category: WNS - Path: C:\Users\%user\AppData\Local\Microsoft\Windows\Notifications\ + Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\Notifications\ FileMask: appdb.dat - Name: WNS Category: WNS - Path: C:\Users\%user\AppData\Local\Microsoft\Windows\Notifications\ + Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\Notifications\ FileMask: wpndatabase.db # Documentation From ec02a8ab8ea24b326c1c58ed4b803eafef68dab7 Mon Sep 17 00:00:00 2001 From: sec-hbaer <150132280+sec-hbaer@users.noreply.github.com> Date: Tue, 11 Jun 2024 13:06:41 +0200 Subject: [PATCH 078/146] target for iconcachedb --- Targets/Windows/IconCacheDB.tkape | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Targets/Windows/IconCacheDB.tkape diff --git a/Targets/Windows/IconCacheDB.tkape b/Targets/Windows/IconCacheDB.tkape new file mode 100644 index 000000000..e716889ee --- /dev/null +++ b/Targets/Windows/IconCacheDB.tkape 
@@ -0,0 +1,15 @@ +Description: IconCache.db files +Author: Herbert Bärschneider @SEC Consult +Version: 1.0 +Id: 4e447ad0-4fda-44f6-9f82-1ae9ac47a8d4 +RecreateDirectories: true +Targets: + - + Name: Windows IconCache DB + Category: IconCache + Path: C:\Users\%user%\AppData\Local\ + FileMask: IconCache.db + +# Documentation +# https://www.sciencedirect.com/science/article/abs/pii/S1742287614000607 + From a87de5dcadfa47a9cd7968da0639a9cf06c053fc Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 11 Jun 2024 15:48:17 -0400 Subject: [PATCH 079/146] Update IconCacheDB.tkape --- Targets/Windows/IconCacheDB.tkape | 1 - 1 file changed, 1 deletion(-) diff --git a/Targets/Windows/IconCacheDB.tkape b/Targets/Windows/IconCacheDB.tkape index e716889ee..1af172457 100644 --- a/Targets/Windows/IconCacheDB.tkape +++ b/Targets/Windows/IconCacheDB.tkape @@ -12,4 +12,3 @@ Targets: # Documentation # https://www.sciencedirect.com/science/article/abs/pii/S1742287614000607 - From d38bc53961922193de8d7dc9ef4c5f9e24cc9006 Mon Sep 17 00:00:00 2001 From: "Thewes, Daniel" Date: Wed, 12 Jun 2024 15:47:33 +0200 Subject: [PATCH 080/146] Fixed double slash in ESET --- Targets/Antivirus/ESET.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Antivirus/ESET.tkape b/Targets/Antivirus/ESET.tkape index 197835fe2..a6c637444 100644 --- a/Targets/Antivirus/ESET.tkape +++ b/Targets/Antivirus/ESET.tkape @@ -33,7 +33,7 @@ Targets: - Name: SYSTEM user quarantine Category: Antivirus - Path: C:\\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\ + Path: C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\ Recursive: true # Documentation From 2f611d9257d7648658ea5554df2edcd64f1e99de Mon Sep 17 00:00:00 2001 
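Review bot: The entry collects only `IconCache.db` from the root of `AppData\Local\`; recent Windows versions also keep per-size icon caches (`iconcache_*.db`) under `AppData\Local\Microsoft\Windows\Explorer\`, which an examiner following the linked paper would presumably want as well. If they are in scope, add a second entry with `Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\Explorer\` and `FileMask: iconcache_*.db`. The entry also has no `Comment:` explaining the forensic use of the cache, and `Category: IconCache` is a new token specific to this file; both are worth a line in the Documentation block.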
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Wed, 12 Jun 2024 23:15:55 +0900 Subject: [PATCH 081/146] Add the no wizard flag for new hayabusa version --- Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape b/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape index 6c0b4abc7..ada648cc6 100644 --- a/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape +++ b/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape @@ -1,14 +1,14 @@ Description: Hayabusa a timeline generator for Windows event logs - Live Category: EventLogs Author: Georg Lauenstein (sure[secure]) -Version: 1.4 +Version: 1.5 Id: 9696412c-c973-4fd4-a426-06318011b8ba BinaryUrl: https://github.com/Yamato-Security/hayabusa/releases ExportFormat: csv Processors: - Executable: hayabusa\hayabusa.exe - CommandLine: csv-timeline --live-analysis --profile standard --min-level medium --quiet --UTC -o %destinationDirectory%\hayabusa_events_live_system.csv + CommandLine: csv-timeline --live-analysis --profile standard -w --min-level medium --quiet --UTC -o %destinationDirectory%\hayabusa_events_live_system.csv ExportFormat: csv # Documentation @@ -16,4 +16,4 @@ Processors: # Place "zip archive" file into "Modules\bin\hayabusa" and unpack # rename the hayabusa executable to hayabusa.exe # You can delete all except: "config"; "rules" and the "hayabusa.exe" -# For more options use: hayabusa.exe help +# For more options use: hayabusa.exe help \ No newline at end of file From 195a6e6da9f7b5d71c59cd22ad84214cbfa3a003 Mon Sep 17 00:00:00 2001 From: "Thewes, Daniel" Date: Wed, 12 Jun 2024 16:53:35 +0200 Subject: [PATCH 082/146] Add wow64 systemprofile --- Targets/Windows/CertUtil.tkape | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Targets/Windows/CertUtil.tkape b/Targets/Windows/CertUtil.tkape index e7a207176..a5f2f519e 100644 
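Review bot: The new `-w` switch is added to `CommandLine` without any Documentation note on why it is there or which Hayabusa release is required; a binary predating the interactive wizard will reject the unknown option and the module will silently produce no timeline. Add `# -w (--no-wizard) skips the interactive rule-selection wizard; requires a Hayabusa release that has it` under `# Documentation`, and consider stating the minimum version next to `BinaryUrl` so the version bump to 1.5 is traceable. The Documentation block itself continues in this commit's second hunk.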
--- a/Targets/Windows/CertUtil.tkape +++ b/Targets/Windows/CertUtil.tkape @@ -1,6 +1,6 @@ Description: Certutil -Author: NVISO (@NVISOsecurity) -Version: 1.0 +Author: NVISO (@NVISOsecurity), 2thewes +Version: 1.1 Id: ec903d15-64b5-4484-8786-94b2ad90bfb7 RecreateDirectories: true Targets: @@ -9,6 +9,11 @@ Targets: Category: FileKnowledge Path: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\ Recursive: true + - + Name: System WOW64 CryptnetUrlCache + Category: FileKnowledge + Path: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\ + Recursive: true - Name: User CryptnetUrlCache Category: FileKnowledge From 9cd7075179266b0e76ba51446837cb1569a27072 Mon Sep 17 00:00:00 2001 From: "Thewes, Daniel" Date: Wed, 12 Jun 2024 16:55:43 +0200 Subject: [PATCH 083/146] Add PS history for systemprofile --- Targets/Logs/PowerShellConsole.tkape | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/Targets/Logs/PowerShellConsole.tkape b/Targets/Logs/PowerShellConsole.tkape index f2872ee00..908fdc341 100644 --- a/Targets/Logs/PowerShellConsole.tkape +++ b/Targets/Logs/PowerShellConsole.tkape @@ -1,6 +1,6 @@ Description: PowerShell Console Log File -Author: Mike Cary -Version: 1.1 +Author: Mike Cary, 2thewes +Version: 1.2 Id: efa4332a-89eb-430c-ab61-006a9e6620d7 RecreateDirectories: true Targets: 
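Review bot: The new entry covers the WOW64 SYSTEM profile, but the service-account profiles under `C:\Windows\ServiceProfiles\LocalService\` and `C:\Windows\ServiceProfiles\NetworkService\` also carry an `AppData\LocalLow\Microsoft\CryptnetUrlCache\` tree, and processes running under those accounts write there rather than to systemprofile. If they are in scope, two further entries following the same pattern would complete the system-side coverage; the same consideration applies to the systemprofile PSReadLine entries added to PowerShellConsole.tkape in the next commit. The `User CryptnetUrlCache` entry's path is outside the hunk, so I cannot tell whether a wildcard there already reaches those profiles.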
@@ -9,6 +9,16 @@ Targets: Category: PowerShellConsoleLog Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ FileMask: '*_history.txt' + - + Name: PowerShell Console Log Systemprofile + Category: PowerShellConsoleLog + Path: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ + FileMask: '*_history.txt' + - + Name: PowerShell Console Log WOW64 Systemprofile + Category: PowerShellConsoleLog + Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ + FileMask: '*_history.txt' # Documentation # https://community.sophos.com/malware/b/blog/posts/powershell-command-history-forensics From 9a08dd2a56a8311ed5b869f8fff1440f2cf3db9e Mon Sep 17 00:00:00 2001 From: "Thewes, Daniel" Date: Wed, 12 Jun 2024 17:02:13 +0200 Subject: [PATCH 084/146] fixed indent --- Targets/Logs/PowerShellConsole.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Logs/PowerShellConsole.tkape b/Targets/Logs/PowerShellConsole.tkape index 908fdc341..dfe4e2d12 100644 --- a/Targets/Logs/PowerShellConsole.tkape +++ b/Targets/Logs/PowerShellConsole.tkape @@ -14,7 +14,7 @@ Targets: Category: PowerShellConsoleLog Path: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ FileMask: '*_history.txt' - - + - Name: PowerShell Console Log WOW64 Systemprofile Category: PowerShellConsoleLog Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ From ea776ec2e394887f2f178d4a646a886e89a31c56 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Thu, 13 Jun 2024 04:55:23 +0900 Subject: [PATCH 085/146] fix yaml-lint error --- Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape b/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape index ada648cc6..e1403027c 100644 --- a/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape +++ b/Modules/Apps/GitHub/Hayabusa/hayabusa_LiveResponse.mkape @@ -16,4 +16,4 @@ Processors: # Place "zip archive" file into "Modules\bin\hayabusa" and unpack # rename the hayabusa executable to hayabusa.exe # You can delete all except: "config"; "rules" and the "hayabusa.exe" -# For more options use: hayabusa.exe help \ No newline at end of file +# For more options use: hayabusa.exe help From 74423390a95fa71998ca63e4e7208b61e6a5278a Mon Sep 17 00:00:00 2001 From: Qazeer Date: Sat, 15 Jun 2024 23:21:10 +0200 Subject: [PATCH 086/146] Update PowerShell Transcripts default location --- Targets/Windows/PowerShellTranscripts.tkape | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Targets/Windows/PowerShellTranscripts.tkape b/Targets/Windows/PowerShellTranscripts.tkape index 7443b2b78..d4bc594c5 100644 --- a/Targets/Windows/PowerShellTranscripts.tkape +++ b/Targets/Windows/PowerShellTranscripts.tkape @@ -1,12 +1,17 @@ Description: PowerShell Transcripts Author: Andrew Rathbun and Chad Tilbury -Version: 1.0 +Version: 1.1 Id: 316cd490-7a40-4518-aade-1de070191f3d RecreateDirectories: true Targets: - Name: PowerShell Transcripts - Default Location Category: PowerShellTranscripts + Path: C:\Users\%user%\Documents\ + FileMask: 'PowerShell_transcript.*.txt' + - + Name: PowerShell Transcripts - Observed Location + Category: PowerShellTranscripts Path: C:\Users\%user%\Documents\20*\ FileMask: 'PowerShell_transcript.*.txt' - 
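Review bot: Both the new `Default Location` entry (`Documents\`) and the renamed `Observed Location` entry (`Documents\20*\`) are user-profile paths, so transcripts from SYSTEM-context sessions when the transcription policy is enabled — which presumably land under `C:\Windows\System32\config\systemprofile\Documents\` — are still not collected, even though the PowerShellConsole.tkape change on this page adds the systemprofile equivalents for console history. If confirmed, a further entry with `Path: C:\Windows\System32\config\systemprofile\Documents\`, `Recursive: true` and the same `FileMask` would close that gap. A policy-configured output directory can point anywhere and cannot be expressed as a fixed target; the Documentation block already acknowledges this, and a comment there pointing examiners at the policy setting would help.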
@@ -26,9 +31,11 @@ Targets: FileMask: 'PowerShell_transcript.*.txt' # Documentation +# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.host/start-transcript # https://lazyadmin.nl/powershell/start-transcript/ # https://www.stigviewer.com/stig/windows_10/2021-03-10/finding/V-230220 # https://www.itprotoday.com/powershell/how-use-automatic-powershell-transcription +# https://artefacts.help/windows_powershell_transcript.html # These logs appears when auditing is turned on via Group Policy or Start-Transcript is used during PowerShell execution # As more locations are observed, they will be added here -# Example location (default): c:\users\name\documents\20220301\PowerShell_transcript.DEVICENAME.qp9EOTN2.20220301132612.txt +# Example location: C:\Users\USERNAME\Documents\20220301\PowerShell_transcript.DEVICENAME.qp9EOTN2.20220301132612.txt From c6f0bbd14a318bbcfe4268b3c7d7c97e607759d5 Mon Sep 17 00:00:00 2001 From: Qazeer Date: Sun, 16 Jun 2024 01:03:47 +0200 Subject: [PATCH 087/146] Add PowerShell Transcripts to combined logs --- Targets/Compound/CombinedLogs.tkape | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Targets/Compound/CombinedLogs.tkape b/Targets/Compound/CombinedLogs.tkape index ade49fa1b..97c92ff15 100644 --- a/Targets/Compound/CombinedLogs.tkape +++ b/Targets/Compound/CombinedLogs.tkape @@ -1,6 +1,6 @@ Description: Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs -Author: Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs target -Version: 1.2 +Author: Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs and PowerShell Transcripts target +Version: 1.3 Id: d4fdd600-15b1-4b78-bc77-88e724861d8d RecreateDirectories: true Targets: 
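Review bot: The `Author:` line is extended to mention the PowerShell Transcripts target, but the `Description:` immediately above still lists only "Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs"; since the Description is what is shown when the compound target is selected, it should name the new component too, e.g. `Description: Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, PowerShell transcripts, and .NET CLR UsageLogs`. The `Author:` field is also accumulating a changelog that the `# v1.x` comments in this file's Documentation block already carry; crediting the contributor there and keeping `Author:` to names would be cleaner.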
@@ -16,6 +16,10 @@ Targets: Name: PowerShell Console Log Category: PowerShellConsoleLog Path: PowerShellConsole.tkape + - + Name: PowerShell Transcripts + Category: PowerShellTranscripts + Path: PowerShellTranscripts.tkape - Name: Windows Firewall Log Category: WindowsFirewallLogs @@ -32,3 +36,4 @@ Targets: # Documentation # v1.1 - Added the USBDevicelogs target # v1.2 - Added the .NET CLR UsageLogs target +# v1.3 - Added the PowerShell Transcripts target From 5a69ca47b749637e7f3466ea21b3ebd81ac82d7a Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Fri, 21 Jun 2024 21:52:01 -0400 Subject: [PATCH 088/146] Rename UsersFolders to UsersFolders.tkape --- Targets/Windows/{UsersFolders => UsersFolders.tkape} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Targets/Windows/{UsersFolders => UsersFolders.tkape} (100%) diff --git a/Targets/Windows/UsersFolders b/Targets/Windows/UsersFolders.tkape similarity index 100% rename from Targets/Windows/UsersFolders rename to Targets/Windows/UsersFolders.tkape From 17a70e65eb2dd34c9fb0ef65683833a0389b3686 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Sat, 22 Jun 2024 21:52:25 -0400 Subject: [PATCH 089/146] Update MFTECmd_$MFT_ProcessMFTSlack.mkape Fix the errant switch to `--rs`. Finally, this Module should be functional now! --- Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape b/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape index 8a622fcdd..90b3962f4 100644 --- a/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape +++ b/Modules/EZTools/MFTECmd/MFTECmd_$MFT_ProcessMFTSlack.mkape 
@@ -9,12 +9,12 @@ FileMask: $MFT Processors: - Executable: MFTECmd.exe - CommandLine: -f %sourceFile% --csv %destinationDirectory% -NEWSWITCH + CommandLine: -f %sourceFile% --csv %destinationDirectory% --rs ExportFormat: csv ExportFile: MFTFileSlack.txt - Executable: MFTECmd.exe - CommandLine: -f %sourceFile% --json %destinationDirectory% -NEWSWITCH + CommandLine: -f %sourceFile% --json %destinationDirectory% --rs ExportFormat: json ExportFile: MFTFileSlack.txt From 65451552eeae421077a629029fee84d5b57b06f5 Mon Sep 17 00:00:00 2001 From: 2thewes <48988711+2thewes@users.noreply.github.com> Date: Tue, 2 Jul 2024 14:18:03 +0200 Subject: [PATCH 090/146] Moved ExchangeTransport.tkape to Windows folder --- Targets/{Apps => Windows}/ExchangeTransport.tkape | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Targets/{Apps => Windows}/ExchangeTransport.tkape (100%) diff --git a/Targets/Apps/ExchangeTransport.tkape b/Targets/Windows/ExchangeTransport.tkape similarity index 100% rename from Targets/Apps/ExchangeTransport.tkape rename to Targets/Windows/ExchangeTransport.tkape From bf5d7e37fdfcdb3a4bdb07da3d74a280b37919e3 Mon Sep 17 00:00:00 2001 From: 2thewes <48988711+2thewes@users.noreply.github.com> Date: Tue, 2 Jul 2024 14:19:13 +0200 Subject: [PATCH 091/146] Add ExchangeSetup log --- Targets/Compound/Exchange.tkape | 6 +++++- Targets/Windows/ExchangeSetupLog.tkape | 16 ++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 Targets/Windows/ExchangeSetupLog.tkape diff --git a/Targets/Compound/Exchange.tkape b/Targets/Compound/Exchange.tkape index 77b8d9dff..d17a3b15b 100644 --- a/Targets/Compound/Exchange.tkape +++ b/Targets/Compound/Exchange.tkape @@ -1,6 +1,6 @@ Description: Exchange Log Files Author: Keith Twombley -Version: 1.0 +Version: 1.1 Id: 1b54aafe-5074-4d45-b129-29107ce7f863 RecreateDirectories: true Targets: 
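Review bot: Replacing the `-NEWSWITCH` placeholder with `--rs` on both processors changes what the module actually runs, yet the `Version:` header (above the hunk) is not bumped, while the Hayabusa module in this series bumps its version for a comparable `CommandLine` edit. Both processors also declare the same `ExportFile: MFTFileSlack.txt`; if KAPE writes each processor's output to that name the CSV and JSON runs will presumably collide, so confirm whether the JSON processor needs a distinct name. A Documentation comment stating what `--rs` produces would also help, since the commit message is the only place that explains the switch.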
@@ -12,6 +12,10 @@ Targets: Name: Exchange TransportRoles log files Category: Logs Path: ExchangeTransport.tkape + - + Name: Exchange Setup log file + Category: Logs + Path: ExchangeSetupLog.tkape # Documentation # N/A diff --git a/Targets/Windows/ExchangeSetupLog.tkape b/Targets/Windows/ExchangeSetupLog.tkape new file mode 100644 index 000000000..782a50cdb --- /dev/null +++ b/Targets/Windows/ExchangeSetupLog.tkape @@ -0,0 +1,16 @@ +Description: Exchange Setup Log +Author: 2thewes +Version: 1.0 +Id: 8becbf27-06bf-460c-a582-868db54359bf +RecreateDirectories: true +Targets: + - + Name: Exchange Setup Log file + Category: Logs + Path: C:\ExchangeSetupLogs\ + FileMask: "ExchangeSetup.log" + Comment: "The Exchange Setup log tracks the progress of every task during the Exchange installation and configuration." + +# Documentation +# https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/verify-installation#review-the-windows-application-log-and-the-exchange-setup-log +# https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ From 275ac1d548cec4be56eff7fc6aa0a3b522ec52eb Mon Sep 17 00:00:00 2001 From: Geir Olav Skei <59265829+godstoge@users.noreply.github.com> Date: Fri, 5 Jul 2024 16:12:29 +0200 Subject: [PATCH 092/146] Update UEMS.tkape Blog article about the log files --- Targets/Apps/UEMS.tkape | 1 + 1 file changed, 1 insertion(+) diff --git a/Targets/Apps/UEMS.tkape b/Targets/Apps/UEMS.tkape index 1b80c2b8c..f9e513189 100644 --- a/Targets/Apps/UEMS.tkape +++ b/Targets/Apps/UEMS.tkape @@ -27,3 +27,4 @@ Targets: # https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/ # https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/ # https://www.cybersecuritydive.com/news/cactus-ransomware-qlik-sense-cves/714578/ +# https://www.linkedin.com/pulse/wheres-my-logs-uems-zoho-meeting-edition-geir-olav-skei-ua2rfv 
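Review bot: `FileMask: "ExchangeSetup.log"` collects a single file from `C:\ExchangeSetupLogs\`, but that folder typically holds further setup artefacts (MSI logs and per-task logs) that matter when an unexpected installation or role change is being timelined — confirm against the linked Microsoft page. If they are wanted, `Recursive: true` with `FileMask: "*"` or a second entry for the other file types would cover them; otherwise a Documentation comment should say why only the main log is taken. The new file lives under Targets/Windows even though Exchange is an application; the preceding commit moves ExchangeTransport.tkape the same way, so a comment on the convention would help future contributors.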
From 1eb5ed0d37554e55aebfdb6b161b00161ea579af Mon Sep 17 00:00:00 2001 From: Geir Olav Skei <59265829+godstoge@users.noreply.github.com> Date: Fri, 5 Jul 2024 16:12:35 +0200 Subject: [PATCH 093/146] Update ZohoAssist.tkape Blog article about the log files --- Targets/Apps/ZohoAssist.tkape | 1 + 1 file changed, 1 insertion(+) diff --git a/Targets/Apps/ZohoAssist.tkape b/Targets/Apps/ZohoAssist.tkape index 0d590b5bf..88973c9b6 100644 --- a/Targets/Apps/ZohoAssist.tkape +++ b/Targets/Apps/ZohoAssist.tkape @@ -51,3 +51,4 @@ Targets: # Documentation # https://www.zoho.com/assist/kb/logs.html +# https://www.linkedin.com/pulse/wheres-my-logs-uems-zoho-meeting-edition-geir-olav-skei-ua2rf From d228510836f3dcad8bb53b592512912ec269601d Mon Sep 17 00:00:00 2001 From: Gos Date: Tue, 16 Jul 2024 14:52:06 +0200 Subject: [PATCH 094/146] MS --- Targets/Antivirus/MicrosoftSafetyScanner.tkape | 14 ++++++++++++++ Targets/Compound/Antivirus.tkape | 4 ++++ 2 files changed, 18 insertions(+) create mode 100644 Targets/Antivirus/MicrosoftSafetyScanner.tkape diff --git a/Targets/Antivirus/MicrosoftSafetyScanner.tkape b/Targets/Antivirus/MicrosoftSafetyScanner.tkape new file mode 100644 index 000000000..ae12db44c --- /dev/null +++ b/Targets/Antivirus/MicrosoftSafetyScanner.tkape @@ -0,0 +1,14 @@ +Description: Microsoft Safety Scanner +Author: Geir Olav Skei +Version: 1.0 +Id: 8e425594-c433-4017-adcd-f5bbcde12492 +RecreateDirectories: true +Targets: + - + Name: Windows Safety Scanner Logs + Category: Antivirus + Path: C:\Windows\Debug\ + FileMask: msert.log + +# Documentation +# https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download \ No newline at end of file diff --git a/Targets/Compound/Antivirus.tkape b/Targets/Compound/Antivirus.tkape index 8287b99c5..7e39cbdb0 100644 --- a/Targets/Compound/Antivirus.tkape +++ b/Targets/Compound/Antivirus.tkape 
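Review bot: The URL added here ends in `-ua2rf`, while the same article added to UEMS.tkape in the preceding commit ends in `-ua2rfv`; one of the two is truncated and will presumably not resolve. Verify the slug and use the identical string in both Documentation blocks.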
@@ -60,6 +60,10 @@ Targets: Name: McAfee ePO Category: Antivirus Path: McAfee_ePO.tkape + - + Name: Microsoft Safety Scanner + Category: Antivirus + Path: MicrosoftSafetyScanner.tkape - Name: RogueKiller Category: Antivirus From ec99015d8d2de075ea535ba2125e57a0f0f03e73 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 16 Jul 2024 23:53:36 -0400 Subject: [PATCH 095/146] Update MicrosoftSafetyScanner.tkape add newline --- Targets/Antivirus/MicrosoftSafetyScanner.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Antivirus/MicrosoftSafetyScanner.tkape b/Targets/Antivirus/MicrosoftSafetyScanner.tkape index ae12db44c..413226e19 100644 --- a/Targets/Antivirus/MicrosoftSafetyScanner.tkape +++ b/Targets/Antivirus/MicrosoftSafetyScanner.tkape @@ -11,4 +11,4 @@ Targets: FileMask: msert.log # Documentation -# https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download \ No newline at end of file +# https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download From 20787abe3f0d65ba8ba80fda8afb091509cc746d Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Thu, 18 Jul 2024 16:24:57 +1000 Subject: [PATCH 096/146] Update WindowsDefender.tkape --- Targets/Antivirus/WindowsDefender.tkape | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Targets/Antivirus/WindowsDefender.tkape b/Targets/Antivirus/WindowsDefender.tkape index d93c821c6..e18d00f36 100644 --- a/Targets/Antivirus/WindowsDefender.tkape +++ b/Targets/Antivirus/WindowsDefender.tkape @@ -44,6 +44,11 @@ Targets: Category: Antivirus Path: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ Recursive: true + - + Name: Windows Defender Detections.log + Category: Antivirus + Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\ + FileMask: Detections.log # Documentation # https://knez.github.io/posts/how-to-extract-quarantine-files-from-windows-defender/ 
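Review bot: The new Detections.log target in WindowsDefender.tkape is added without bumping `Version:` in the file header, whereas the other target-list edits in this series do (RemoteAdmin 1.9→2.0, !EZParser 1.4→1.5); the diffstat of 5 insertions and 0 deletions confirms the header was not touched. A Comment line would also help, e.g. `Comment: "Detection history log written by the Defender service"` (hedged, since the log's contents are not shown here). The file header sits outside this hunk.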
From 6268e1c0b289d46532e6e4bbe594efeb850e5af2 Mon Sep 17 00:00:00 2001 From: reece394 <31659691+reece394@users.noreply.github.com> Date: Sat, 20 Jul 2024 22:24:39 +0100 Subject: [PATCH 097/146] Migrate RECmd_Kroll to RECmd_DFIRBatch --- Modules/Compound/!EZParser.mkape | 4 ++-- Modules/Compound/RECmd_AllBatchFiles.mkape | 4 ++-- .../RECmd/{RECmd_Kroll.mkape => RECmd_DFIRBatch.mkape} | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) rename Modules/EZTools/RECmd/{RECmd_Kroll.mkape => RECmd_DFIRBatch.mkape} (76%) diff --git a/Modules/Compound/!EZParser.mkape b/Modules/Compound/!EZParser.mkape index 3d083a7d5..61e0b4796 100644 --- a/Modules/Compound/!EZParser.mkape +++ b/Modules/Compound/!EZParser.mkape @@ -1,7 +1,7 @@ Description: Eric Zimmerman Parsers Category: Modules Author: Phill Moore -Version: 1.4 +Version: 1.5 Id: f531e7cc-c9f3-4d04-881b-dbc89d1e7f38 BinaryUrl: https://ericzimmerman.github.io/ ExportFormat: csv @@ -43,7 +43,7 @@ Processors: CommandLine: "" ExportFormat: "" - - Executable: RECmd_Kroll.mkape + Executable: RECmd_DFIRBatch.mkape CommandLine: "" ExportFormat: "" - diff --git a/Modules/Compound/RECmd_AllBatchFiles.mkape b/Modules/Compound/RECmd_AllBatchFiles.mkape index 43b7dda45..0b04319c3 100644 --- a/Modules/Compound/RECmd_AllBatchFiles.mkape +++ b/Modules/Compound/RECmd_AllBatchFiles.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: All RECmd Batch Output' Category: Registry Author: Andrew Rathbun -Version: 1.1 +Version: 1.2 Id: f2c9c95d-375e-4fb7-b069-7e9b95ea6db5 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip ExportFormat: csv @@ -23,7 +23,7 @@ Processors: CommandLine: "" ExportFormat: "" - - Executable: RECmd_Kroll.mkape + Executable: RECmd_DFIRBatch.mkape CommandLine: "" ExportFormat: "" - 
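Review bot: The `Executable:` reference is switched to RECmd_DFIRBatch.mkape in these two compound modules, but the diffstat touches only three files, so any other compound module or README that still names RECmd_Kroll.mkape would now point at a file that no longer exists — worth a repository-wide search before merging. The Version bumps (1.4→1.5, 1.1→1.2) are consistent with how the rest of the series treats changes to module lists.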
diff --git a/Modules/EZTools/RECmd/RECmd_Kroll.mkape b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape similarity index 76% rename from Modules/EZTools/RECmd/RECmd_Kroll.mkape rename to Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape index 6b76adc20..16c199ab1 100644 --- a/Modules/EZTools/RECmd/RECmd_Kroll.mkape +++ b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape @@ -1,14 +1,14 @@ -Description: 'RECmd: Kroll' +Description: 'RECmd: DFIR' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 26e4a8f6-d745-4195-8b8e-563cf32a4952 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv Processors: - Executable: RECmd\RECmd.exe - CommandLine: -d %sourceDirectory% --bn BatchExamples\Kroll_Batch.reb --nl false --csv %destinationDirectory% + CommandLine: -d %sourceDirectory% --bn BatchExamples\DFIRBatch.reb --nl false --csv %destinationDirectory% ExportFormat: csv # Documentation @@ -20,5 +20,5 @@ Processors: # https://www.youtube.com/watch?v=tk9XsMHzPlM # https://www.youtube.com/watch?v=GhCZfCzn2l0 # https://leanpub.com/eztoolsmanuals -# Uses the Kroll batch command file. This file should reside within KAPE\Module\bin\RECmd\BatchExamples. +# Uses the DFIR batch command file. This file should reside within KAPE\Module\bin\RECmd\BatchExamples. # Note: --nl false replays transaction logs. If you don't want to replay transaction logs, change to --nl true. From 2e4608dd625378f836bffa84bd7e06c56bb11002 Mon Sep 17 00:00:00 2001 From: reece394 <31659691+reece394@users.noreply.github.com> Date: Sat, 3 Aug 2024 14:22:43 +0100 Subject: [PATCH 098/146] Add additional FileMask to MFTECmd_$J.mkape --- Modules/EZTools/MFTECmd/MFTECmd_$J.mkape | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape b/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape index c622cda99..451c266d9 100644 --- a/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape +++ b/Modules/EZTools/MFTECmd/MFTECmd_$J.mkape 
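Review bot: The CommandLine now depends on `BatchExamples\DFIRBatch.reb` being present in the RECmd distribution fetched from BinaryUrl, and nothing in the module records which RECmd release first shipped the renamed batch file; an analyst with an older RECmd in the bin folder would get a run-time failure with no hint in the .mkape. A Documentation line such as `# Requires an RECmd release that ships BatchExamples\DFIRBatch.reb (formerly Kroll_Batch.reb)` makes the prerequisite explicit. `Description: 'RECmd: DFIR'` could also mirror the batch name (`'RECmd: DFIRBatch'`), as the other RECmd modules in this series do with theirs.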
@@ -1,11 +1,11 @@ Description: 'MFTECmd: process $J / $UsnJrnl$J files' Category: FileSystem -Author: Eric Zimmerman, Thomas DIOT -Version: 1.1 +Author: Eric Zimmerman, Thomas DIOT, Reece394 +Version: 1.2 Id: 5ef67a6b-5895-46bb-af2a-3339a3227e25 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/MFTECmd.zip ExportFormat: csv -FileMask: '$UsnJrnl%3A$J|$J|UsnJrnl-J' +FileMask: '$UsnJrnl%3A$J|$J|UsnJrnl-J|$UsnJrnl_*.bin' Processors: - Executable: MFTECmd.exe From 17c18772b31b7ad330876e5efeba1b4f066b1582 Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Fri, 16 Aug 2024 20:15:06 +1000 Subject: [PATCH 099/146] add block parser --- Modules/Apps/block-parser-zipped.mkape | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Modules/Apps/block-parser-zipped.mkape diff --git a/Modules/Apps/block-parser-zipped.mkape b/Modules/Apps/block-parser-zipped.mkape new file mode 100644 index 000000000..af92c7c65 --- /dev/null +++ b/Modules/Apps/block-parser-zipped.mkape @@ -0,0 +1,15 @@ +Description: Block Parser Zipped +Category: EventLogs +Author: Phill Moore +Version: 1.0 +Id: cb817a29-bab0-4051-ac7d-7019d6e2ac65 +BinaryUrl: https://github.com/randomaccess3/block-parser +ExportFormat: zip +Processors: + - + Executable: block-parser.exe + CommandLine: -o %destinationDirectory% -z "%sourceDirectory%\Windows\system32\winevt\logs\Microsoft-Windows-PowerShell%4Operational.evtx + ExportFormat: zip + +# Documentation +# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html \ No newline at end of file From f7237d4df0fee56326e80a5811120fa762ac8098 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Fri, 16 Aug 2024 08:09:54 -0400 Subject: [PATCH 100/146] Update block-parser-zipped.mkape add newline --- Modules/Apps/block-parser-zipped.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
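Review bot: The added mask `$UsnJrnl_*.bin` is not explained anywhere in the module, and it is not clear which producer emits journal extracts with that naming — presumably an export or carving tool, to be confirmed. A Documentation line such as `# $UsnJrnl_*.bin matches journal extracts produced by <tool name>` with the tool filled in keeps the mask from looking arbitrary to the next maintainer. The Processors and Documentation sections of MFTECmd_$J.mkape continue outside this hunk.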
diff --git a/Modules/Apps/block-parser-zipped.mkape b/Modules/Apps/block-parser-zipped.mkape index af92c7c65..013a188aa 100644 --- a/Modules/Apps/block-parser-zipped.mkape +++ b/Modules/Apps/block-parser-zipped.mkape @@ -12,4 +12,4 @@ Processors: ExportFormat: zip # Documentation -# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html \ No newline at end of file +# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html From 59a458660250405215c87929c00d06429d394928 Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Sat, 17 Aug 2024 23:06:05 +1000 Subject: [PATCH 101/146] Add itarian --- Targets/Apps/ITarian.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 Targets/Apps/ITarian.yml diff --git a/Targets/Apps/ITarian.yml b/Targets/Apps/ITarian.yml new file mode 100644 index 000000000..66bd003a3 --- /dev/null +++ b/Targets/Apps/ITarian.yml @@ -0,0 +1,30 @@ +Description: ITarian RMM +Author: Phill Moore +Version: 1.0 +Id: aa387dbf-3326-a9c7-4d61-7d62197341a3 +RecreateDirectories: true +Targets: + - + Name: ITarian + Category: Apps + Path: C:\Program Files\ITarian\Endpoint Manager\rmmlogs + Comment: "" + - + Name: ITarian + Category: Apps + Path: C:\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs + Comment: "" + - + Name: Comodo + Category: Apps + Path: C:\Program Files\Comodo\Endpoint Manager\rmmlogs + Comment: "" + - + Name: ITarian + Category: Apps + Path: C:\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs + Comment: "" + + +# Documentation +# https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader \ No newline at end of file From b14d3a1926ad929d6a478d8e2022672f8823e5bc Mon Sep 17 00:00:00 2001 From: Phill Moore Date: Sat, 17 Aug 2024 23:07:13 +1000 Subject: [PATCH 102/146] Update RemoteAdmin.tkape --- Targets/Compound/RemoteAdmin.tkape | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
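Review bot: In the new ITarian.yml the fourth entry is named `ITarian` although its Path is the Comodo program-files location, while the third entry with the equivalent 64-bit Comodo path is named `Comodo`; the entry for `C:\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs` should read `Name: Comodo` so each entry is labelled by the vendor whose path it collects. All four `Comment: ""` fields are empty; one line per entry such as `Comment: "ITarian/Comodo Endpoint Manager RMM agent logs"` would document what is gathered. The `.yml` extension is also out of step with the `.tkape` targets elsewhere in the series (a later patch renames it).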
diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape index 244cea2e5..1dc0e44b1 100644 --- a/Targets/Compound/RemoteAdmin.tkape +++ b/Targets/Compound/RemoteAdmin.tkape @@ -1,6 +1,6 @@ Description: Composite target for files related to remote administration tools -Author: Drew Ervin, Mathias Frank, Andrew Rathbun -Version: 1.9 +Author: Drew Ervin, Mathias Frank, Andrew Rathbun, Phill Moore +Version: 2.0 Id: 31cf5a4e-c44c-4457-b11f-74dca73e141b RecreateDirectories: true Targets: @@ -28,6 +28,10 @@ Targets: Name: ISLOnline Category: ApplicationLogs Path: ISLOnline.tkape + - + Name: ITarian + Category: ApplicationLogs + Path: ITarian.tkape - Name: Kaseya Category: ApplicationLogs From 4c7179aff959acd050b8df8c0467a36aede58b8d Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Sat, 17 Aug 2024 11:17:53 -0400 Subject: [PATCH 103/146] Update ITarian.yml linter fixes --- Targets/Apps/ITarian.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Targets/Apps/ITarian.yml b/Targets/Apps/ITarian.yml index 66bd003a3..c2ed4aedd 100644 --- a/Targets/Apps/ITarian.yml +++ b/Targets/Apps/ITarian.yml @@ -25,6 +25,5 @@ Targets: Path: C:\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs Comment: "" - # Documentation -# https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader \ No newline at end of file +# https://russianpanda.com/The-Abuse-of-ITarian-RMM-by-Dolphin-Loader From aadacc78dd26924bc432cdd592d5f956f355a894 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Sat, 17 Aug 2024 11:18:22 -0400 Subject: [PATCH 104/146] Rename ITarian.yml to ITarian.tkape --- Targets/Apps/{ITarian.yml => ITarian.tkape} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Targets/Apps/{ITarian.yml => ITarian.tkape} (100%) 
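Review bot: The new compound entry points at `ITarian.tkape`, but the file introduced two patches earlier in this series is `Targets/Apps/ITarian.yml`; at this commit the reference resolves to nothing, and the RemoteAdmin compound target would skip or fail on the ITarian entry depending on how KAPE treats a missing sub-target. Patch 104 later in the series renames the file, but the rename should precede or accompany this change so every commit is runnable. The Version 1.9→2.0 and author update are consistent with the series.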
diff --git a/Targets/Apps/ITarian.yml b/Targets/Apps/ITarian.tkape similarity index 100% rename from Targets/Apps/ITarian.yml rename to Targets/Apps/ITarian.tkape From 012507d668c5e9f2ef1ae31c85e01f274f6da672 Mon Sep 17 00:00:00 2001 From: reece394 <31659691+reece394@users.noreply.github.com> Date: Sat, 17 Aug 2024 19:43:32 +0100 Subject: [PATCH 105/146] Fixes Block Parser to be path independent --- Modules/Apps/block-parser-zipped.mkape | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Modules/Apps/block-parser-zipped.mkape b/Modules/Apps/block-parser-zipped.mkape index 013a188aa..d5351e224 100644 --- a/Modules/Apps/block-parser-zipped.mkape +++ b/Modules/Apps/block-parser-zipped.mkape @@ -1,14 +1,15 @@ Description: Block Parser Zipped Category: EventLogs -Author: Phill Moore -Version: 1.0 +Author: Phill Moore, Reece394 +Version: 1.1 Id: cb817a29-bab0-4051-ac7d-7019d6e2ac65 BinaryUrl: https://github.com/randomaccess3/block-parser +FileMask: "Microsoft-Windows-PowerShell%4Operational.evtx" ExportFormat: zip Processors: - Executable: block-parser.exe - CommandLine: -o %destinationDirectory% -z "%sourceDirectory%\Windows\system32\winevt\logs\Microsoft-Windows-PowerShell%4Operational.evtx + CommandLine: -o %destinationDirectory% -z %sourceFile% ExportFormat: zip # Documentation From 98841dc55bb3fb6744e6f17275a54c6c2fcb1613 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sun, 25 Aug 2024 00:48:15 +0200 Subject: [PATCH 106/146] Session App Kape Module --- Targets/Apps/Session.tkape | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 Targets/Apps/Session.tkape diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape new file mode 100644 index 000000000..b9950a8ca --- /dev/null +++ b/Targets/Apps/Session.tkape 
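Review bot: `%sourceFile%` is passed to `-z` unquoted in block-parser-zipped.mkape, so a source path containing a space may be split into separate arguments depending on how KAPE builds the process command line; the previous revision quoted the path (with an unbalanced `"`), and `-z "%sourceFile%"` keeps that protection without the stray quote. Adding `FileMask` and switching to `%sourceFile%` does make the module path-independent as the commit intends, and the Version bump is consistent with the series.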
@@ -0,0 +1,16 @@ +Description: Session Desktop +Author: Vito Alfano +Version: 1.0 +Id: c6633dbf-caea-48dc-90a0-25add823134d +RecreateDirectories: true +Targets: + - + Name: Session App Folder + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Session\ + Recursive: true + Comment: "Telegram app folder structure" + + +# +# From a46b7806e45faff391b8e6184799fca0164a5800 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sun, 25 Aug 2024 00:50:29 +0200 Subject: [PATCH 107/146] Session Desktop App module --- Targets/Apps/Session.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape index b9950a8ca..d1ec37d2e 100644 --- a/Targets/Apps/Session.tkape +++ b/Targets/Apps/Session.tkape @@ -9,7 +9,7 @@ Targets: Category: Apps Path: C:\Users\%user%\AppData\Roaming\Session\ Recursive: true - Comment: "Telegram app folder structure" + Comment: "Session App Folder" # From ddd669884c5cd954a7fd073f6aeb4a968b7b30ed Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sun, 25 Aug 2024 00:52:03 +0200 Subject: [PATCH 108/146] Delete Targets/Apps/Session.tkape --- Targets/Apps/Session.tkape | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 Targets/Apps/Session.tkape diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape deleted file mode 100644 index d1ec37d2e..000000000 --- a/Targets/Apps/Session.tkape +++ /dev/null @@ -1,16 +0,0 @@ -Description: Session Desktop -Author: Vito Alfano -Version: 1.0 -Id: c6633dbf-caea-48dc-90a0-25add823134d -RecreateDirectories: true -Targets: - - - Name: Session App Folder - Category: Apps - Path: C:\Users\%user%\AppData\Roaming\Session\ - Recursive: true - Comment: "Session App Folder" - - -# -# From edc3bf78183cb34460526a85d707a35cc0c98f08 Mon Sep 17 00:00:00 2001 
From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sun, 25 Aug 2024 00:53:18 +0200 Subject: [PATCH 109/146] Session Desktop Kape Target Module --- Targets/Apps/Session.tkape | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 Targets/Apps/Session.tkape diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape new file mode 100644 index 000000000..d1ec37d2e --- /dev/null +++ b/Targets/Apps/Session.tkape @@ -0,0 +1,16 @@ +Description: Session Desktop +Author: Vito Alfano +Version: 1.0 +Id: c6633dbf-caea-48dc-90a0-25add823134d +RecreateDirectories: true +Targets: + - + Name: Session App Folder + Category: Apps + Path: C:\Users\%user%\AppData\Roaming\Session\ + Recursive: true + Comment: "Session App Folder" + + +# +# From 3057e89870f3503e857a8c64583dd7929637138a Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sun, 25 Aug 2024 00:56:06 +0200 Subject: [PATCH 110/146] Update Session.tkape --- Targets/Apps/Session.tkape | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape index d1ec37d2e..0dca1b80d 100644 --- a/Targets/Apps/Session.tkape +++ b/Targets/Apps/Session.tkape @@ -10,7 +10,5 @@ Targets: Path: C:\Users\%user%\AppData\Roaming\Session\ Recursive: true Comment: "Session App Folder" - - -# +# # From 349ac80ef49bb7041faeaec4df63f640232cd048 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sun, 25 Aug 2024 00:58:40 +0200 Subject: [PATCH 111/146] Session Desktop App target --- Targets/Apps/Session.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape index 0dca1b80d..31ec2da86 100644 --- a/Targets/Apps/Session.tkape +++ b/Targets/Apps/Session.tkape @@ -10,5 +10,5 @@ Targets: Path: C:\Users\%user%\AppData\Roaming\Session\ Recursive: true Comment: "Session App Folder" + # -# 
From 1d6230ba2ffc13a907b8c12779780f214c740f41 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Sat, 24 Aug 2024 21:05:33 -0400 Subject: [PATCH 112/146] Update Session.tkape --- Targets/Apps/Session.tkape | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Targets/Apps/Session.tkape b/Targets/Apps/Session.tkape index 31ec2da86..530c1dbf1 100644 --- a/Targets/Apps/Session.tkape +++ b/Targets/Apps/Session.tkape @@ -11,4 +11,5 @@ Targets: Recursive: true Comment: "Session App Folder" -# +# Documentation +# N/A From 1b2968c718b483c5cb405d61ed03b68658b5ae0b Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sat, 31 Aug 2024 18:58:43 +0000 Subject: [PATCH 113/146] Winscp Session registry key extraction module Module to extract WinScp sessions registry key to be decrypted with https://github.com/XMCyber/XMCredentialsDecryptor --- Modules/Apps/WinSCP_Session.mkape | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 Modules/Apps/WinSCP_Session.mkape diff --git a/Modules/Apps/WinSCP_Session.mkape b/Modules/Apps/WinSCP_Session.mkape new file mode 100644 index 000000000..477dcc164 --- /dev/null +++ b/Modules/Apps/WinSCP_Session.mkape @@ -0,0 +1,17 @@ +Description: Module to extract a copy of WinSCP encrypted credentials +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: e00dac99-3a59-4c59-911c-95eda1769250 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions" %destinationDirectory%\winscp2_sessions_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor + + From b3af77ec68c77bb354a6d9bd643e75fdc984ac30 Mon Sep 17 00:00:00 2001 
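Review bot: `reg export "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"` reads the hive of the account KAPE itself runs under, which in live response is usually the responder's elevated account rather than the user whose WinSCP sessions are of interest, so the module captures nothing or the wrong profile unless it is run in that user's context. Either document this in the header (e.g. `# Exports HKCU of the account running KAPE; for other profiles collect that user's NTUSER.DAT with a registry-hive target instead`) or address the subtree under `HKEY_USERS\<SID>` for the profile of interest. The same limitation applies to the three MobaXterm modules added in patches 115, 117 and 118 of this series, which export `HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\...` the same way. The `%destinationDirectory%\winscp2_sessions_key.txt` argument is also unquoted, so a destination path with spaces would break `reg export`. Because the exported keys hold stored credential material, the output should be handled as sensitive evidence.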
From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sat, 31 Aug 2024 19:04:36 +0000 Subject: [PATCH 114/146] Update WinSCP_Session.mkape --- Modules/Apps/WinSCP_Session.mkape | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Modules/Apps/WinSCP_Session.mkape b/Modules/Apps/WinSCP_Session.mkape index 477dcc164..6629e04af 100644 --- a/Modules/Apps/WinSCP_Session.mkape +++ b/Modules/Apps/WinSCP_Session.mkape @@ -1,4 +1,4 @@ -Description: Module to extract a copy of WinSCP encrypted credentials +Description: Module to extract a copy of WinSCP encrypted credentials Category: Live Response Author: Vito Alfano Version: 1.0 @@ -13,5 +13,3 @@ Processors: # Documentation # https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ # https://github.com/XMCyber/XMCredentialsDecryptor - - From bd5669709c6f177002185b18f999be71449aaf9c Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sat, 31 Aug 2024 19:06:46 +0000 Subject: [PATCH 115/146] Module to extract MobaXterm Master Password Module to extract MobaXterm Master Password to be decrypted with https://github.com/XMCyber/XMCredentialsDecryptor --- Modules/Apps/MobaXterm_Master_Pass.mkape | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Modules/Apps/MobaXterm_Master_Pass.mkape diff --git a/Modules/Apps/MobaXterm_Master_Pass.mkape b/Modules/Apps/MobaXterm_Master_Pass.mkape new file mode 100644 index 000000000..002721495 --- /dev/null +++ b/Modules/Apps/MobaXterm_Master_Pass.mkape 
@@ -0,0 +1,15 @@ +Description: Module to extract a copy of MobaXterm encrypted master password +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: 4ca41e3e-918e-419f-b7cf-22a8cdb1da0f +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\M" %destinationDirectory%\Mobaterm_MasterPass_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor From 4ec6ad387a73a7240b331609312da08b728b7f21 Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sat, 31 Aug 2024 19:08:06 +0000 Subject: [PATCH 116/146] Update MobaXterm_Master_Pass.mkape Fixed Typo error --- Modules/Apps/MobaXterm_Master_Pass.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Apps/MobaXterm_Master_Pass.mkape b/Modules/Apps/MobaXterm_Master_Pass.mkape index 002721495..95e8a4af4 100644 --- a/Modules/Apps/MobaXterm_Master_Pass.mkape +++ b/Modules/Apps/MobaXterm_Master_Pass.mkape @@ -1,4 +1,4 @@ -Description: Module to extract a copy of MobaXterm encrypted master password +Description: Module to extract a copy of MobaXterm encrypted master password Category: Live Response Author: Vito Alfano Version: 1.0 From 627e86b57aa34bfc88b1a7fd792039c796c7ceef Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sat, 31 Aug 2024 19:15:33 +0000 Subject: [PATCH 117/146] Module MobaXTerm Password Extraction --- Modules/Apps/MobaXterm_Passwords_key.mkape | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Modules/Apps/MobaXterm_Passwords_key.mkape diff --git a/Modules/Apps/MobaXterm_Passwords_key.mkape b/Modules/Apps/MobaXterm_Passwords_key.mkape new file mode 100644 index 000000000..43e39b0b3 --- /dev/null +++ b/Modules/Apps/MobaXterm_Passwords_key.mkape 
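Review bot: The output file name `Mobaterm_MasterPass_key.txt` misspells the product; the same typo in MobaXterm_Passwords_key.mkape is corrected to `MobaXterm_Pass_key.txt` by patch 119 later in this series, but MobaXterm_Master_Pass.mkape is not touched by that fix, and patch 116 only trims the Description. Renaming to `MobaXterm_MasterPass_key.txt` keeps the three MobaXterm exports consistently named (the Credentials module already uses the `MobaXterm_` prefix).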
@@ -0,0 +1,15 @@ +Description: Module to extract a copy of MobaXterm encrypted passwords +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: a7473175-e108-4b93-81cb-49c6e7d37ff9 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\Mobaterm_Pass_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor From a969752598bf692532cb419e6d0f21df8694185d Mon Sep 17 00:00:00 2001 From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sat, 31 Aug 2024 19:17:11 +0000 Subject: [PATCH 118/146] Module MobaXTerm Credentials Extraction --- Modules/Apps/MobaXterm_Credentials_key.mkape | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Modules/Apps/MobaXterm_Credentials_key.mkape diff --git a/Modules/Apps/MobaXterm_Credentials_key.mkape b/Modules/Apps/MobaXterm_Credentials_key.mkape new file mode 100644 index 000000000..930d8fa11 --- /dev/null +++ b/Modules/Apps/MobaXterm_Credentials_key.mkape @@ -0,0 +1,15 @@ +Description: Module to extract a copy of MobaXterm encrypted credentials +Category: Live Response +Author: Vito Alfano +Version: 1.0 +Id: 1dc46684-fee1-40ab-9a25-216ec41df4a9 +ExportFormat: txt +Processors: + - + Executable: C:\Windows\System32\cmd.exe + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\C" %destinationDirectory%\MobaXterm_Credentials_key.txt + ExportFormat: txt + +# Documentation +# https://xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/ +# https://github.com/XMCyber/XMCredentialsDecryptor From 20c2ef24f3506b519cc7f97002d40fdd156359e1 Mon Sep 17 00:00:00 2001 
From: V <45754825+vxsh4d0w@users.noreply.github.com> Date: Sat, 31 Aug 2024 19:18:08 +0000 Subject: [PATCH 119/146] Update MobaXterm_Passwords_key.mkape Fix Typo Error --- Modules/Apps/MobaXterm_Passwords_key.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Apps/MobaXterm_Passwords_key.mkape b/Modules/Apps/MobaXterm_Passwords_key.mkape index 43e39b0b3..22c7ccfe7 100644 --- a/Modules/Apps/MobaXterm_Passwords_key.mkape +++ b/Modules/Apps/MobaXterm_Passwords_key.mkape @@ -7,7 +7,7 @@ ExportFormat: txt Processors: - Executable: C:\Windows\System32\cmd.exe - CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\Mobaterm_Pass_key.txt + CommandLine: /c reg export "HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P" %destinationDirectory%\MobaXterm_Pass_key.txt ExportFormat: txt # Documentation From 9ec122c2e488de3e8048fa6c9dff842f99084d00 Mon Sep 17 00:00:00 2001 From: reece394 <31659691+reece394@users.noreply.github.com> Date: Sat, 31 Aug 2024 21:25:22 +0100 Subject: [PATCH 120/146] Add ConsoleLog for RECmd --- Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_UserActivity.mkape | 3 ++- Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape | 3 ++- 13 files changed, 26 insertions(+), 13 deletions(-) 
diff --git a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape index 0b8715206..568663634 100644 --- a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape +++ b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: AllRegExecutablesFoundOrRun' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 23cfcb78-60bb-4b2a-a7a4-b256f42fb83b BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\AllRegExecutablesFoundOrRun.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape index 706be36e2..9d929c32c 100644 --- a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape +++ b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: BCDBootVolume' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 4de3e322-491d-44a2-a870-edf0387b41b4 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BCDBootVolume.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape index 0645e0f8f..477b3b5c5 100644 --- a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape +++ b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape 
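Review bot: All thirteen RECmd modules in this patch add the identical `ExportFile: RECmdConsoleLog.txt`, and every one of them declares `Category: Registry`, so when several run into the same module destination (for example through the RECmd_AllBatchFiles compound module) they would target the same file name; whether KAPE renames on collision or overwrites is not visible here and should be confirmed. A per-module name such as `ExportFile: RECmd_AllRegExecutablesFoundOrRun_ConsoleLog.txt` avoids the question and makes it obvious which batch produced a given console log. The same applies to the other twelve hunks in this patch (BCDBootVolume, BasicSystemInfo, DFIRBatch, InstalledSoftware, RECmd_Batch_MC, RegistryASEPs, SoftwareASEPs, SoftwareClassesASEPs, SoftwareWoW6432ASEPs, SystemASEPs, UserActivity, UserClassesASEPs).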
@@ -1,7 +1,7 @@ Description: 'RECmd: BasicSystemInfo' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: e6da3300-447a-4912-9689-7d0679cae71b BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BasicSystemInfo.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape index 16c199ab1..12e859e50 100644 --- a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape +++ b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: DFIR' Category: Registry Author: Andrew Rathbun -Version: 1.1 +Version: 1.2 Id: 26e4a8f6-d745-4195-8b8e-563cf32a4952 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\DFIRBatch.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape index 1eb64f35e..d6f98f7c6 100644 --- a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape +++ b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: InstalledSoftware' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 82d89b1d-19c1-439b-a30d-2f8659adf691 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv 
@@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\InstalledSoftware.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape index 6179a714b..9e31af54b 100644 --- a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape +++ b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: RECmd_Batch_MC' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 8690f004-a406-40c9-b566-2fdf5f106209 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RECmd_Batch_MC.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape index 80199e0e7..13760c24b 100644 --- a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: RegistryASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 176dd6af-4077-42ee-af03-1020768149ff BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RegistryASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd 
diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape index 1d9f7879d..53bcb64ea 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: SoftwareASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 193817d5-85a1-4dbb-b8e0-61693d2deebc BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape index d62561d57..fabf9622d 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: SoftwareClassesASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 0e38b045-6512-41c2-962f-49a9da37b02f BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape index dc0c5ccf9..47c909149 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape 
@@ -1,7 +1,7 @@ Description: 'RECmd: SoftwareWoW6432ASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 63e39ae3-63c3-44c8-86ac-fb7ac4365d7b BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareWoW6432ASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape index 2a3114283..be0f61bac 100644 --- a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: SystemASEPs' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 3ef19b6e-3489-44ee-a5fa-0245fd54ecd1 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SystemASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape index 1577cd6d6..e3849a714 100644 --- a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: UserActivity' Category: Registry Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 05db97da-327b-46d0-942c-a468c087c09c BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv 
@@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserActivity.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape index edd8f20e0..ae2a0b8fa 100644 --- a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape @@ -1,7 +1,7 @@ Description: 'RECmd: UserClassesASEPs' Category: Registry Author: Andreas Hunkeler (@Karneades) -Version: 1.0 +Version: 1.1 Id: df3d2d54-dda9-49fb-a427-c9d8348b375d BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/RECmd.zip ExportFormat: csv @@ -10,6 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv + ExportFile: RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd From 5d26ad1d8439ce9a7aaa317c4e6ef25c73279be7 Mon Sep 17 00:00:00 2001 
From: reece394 <31659691+reece394@users.noreply.github.com> Date: Sat, 31 Aug 2024 23:33:01 +0100 Subject: [PATCH 121/146] Make ExportFile Names Unique --- Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape | 2 +- Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape | 2 +- Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape | 2 +- Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape | 2 +- Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape | 2 +- Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape | 2 +- Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_UserActivity.mkape | 2 +- Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape index 568663634..7db253c0e 100644 --- a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape +++ b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\AllRegExecutablesFoundOrRun.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_AllRegExecutablesFoundOrRun_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape index 9d929c32c..7bd8273e2 100644 --- a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape +++ b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BCDBootVolume.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_BCDBootVolume_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape index 477b3b5c5..0182a3a02 100644 --- a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape +++ b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BasicSystemInfo.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_BasicSystemInfo_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape index 12e859e50..e8a9662f3 100644 --- a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape +++ b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\DFIRBatch.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_DFIRBatch_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape index d6f98f7c6..78afa9949 100644 --- a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape +++ b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\InstalledSoftware.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_InstalledSoftware_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape index 9e31af54b..0b01eca10 100644 --- a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape +++ b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RECmd_Batch_MC.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_RECmd_Batch_MC_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape index 13760c24b..f4121fd85 100644 --- a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RegistryASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_RegistryASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape index 53bcb64ea..aa47c2d37 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_SoftwareASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape index fabf9622d..d09521c95 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_SoftwareClassesASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape index 47c909149..e2855a1fc 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareWoW6432ASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_SoftwareWoW6432ASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape index be0f61bac..533cb6acb 100644 --- a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SystemASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_SystemASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape index e3849a714..996cc74af 100644 --- a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserActivity.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_UserActivity_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape index ae2a0b8fa..366e7a652 100644 --- a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmdConsoleLog.txt + ExportFile: %d%_UserClassesASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd From 788ebb92285680dec79e3d70226a4799cb8bc305 Mon Sep 17 00:00:00 2001 
From: reece394 <31659691+reece394@users.noreply.github.com> Date: Sat, 31 Aug 2024 23:38:29 +0100 Subject: [PATCH 122/146] Attempt to fix Lint --- Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape | 2 +- Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape | 2 +- Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape | 2 +- Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape | 2 +- Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape | 2 +- Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape | 2 +- Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_UserActivity.mkape | 2 +- Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape index 7db253c0e..19372abe5 100644 --- a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape +++ b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\AllRegExecutablesFoundOrRun.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_AllRegExecutablesFoundOrRun_RECmdConsoleLog.txt + ExportFile: AllRegExecutablesFoundOrRun_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape index 7bd8273e2..8e158ea64 100644 --- a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape +++ b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BCDBootVolume.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_BCDBootVolume_RECmdConsoleLog.txt + ExportFile: BCDBootVolume_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape index 0182a3a02..77850685f 100644 --- a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape +++ b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BasicSystemInfo.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_BasicSystemInfo_RECmdConsoleLog.txt + ExportFile: BasicSystemInfo_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape index e8a9662f3..7302ed190 100644 --- a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape +++ b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\DFIRBatch.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_DFIRBatch_RECmdConsoleLog.txt + ExportFile: DFIRBatch_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape index 78afa9949..aec8bdea2 100644 --- a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape +++ b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\InstalledSoftware.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_InstalledSoftware_RECmdConsoleLog.txt + ExportFile: InstalledSoftware_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape index 0b01eca10..8240d85aa 100644 --- a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape +++ b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RECmd_Batch_MC.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_RECmd_Batch_MC_RECmdConsoleLog.txt + ExportFile: RECmd_Batch_MC_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape index f4121fd85..d2cbac9fa 100644 --- a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RegistryASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_RegistryASEPs_RECmdConsoleLog.txt + ExportFile: RegistryASEPs_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape index aa47c2d37..a9b908714 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_SoftwareASEPs_RECmdConsoleLog.txt + ExportFile: SoftwareASEPs_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape index d09521c95..a83a47d7e 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_SoftwareClassesASEPs_RECmdConsoleLog.txt + ExportFile: SoftwareClassesASEPs_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape index e2855a1fc..858fce704 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareWoW6432ASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_SoftwareWoW6432ASEPs_RECmdConsoleLog.txt + ExportFile: SoftwareWoW6432ASEPs_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape index 533cb6acb..7ed42cbd2 100644 --- a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SystemASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_SystemASEPs_RECmdConsoleLog.txt + ExportFile: SystemASEPs_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape index 996cc74af..40ca4bc23 100644 --- a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserActivity.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_UserActivity_RECmdConsoleLog.txt + ExportFile: UserActivity_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape index 366e7a652..3c65070dd 100644 --- a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: %d%_UserClassesASEPs_RECmdConsoleLog.txt + ExportFile: UserClassesASEPs_RECmdConsoleLog_%d%.txt # Documentation # https://github.com/EricZimmerman/RECmd From 8bc19cb19be2380142a699ae2c28cd0cdebc1455 Mon Sep 17 00:00:00 2001 
From: reece394 <31659691+reece394@users.noreply.github.com> Date: Sat, 31 Aug 2024 23:59:42 +0100 Subject: [PATCH 123/146] Revert %d% --- Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape | 2 +- Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape | 2 +- Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape | 2 +- Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape | 2 +- Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape | 2 +- Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape | 2 +- Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape | 2 +- Modules/EZTools/RECmd/RECmd_UserActivity.mkape | 2 +- Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape index 19372abe5..b956b2ba1 100644 --- a/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape +++ b/Modules/EZTools/RECmd/RECmd_AllRegExecutablesFoundOrRun.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\AllRegExecutablesFoundOrRun.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: AllRegExecutablesFoundOrRun_RECmdConsoleLog_%d%.txt + ExportFile: AllRegExecutablesFoundOrRun_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape index 8e158ea64..6e3bf6802 100644 --- a/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape +++ b/Modules/EZTools/RECmd/RECmd_BCDBootVolume.mkape 
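Review bot: The description `Revert %d%` does not record why the timestamp variable introduced in PATCH 121 and repositioned in PATCH 122 is being dropped, so a later maintainer is likely to re-add it for the same uniqueness reason; the message should state whether the linter rejects `%d%` inside `ExportFile` or whether KAPE does not expand it in that field. With the variable gone the console-log name is unique per module but no longer per run, so whether a second run into the same destination overwrites the earlier `AllRegExecutablesFoundOrRun_RECmdConsoleLog.txt` depends on how KAPE treats an existing ExportFile, which is worth confirming and noting. The same applies to the other twelve hunks in this patch.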
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BCDBootVolume.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: BCDBootVolume_RECmdConsoleLog_%d%.txt + ExportFile: BCDBootVolume_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape index 77850685f..dbd800d4f 100644 --- a/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape +++ b/Modules/EZTools/RECmd/RECmd_BasicSystemInfo.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\BasicSystemInfo.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: BasicSystemInfo_RECmdConsoleLog_%d%.txt + ExportFile: BasicSystemInfo_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape index 7302ed190..1b3092068 100644 --- a/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape +++ b/Modules/EZTools/RECmd/RECmd_DFIRBatch.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\DFIRBatch.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: DFIRBatch_RECmdConsoleLog_%d%.txt + ExportFile: DFIRBatch_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape index aec8bdea2..fb1dac705 100644 --- a/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape +++ b/Modules/EZTools/RECmd/RECmd_InstalledSoftware.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\InstalledSoftware.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: InstalledSoftware_RECmdConsoleLog_%d%.txt + ExportFile: InstalledSoftware_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape index 8240d85aa..4944e8d0c 100644 --- a/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape +++ b/Modules/EZTools/RECmd/RECmd_RECmd_Batch_MC.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RECmd_Batch_MC.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RECmd_Batch_MC_RECmdConsoleLog_%d%.txt + ExportFile: RECmd_Batch_MC_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape index d2cbac9fa..fe4b4a97d 100644 --- a/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_RegistryASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\RegistryASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: RegistryASEPs_RECmdConsoleLog_%d%.txt + ExportFile: RegistryASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape index a9b908714..d052a5671 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareASEPs.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: SoftwareASEPs_RECmdConsoleLog_%d%.txt + ExportFile: SoftwareASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape index a83a47d7e..760064c86 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareClassesASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: SoftwareClassesASEPs_RECmdConsoleLog_%d%.txt + ExportFile: SoftwareClassesASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape index 858fce704..611780c62 100644 --- a/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SoftwareWoW6432ASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SoftwareWoW6432ASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: SoftwareWoW6432ASEPs_RECmdConsoleLog_%d%.txt + ExportFile: SoftwareWoW6432ASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape index 7ed42cbd2..11c43f058 100644 --- a/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_SystemASEPs.mkape 
@@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\SystemASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: SystemASEPs_RECmdConsoleLog_%d%.txt + ExportFile: SystemASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape index 40ca4bc23..43eb5a022 100644 --- a/Modules/EZTools/RECmd/RECmd_UserActivity.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserActivity.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserActivity.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: UserActivity_RECmdConsoleLog_%d%.txt + ExportFile: UserActivity_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd diff --git a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape index 3c65070dd..38ca56b10 100644 --- a/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape +++ b/Modules/EZTools/RECmd/RECmd_UserClassesASEPs.mkape @@ -10,7 +10,7 @@ Processors: Executable: RECmd\RECmd.exe CommandLine: -d %sourceDirectory% --bn BatchExamples\UserClassesASEPs.reb --nl false --csv %destinationDirectory% ExportFormat: csv - ExportFile: UserClassesASEPs_RECmdConsoleLog_%d%.txt + ExportFile: UserClassesASEPs_RECmdConsoleLog.txt # Documentation # https://github.com/EricZimmerman/RECmd From c1e95fc58f45ab00947d7a3426e9e60e1f4648be Mon Sep 17 00:00:00 2001 
From: Andrew Rathbun Date: Mon, 2 Sep 2024 21:39:32 -0400 Subject: [PATCH 124/146] add Modules from https://github.com/EricZimmerman/KapeFiles/issues/961 This will close https://github.com/EricZimmerman/KapeFiles/issues/961 --- Modules/Windows/PowerShell_ActiveDrives.mkape | 18 ++++++++++++++++++ .../Windows/PowerShell_DnsClientCache.mkape | 18 ++++++++++++++++++ Modules/Windows/PowerShell_Drivers.mkape | 18 ++++++++++++++++++ Modules/Windows/PowerShell_LocalGroups.mkape | 18 ++++++++++++++++++ Modules/Windows/PowerShell_LocalUsers.mkape | 18 ++++++++++++++++++ Modules/Windows/PowerShell_NetNeighbor.mkape | 18 ++++++++++++++++++ .../Windows/PowerShell_NetworkAdapters.mkape | 18 ++++++++++++++++++ .../PowerShell_NetworkIPAddresses.mkape | 18 ++++++++++++++++++ .../PowerShell_NetworkIPConfiguration.mkape | 18 ++++++++++++++++++ Modules/Windows/PowerShell_NetworkShares.mkape | 18 ++++++++++++++++++ Modules/Windows/PowerShell_Processes.mkape | 18 ++++++++++++++++++ ...PowerShell_ProcessesIncludingServices.mkape | 14 ++++++++++++++ .../Windows/PowerShell_SystemInformation.mkape | 14 ++++++++++++++ .../Windows/PowerShell_TCPConnections.mkape | 18 ++++++++++++++++++ Modules/Windows/Windows_klist.mkape | 15 +++++++++++++++ Modules/Windows/Windows_nltest.mkape | 15 +++++++++++++++ 16 files changed, 274 insertions(+) create mode 100644 Modules/Windows/PowerShell_ActiveDrives.mkape create mode 100644 Modules/Windows/PowerShell_DnsClientCache.mkape create mode 100644 Modules/Windows/PowerShell_Drivers.mkape create mode 100644 Modules/Windows/PowerShell_LocalGroups.mkape create mode 100644 Modules/Windows/PowerShell_LocalUsers.mkape create mode 100644 Modules/Windows/PowerShell_NetNeighbor.mkape create mode 100644 Modules/Windows/PowerShell_NetworkAdapters.mkape create mode 100644 Modules/Windows/PowerShell_NetworkIPAddresses.mkape create mode 100644 Modules/Windows/PowerShell_NetworkIPConfiguration.mkape create mode 100644 Modules/Windows/PowerShell_NetworkShares.mkape create 
mode 100644 Modules/Windows/PowerShell_Processes.mkape
create mode 100644 Modules/Windows/PowerShell_ProcessesIncludingServices.mkape
create mode 100644 Modules/Windows/PowerShell_SystemInformation.mkape
create mode 100644 Modules/Windows/PowerShell_TCPConnections.mkape
create mode 100644 Modules/Windows/Windows_klist.mkape
create mode 100644 Modules/Windows/Windows_nltest.mkape
diff --git a/Modules/Windows/PowerShell_ActiveDrives.mkape b/Modules/Windows/PowerShell_ActiveDrives.mkape
new file mode 100644
index 000000000..cbcb0fb71
--- /dev/null
+++ b/Modules/Windows/PowerShell_ActiveDrives.mkape
@@ -0,0 +1,18 @@
+Description: Active Drives List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 74d3505a-ec0f-4092-b121-6796583af8e0
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-PSDrive | Select Name,Provider,Root,CurrentLocation | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Active Drives.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-PSDrive | Select Name,Provider,Root,CurrentLocation | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Active Drives.csv'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-psdrive?view=powershell-7.4
diff --git a/Modules/Windows/PowerShell_DnsClientCache.mkape b/Modules/Windows/PowerShell_DnsClientCache.mkape
new file mode 100644
index 000000000..07af1d028
--- /dev/null
+++ b/Modules/Windows/PowerShell_DnsClientCache.mkape
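Review bot: The second processor's `Out-File` target is `'%destinationDirectory%\Active Drives.csv'`, the same path the first processor's `Export-Csv` writes, so the JSON output overwrites the CSV and the `.json` file that the `ExportFormat: json` entry implies is never produced; it should read `-FilePath '%destinationDirectory%\Active Drives.json'`, as the sibling modules in this patch do. Separately, every processor in this patch invokes `powershell.exe -Command` without `-NoProfile`, so any profile script present on the examined host is executed in the collector's context before the cmdlet runs; for a live-response module on a host under investigation that is an avoidable risk, and `-NoProfile -NonInteractive -Command "..."` is the usual form. This applies to the PowerShell_DnsClientCache, PowerShell_Drivers and PowerShell_LocalGroups hunks shown here and presumably to the remaining PowerShell modules listed in the diffstat.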
@@ -0,0 +1,18 @@
+Description: Displaying DNS Client Cache
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 0bec8e98-4111-4d91-a774-0b8d50eaf430
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-DnsClientCache | Select Entry,Name,Type,Status,Section,TimeToLive,DataLength,Data | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\DNS Client Cache.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-DnsClientCache | Select Entry,Name,Type,Status,Section,TimeToLive,DataLength,Data | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\DNS Client Cache.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_Drivers.mkape b/Modules/Windows/PowerShell_Drivers.mkape
new file mode 100644
index 000000000..786d0063a
--- /dev/null
+++ b/Modules/Windows/PowerShell_Drivers.mkape
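Review bot: The Documentation link in the DnsClientCache module points at the Get-NetNeighbor reference, which has nothing to do with Get-DnsClientCache; it should point at the DnsClient module's Get-DnsClientCache page. The PowerShell_SystemInformation hunk in this commit has the same problem — its only link is the fsutil usn page, which none of its Get-CimInstance calls relate to. Since these comments are the sole description of what each module collects, a one-line summary of the cmdlet and the selected fields above the link would help in both.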
@@ -0,0 +1,18 @@
+Description: Drivers List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 81690a49-c71f-4913-9fb9-430ffa47b413
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject -Class Win32_SystemDriver | Select DisplayName,Name,Description,State,PathName,ServiceType | Export-Csv -NoTypeInformation -Path '%destinationDirectory%\Drivers.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject -Class Win32_SystemDriver | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Drivers.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemdriver
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_LocalGroups.mkape b/Modules/Windows/PowerShell_LocalGroups.mkape
new file mode 100644
index 000000000..8d346e4ea
--- /dev/null
+++ b/Modules/Windows/PowerShell_LocalGroups.mkape
@@ -0,0 +1,18 @@
+Description: Local Groups List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: e753b244-382b-4143-976e-1968c5b38973
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalGroup | select * | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Local Groups.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalGroup | select * | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Local Groups.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localgroup?view=powershell-5.1
\ No newline at end of file
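Review bot: The Drivers CSV processor's `Export-Csv -NoTypeInformation -Path` omits `-Encoding UTF8`, unlike the JSON processor next to it and every other module in this commit; Windows PowerShell 5.1's Export-Csv defaults to ASCII, so non-ASCII characters in DisplayName or Description come out as `?`. The CSV processor of PowerShell_TCPConnections further down has the same omission. The two Drivers processors also disagree on content — the CSV selects six properties while the JSON dumps every Win32_SystemDriver property — so either apply the same Select to both or say in the Documentation comment that the JSON is the fuller export.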
diff --git a/Modules/Windows/PowerShell_LocalUsers.mkape b/Modules/Windows/PowerShell_LocalUsers.mkape
new file mode 100644
index 000000000..69276b199
--- /dev/null
+++ b/Modules/Windows/PowerShell_LocalUsers.mkape
@@ -0,0 +1,18 @@
+Description: Local Users List
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 1bce3dc1-72d5-4b5d-9ca9-c15745aadc7e
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalUser | select * | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Local Users.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-LocalUser | select * | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Local Users.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localuser?view=powershell-5.1
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_NetNeighbor.mkape b/Modules/Windows/PowerShell_NetNeighbor.mkape
new file mode 100644
index 000000000..6c3569d48
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetNeighbor.mkape
@@ -0,0 +1,18 @@
+Description: Displaying ARP Table using PowerShell
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: f25cbff9-fb0c-406b-ba70-c61709c102ae
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\ARP Table.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\ARP Table.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_NetworkAdapters.mkape b/Modules/Windows/PowerShell_NetworkAdapters.mkape
new file mode 100644
index 000000000..e0ef31cb5
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkAdapters.mkape
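Review bot: Both processors filter `?{$_.AddressFamily -eq 'IPv4'}`, so the IPv6 neighbor-cache entries that Get-NetNeighbor also returns are discarded; on dual-stack hosts that is where link-local peers appear, and dropping them leaves a blind spot in a live-response snapshot. If the IPv4-only scope is deliberate to match the "ARP Table" name, a line in the Documentation block such as `# IPv6 (NDP) neighbors are intentionally excluded by the AddressFamily filter` would spare the next reader the question; otherwise remove the filter and add AddressFamily to the Select so both families are kept and distinguishable.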
@@ -0,0 +1,18 @@
+Description: Collecting Network Adapters Information
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 15ab571c-1fde-433e-a9b7-9132542ff07f
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetAdapter | Select Name, Status, MacAddress, PhysicalMediaType, DriverName, DriverInformation, DriverVersion, DriverDescription, SystemName, PnPDeviceID | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Adapters.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetAdapter | Select Name, Status, MacAddress, PhysicalMediaType, DriverName, DriverInformation, DriverVersion, DriverDescription, SystemName, PnPDeviceID | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Adapters.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
new file mode 100644
index 000000000..14b329975
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
@@ -0,0 +1,18 @@
+Description: Collecting Network IP Address Information
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 85d5e5cb-630c-4e70-9153-738e30c9d973
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetIPAddress | Select IPAddress,InterfaceAlias,AddressFamily,Type,PrefixLength,PrefixOrigin,SuffixOrigin,AddressState | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Addresses.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetIPAddress | Select IPAddress,InterfaceAlias,AddressFamily,Type,PrefixLength,PrefixOrigin,SuffixOrigin,AddressState | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network IP Addresses.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape
new file mode 100644
index 000000000..33ffaf46a
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape
@@ -0,0 +1,18 @@
+Description: Collecting Network IP Configuration and Parsing Specific Fields
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 76a02001-2a44-4e19-a3f7-14d2352f678d
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetIPConfiguration | Select InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name="NetProfile";expression={$_.NetProfile.Name}},@{name="IPv4Address";expression={$_.IPv4Address -join ","}},@{name="IPv4DefaultGateway";expression={$_.IPv4DefaultGateway -join ","}},@{name="DNSServer";expression={$_.DNSServer -join ","}} | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Configuration.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-NetIPConfiguration | Select InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name="NetProfile";expression={$_.NetProfile.Name}},@{name="IPv4Address";expression={$_.IPv4Address -join ","}},@{name="IPv4DefaultGateway";expression={$_.IPv4DefaultGateway -join ","}},@{name="DNSServer";expression={$_.DNSServer -join ","}} | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network IP Configuration.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_NetworkShares.mkape b/Modules/Windows/PowerShell_NetworkShares.mkape
new file mode 100644
index 000000000..159a7d4cb
--- /dev/null
+++ b/Modules/Windows/PowerShell_NetworkShares.mkape
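Review bot: Both CommandLine values embed unescaped double quotes (`@{name="NetProfile";...}`, `-join ","`) inside a -Command argument that is itself delimited by double quotes; unless KAPE re-quotes the value before launching powershell.exe, the first inner `"` terminates the argument and the script is truncated. The PowerShell_SystemInformation module in this same commit escapes its inner quotes as `\"`, so the two modules are inconsistent on this point. The simplest fix needs no escaping at all: single-quote the hashtable keys and join strings, e.g. `@{name='NetProfile';expression={$_.NetProfile.Name}}` and `-join ','`, in both processors.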
@@ -0,0 +1,18 @@
+Description: Displaying Network Shares
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: e4442a99-ec52-425d-aa53-ef1ee179ef45
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject —Class Win32_Share | Select Name,Path,Description | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Shares.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WmiObject —Class Win32_Share | Select Name,Path,Description | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Shares.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_Processes.mkape b/Modules/Windows/PowerShell_Processes.mkape
new file mode 100644
index 000000000..dec8212ae
--- /dev/null
+++ b/Modules/Windows/PowerShell_Processes.mkape
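Review bot: `Get-WmiObject —Class Win32_Share` in both processors uses an em dash (U+2014) rather than the ASCII hyphen before `Class`. PowerShell's tokenizer does tolerate some Unicode dashes as parameter prefixes, but that only holds if the character survives the mkape file's encoding and the command-line hand-off intact, which a collection module should not depend on; change both lines to `Get-WmiObject -Class Win32_Share`.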
@@ -0,0 +1,18 @@
+Description: Display a running process list with a variety of fields - modified
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 7bc494dd-d8c2-4e6f-87f5-817c32d06493
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WMIObject Win32_Process | Select-Object Name,ProcessID,Path,commandline,@{Label='Owner'; Expression={(Get-Process -PID $_.ProcessID -IncludeUserName).UserName}},@{Label='Creation Date'; Expression={[Management.ManagementDateTimeConverter]::ToDateTime($_.CreationDate)}},ThreadCount,HandleCount,VirtualSize,Priority,@{Label='PriorityClass'; Expression={(Get-Process -PID $_.ProcessID).PriorityClass}},@{Label='Security ID'; Expression={$_.getownersid().SID}},@{Label='TotalProcessorTime'; Expression={(Get-Process -PID $_.ProcessID).TotalProcessorTime}},@{Label='Parent Path'; Expression={(Get-Process -PID $_.ParentProcessId).Path}},ParentProcessId,@{Label='Company'; Expression={(Get-Process -PID $_.ProcessID).Company}},@{Label='ProductVersion'; Expression={(Get-Process -PID $_.ProcessID).ProductVersion}},@{Label='Description'; Expression={(Get-Process -PID $_.ProcessID).Description}},@{Label='Product'; Expression={(Get-Process -PID $_.ProcessID).Product}},@{Label='FileVersion'; Expression={(Get-Process -PID $_.ProcessID).FileVersion}},@{Label='File Path SHA1'; Expression={[System.BitConverter]::ToString( (New-Object System.Security.Cryptography.SHA1CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes($_.Path))) -replace '-'}} | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\Processes.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "Get-WMIObject Win32_Process | Select-Object Name,ProcessID,Path,commandline,@{Label='Owner'; Expression={(Get-Process -PID $_.ProcessID -IncludeUserName).UserName}},@{Label='Creation Date';
Expression={[Management.ManagementDateTimeConverter]::ToDateTime($_.CreationDate)}},ThreadCount,HandleCount,VirtualSize,Priority,@{Label='PriorityClass'; Expression={(Get-Process -PID $_.ProcessID).PriorityClass}},@{Label='Security ID'; Expression={$_.getownersid().SID}},@{Label='TotalProcessorTime'; Expression={(Get-Process -PID $_.ProcessID).TotalProcessorTime}},@{Label='Parent Path'; Expression={(Get-Process -PID $_.ParentProcessId).Path}},ParentProcessId,@{Label='Company'; Expression={(Get-Process -PID $_.ProcessID).Company}},@{Label='ProductVersion'; Expression={(Get-Process -PID $_.ProcessID).ProductVersion}},@{Label='Description'; Expression={(Get-Process -PID $_.ProcessID).Description}},@{Label='Product'; Expression={(Get-Process -PID $_.ProcessID).Product}},@{Label='FileVersion'; Expression={(Get-Process -PID $_.ProcessID).FileVersion}},@{Label='File Path SHA1'; Expression={[System.BitConverter]::ToString( (New-Object System.Security.Cryptography.SHA1CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes($_.Path))) -replace '-'}} | ConvertTo-Json -Encoding UTF8 -FilePath '%destinationDirectory%\Processes.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
diff --git a/Modules/Windows/PowerShell_ProcessesIncludingServices.mkape b/Modules/Windows/PowerShell_ProcessesIncludingServices.mkape
new file mode 100644
index 000000000..334addd82
--- /dev/null
+++ b/Modules/Windows/PowerShell_ProcessesIncludingServices.mkape
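Review bot: The JSON processor ends in `| ConvertTo-Json -Encoding UTF8 -FilePath '%destinationDirectory%\Processes.json'`, but ConvertTo-Json has neither an -Encoding nor a -FilePath parameter, so the command errors out and no JSON is produced; the `| Out-File` stage every other JSON processor in this commit uses was dropped and it should read `| ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Processes.json'`. Separately, each computed column issues its own Get-Process -PID call, so every process is looked up nine times, and the SHA1 column's `[System.IO.File]::ReadAllBytes($_.Path)` throws for processes whose Path is empty or protected, leaving that cell blank with an error on stderr. Hashing each image once with SHA-256 would also match how most threat-intel lookups are keyed, and the `- modified` suffix in Description reads like a leftover from a local copy.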
@@ -0,0 +1,14 @@
+Description: Processes list including the services running them
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 021ed07e-f2ea-4ec7-9eba-bc1e1576aa46
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "tasklist /svc /FO csv | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Process_Including_Services.csv'"
+ ExportFormat: csv
+
+# Documentation
+# https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
diff --git a/Modules/Windows/PowerShell_SystemInformation.mkape b/Modules/Windows/PowerShell_SystemInformation.mkape
new file mode 100644
index 000000000..fd001d99e
--- /dev/null
+++ b/Modules/Windows/PowerShell_SystemInformation.mkape
@@ -0,0 +1,14 @@
+Description: Specific System Information
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 92ce6a73-aee4-4040-b827-84973d90c634
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "$systemInfo = @{}; $systemInfo['Host Name'] = $env:COMPUTERNAME; $systemInfo['OS Name'] = (Get-CimInstance Win32_OperatingSystem).Caption; $systemInfo['OS Version'] = (Get-CimInstance Win32_OperatingSystem).Version; $systemInfo['OS Architecture'] = (Get-CimInstance Win32_Processor).AddressWidth.ToString() + '-Bit'; $systemInfo['Original Install Date'] = (Get-CimInstance Win32_OperatingSystem).InstallDate; $systemInfo['System Boot Time'] = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime; $systemInfo['System Manufacturer'] = (Get-CimInstance Win32_ComputerSystem).Manufacturer; $systemInfo['System Model'] = (Get-CimInstance Win32_ComputerSystem).Model; $systemInfo['BIOS Version'] = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion; $systemInfo['Boot Device'] = (Get-CimInstance Win32_ComputerSystem).BootDevice; $systemInfo['Time Zone'] = (Get-CimInstance Win32_TimeZone).Caption; $totalPhysicalMemory = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB); $systemInfo['Total Physical Memory'] = \"$totalPhysicalMemory GB\"; $systemInfo['Domain'] = (Get-CimInstance Win32_ComputerSystem).Domain; $systemInfo['Logon Server'] = (Get-CimInstance Win32_ComputerSystem).PrimaryOwnerName; $systemInfo['Hotfix(s)'] = (Get-HotFix).HotFixID -join ', '; $networkAdapters = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }; $networkCards = $networkAdapters | ForEach-Object { $_.Description }; $systemInfo['Network Card(s)'] = $networkCards -join ', '; [PSCustomObject]$systemInfo | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\System Information.csv'"
+ ExportFormat: csv
+
+# Documentation
+#
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
diff --git a/Modules/Windows/PowerShell_TCPConnections.mkape b/Modules/Windows/PowerShell_TCPConnections.mkape
new file mode 100644
index 000000000..a64fbab1c
--- /dev/null
+++ b/Modules/Windows/PowerShell_TCPConnections.mkape
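Review bot: `$systemInfo['Logon Server'] = (Get-CimInstance Win32_ComputerSystem).PrimaryOwnerName` records the registered owner name, not a logon server; `$env:LOGONSERVER` is the usual source for that field and would match what systeminfo reports under the same label. `$systemInfo = @{}` is an unordered hashtable, so the column order of the exported CSV can differ from run to run — `[ordered]@{}`, which PowerShell_TCPConnections in this commit already uses, keeps it stable for diffing across hosts. Win32_OperatingSystem and Win32_ComputerSystem are re-queried for every field; fetching each instance once into a variable would remove most of the CIM round-trips without changing the output. The Documentation link is the fsutil usn page, which is unrelated to anything this module collects.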
@@ -0,0 +1,18 @@
+Description: TCP Established Connections including DNSCache and process information
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: e2c9b4f3-5e2a-4bce-bbcf-8b473b3bb167
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "$connections = @(); if($PSVersionTable.PSVersion.Major -lt 5){ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.RemotePort }) } } else{ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'UserName'=(gps -Id $_.OwningProcess -IncludeUserName).UserName; 'Process Name'=(gps -Id $_.OwningProcess).Name; 'Process Path'=(gps -Id $_.OwningProcess).Path; 'OwningProcess'=$_.OwningProcess; 'LocalAddress'=$_.LocalAddress; 'LocalPort'=$_.RemotePort; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.LocalPort }) } }; $connections | Export-Csv -NoTypeInformation -Path '%destinationDirectory%\TCPConnections.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: -Command "$connections = @(); if($PSVersionTable.PSVersion.Major -lt 5){ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.RemotePort }) } } else{ Get-NetTCPConnection | % { $connections += New-Object psobject -Property ([ordered]@{ 'State'=$_.State; 'DNSCache'=(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry; 'UserName'=(gps -Id $_.OwningProcess -IncludeUserName).UserName; 'Process Name'=(gps -Id $_.OwningProcess).Name; 'Process Path'=(gps -Id $_.OwningProcess).Path;
'OwningProcess'=$_.OwningProcess; 'LocalAddress'=$_.LocalAddress; 'LocalPort'=$_.RemotePort; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.LocalPort }) } }; $connections | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\TCPConnections.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2022-ps
diff --git a/Modules/Windows/Windows_klist.mkape b/Modules/Windows/Windows_klist.mkape
new file mode 100644
index 000000000..916a734a6
--- /dev/null
+++ b/Modules/Windows/Windows_klist.mkape
@@ -0,0 +1,15 @@
+Description: Gets Kerberos Tickets
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: e9af32c1-2a2c-4d96-9798-f6829681da83
+ExportFormat: txt
+Processors:
+ -
+ Executable: C:\Windows\System32\klist.exe
+ CommandLine: ""
+ ExportFormat: txt
+ ExportFile: KerberosTickets.txt
+
+# Documentation
+# https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/klist
\ No newline at end of file
diff --git a/Modules/Windows/Windows_nltest.mkape b/Modules/Windows/Windows_nltest.mkape
new file mode 100644
index 000000000..be39b6381
--- /dev/null
+++ b/Modules/Windows/Windows_nltest.mkape
@@ -0,0 +1,15 @@
+Description: Collects Domain Information
+Category: LiveResponse
+Author: Max Zabuty
+Version: 1.0
+Id: 38eedacb-191a-43cf-aaf1-ff183c63c2e9
+ExportFormat: txt
+Processors:
+ -
+ Executable: C:\Windows\System32\nltest.exe
+ CommandLine: /trusted_domains
+ ExportFormat: txt
+ ExportFile: DomainInformation.txt
+
+# Documentation
+# https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731935(v=ws.11)
\ No newline at end of file
From 3598bce7b64f1809aa6f6b4c0802718ab671130d Mon Sep 17 00:00:00 2001
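Review bot: In the else branch of both TCPConnections processors the ports are crossed — `'LocalPort'=$_.RemotePort` and `'RemotePort'=$_.LocalPort` — so every row from the PowerShell 5+ path reports the peer's port as local and vice versa, which will mislead anyone pivoting on a listening port; they should read `'LocalPort'=$_.LocalPort; 'RemoteAddress'=$_.RemoteAddress; 'RemotePort'=$_.RemotePort`. The Description promises "TCP Established Connections", but Get-NetTCPConnection is called without a -State filter, so Listen, TimeWait and every other state are included — either add the filter or reword the description. The CSV processor's Export-Csv also lacks the `-Encoding UTF8` that the JSON side has.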
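Review bot: `klist.exe` with an empty CommandLine only enumerates the ticket cache of the logon session KAPE itself runs under, so tickets held by other interactive or service sessions on the host are not captured; that scope limit belongs in the Documentation block, e.g. `# Lists tickets for the logon session running KAPE only; other sessions need klist -li <LUID>`. Given the module is named for the tool rather than the artifact, a second line stating that the output is a point-in-time snapshot of cached tickets (names, encryption types and lifetimes) would tell an analyst what to expect in KerberosTickets.txt.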
From: Andrew Rathbun Date: Mon, 2 Sep 2024 21:41:02 -0400 Subject: [PATCH 125/146] add newlines for linter --- Modules/Windows/PowerShell_DnsClientCache.mkape | 2 +- Modules/Windows/PowerShell_Drivers.mkape | 2 +- Modules/Windows/PowerShell_LocalGroups.mkape | 2 +- Modules/Windows/PowerShell_LocalUsers.mkape | 2 +- Modules/Windows/PowerShell_NetNeighbor.mkape | 2 +- Modules/Windows/PowerShell_NetworkAdapters.mkape | 2 +- Modules/Windows/PowerShell_NetworkIPAddresses.mkape | 2 +- Modules/Windows/PowerShell_NetworkIPConfiguration.mkape | 2 +- Modules/Windows/PowerShell_NetworkShares.mkape | 2 +- Modules/Windows/Windows_klist.mkape | 2 +- Modules/Windows/Windows_nltest.mkape | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/Modules/Windows/PowerShell_DnsClientCache.mkape b/Modules/Windows/PowerShell_DnsClientCache.mkape
index 07af1d028..005291d72 100644
--- a/Modules/Windows/PowerShell_DnsClientCache.mkape
+++ b/Modules/Windows/PowerShell_DnsClientCache.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
\ No newline at end of file
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_Drivers.mkape b/Modules/Windows/PowerShell_Drivers.mkape
index 786d0063a..0143082fb 100644
--- a/Modules/Windows/PowerShell_Drivers.mkape
+++ b/Modules/Windows/PowerShell_Drivers.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemdriver
\ No newline at end of file
+# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemdriver
diff --git a/Modules/Windows/PowerShell_LocalGroups.mkape b/Modules/Windows/PowerShell_LocalGroups.mkape
index 8d346e4ea..bbb22f464 100644
--- a/Modules/Windows/PowerShell_LocalGroups.mkape
+++ b/Modules/Windows/PowerShell_LocalGroups.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localgroup?view=powershell-5.1
\ No newline at end of file
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localgroup?view=powershell-5.1
diff --git a/Modules/Windows/PowerShell_LocalUsers.mkape b/Modules/Windows/PowerShell_LocalUsers.mkape
index 69276b199..618c623e1 100644
--- a/Modules/Windows/PowerShell_LocalUsers.mkape
+++ b/Modules/Windows/PowerShell_LocalUsers.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localuser?view=powershell-5.1
\ No newline at end of file
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localuser?view=powershell-5.1
diff --git a/Modules/Windows/PowerShell_NetNeighbor.mkape b/Modules/Windows/PowerShell_NetNeighbor.mkape
index 6c3569d48..c7382e255 100644
--- a/Modules/Windows/PowerShell_NetNeighbor.mkape
+++ b/Modules/Windows/PowerShell_NetNeighbor.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
\ No newline at end of file
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkAdapters.mkape b/Modules/Windows/PowerShell_NetworkAdapters.mkape
index e0ef31cb5..0e2117de0 100644
--- a/Modules/Windows/PowerShell_NetworkAdapters.mkape
+++ b/Modules/Windows/PowerShell_NetworkAdapters.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps
\ No newline at end of file
+# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
index 14b329975..167c67950 100644
--- a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
+++ b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps
\ No newline at end of file
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape
index 33ffaf46a..31be5baf4 100644
--- a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape
+++ b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps
\ No newline at end of file
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps
diff --git a/Modules/Windows/PowerShell_NetworkShares.mkape b/Modules/Windows/PowerShell_NetworkShares.mkape
index 159a7d4cb..47daaca7f 100644
--- a/Modules/Windows/PowerShell_NetworkShares.mkape
+++ b/Modules/Windows/PowerShell_NetworkShares.mkape
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share
\ No newline at end of file
+# https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share
diff --git a/Modules/Windows/Windows_klist.mkape b/Modules/Windows/Windows_klist.mkape
index 916a734a6..8d158a9cd 100644
--- a/Modules/Windows/Windows_klist.mkape
+++ b/Modules/Windows/Windows_klist.mkape
@@ -12,4 +12,4 @@ Processors:
 ExportFile: KerberosTickets.txt
 # Documentation
-# https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/klist
\ No newline at end of file
+# https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/klist
diff --git a/Modules/Windows/Windows_nltest.mkape b/Modules/Windows/Windows_nltest.mkape
index be39b6381..7d4671583 100644
--- a/Modules/Windows/Windows_nltest.mkape
+++ b/Modules/Windows/Windows_nltest.mkape
@@ -12,4 +12,4 @@ Processors:
 ExportFile: DomainInformation.txt
 # Documentation
-# https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731935(v=ws.11)
\ No newline at end of file
+# https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731935(v=ws.11)
From 7c97be515fa843a951a99379e666fc2dd9be6ba7 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 5 Sep 2024 12:53:24 -0400 Subject: [PATCH 126/146] Update verify.yml - testing on separate Targets and Modules runs --- .github/workflows/verify.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 82eaf36b1..ebcd688ee 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -4,6 +4,14 @@ jobs:
 lintAllTheThings:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - name: yaml-lint
- uses: ibiqlik/action-yamllint@v3
+ - uses: actions/checkout@v4
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+ - name: Install yamllint
+ run: pip install yamllint
+ - name: Run yamllint on Targets
+ run: yamllint Targets
+ - name: Run yamllint on Modules
+ run: yamllint Modules
From 714b26d4ac5f95566bc4a5a95795296c1062e06a Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 5 Sep 2024 12:58:00 -0400 Subject: [PATCH 127/146] Update verify.yml --- .github/workflows/verify.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index ebcd688ee..e15ab4f72 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -12,6 +12,6 @@ jobs:
 - name: Install yamllint
 run: pip install yamllint
 - name: Run yamllint on Targets
- run: yamllint Targets
+ run: yamllint -r Targets # -r flag = recursive
 - name: Run yamllint on Modules
- run: yamllint Modules
+ run: yamllint -r Modules # -r flag = recursive
From 26ec7e81cfc3bdcb72a09b064575cc9d5c46ecfc Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 5 Sep 2024 12:59:43 -0400 Subject: [PATCH 128/146] Update verify.yml - trying shell globbing --- .github/workflows/verify.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index e15ab4f72..5d38fb7c5 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
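Review bot: `run: pip install yamllint` installs whatever version is on PyPI at run time, so the lint gate's behaviour and its transitive dependencies can change under the repository without any commit; pin it, e.g. `run: pip install 'yamllint==<pinned version>'`, and consider referencing `actions/checkout` and `actions/setup-python` by commit SHA rather than the floating `@v4`/`@v5` tags, since a moved tag runs arbitrary code in this workflow. Note also that yamllint given a directory only lints files matching its yaml-files patterns (`*.yaml`, `*.yml` and `.yamllint` by default), so `yamllint Targets` and `yamllint Modules` as written will not examine a single `.tkape` or `.mkape` file; declaring those extensions in a `.yamllint` config is the robust fix rather than the shell globs the later commits try.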
@@ -12,6 +12,6 @@ jobs:
 - name: Install yamllint
 run: pip install yamllint
 - name: Run yamllint on Targets
- run: yamllint -r Targets # -r flag = recursive
+ run: yamllint Targets/**/*.tkape
 - name: Run yamllint on Modules
- run: yamllint -r Modules # -r flag = recursive
+ run: yamllint Modules/**/*.mkape
From e27efb104adcd2acd31682d5984a73b5ba2c6631 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 5 Sep 2024 13:00:56 -0400 Subject: [PATCH 129/146] Update ManageEngineLogs.tkape test - add lint errors --- Targets/Logs/ManageEngineLogs.tkape | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Targets/Logs/ManageEngineLogs.tkape b/Targets/Logs/ManageEngineLogs.tkape
index 51d60b284..8ed99f29b 100644
--- a/Targets/Logs/ManageEngineLogs.tkape
+++ b/Targets/Logs/ManageEngineLogs.tkape
@@ -13,7 +13,8 @@ Targets:
 Name: ManageEngine ADSelfService Plus Log Files
 Category: Logs
 Path: C:\ManageEngine\ADSelfService Plus\logs\
- Recursive: true
+ Recursive: true
+
 # Documentation
 # https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
From c072dd86a719f1a9324fcaa8fcff25b71b7d8373 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Thu, 5 Sep 2024 13:03:37 -0400 Subject: [PATCH 130/146] Update verify.yml --- .github/workflows/verify.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 5d38fb7c5..82eaf36b1 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
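Review bot: `run: yamllint Targets/**/*.tkape` executes under the default `bash -e` shell of a run step, where globstar is off, so `**` behaves like `*` and only files exactly one directory below Targets are linted; anything nested deeper is skipped silently, and the same pattern is re-introduced by the verify.yml hunk of PATCH 131/146 further down. Rather than depending on shell globbing, declare the extensions in a `.yamllint` file (`yaml-files: ['*.tkape', '*.mkape']`) and call `yamllint Targets Modules`, which recurses on its own; `find Targets -name '*.tkape' -print0 | xargs -0 yamllint` is the alternative if a config file is unwanted.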
@@ -4,14 +4,6 @@ jobs:
 lintAllTheThings:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - name: Setup Python
- uses: actions/setup-python@v5
- with:
- python-version: '3.x'
- - name: Install yamllint
- run: pip install yamllint
- - name: Run yamllint on Targets
- run: yamllint Targets/**/*.tkape
- - name: Run yamllint on Modules
- run: yamllint Modules/**/*.mkape
+ - uses: actions/checkout@v3
+ - name: yaml-lint
+ uses: ibiqlik/action-yamllint@v3
From be1e1cc2d4a237f710fabe6ce2d891cce6c5b04f Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Thu, 5 Sep 2024 13:05:57 -0400
Subject: [PATCH 131/146] Update verify.yml
---
 .github/workflows/verify.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 82eaf36b1..bd4666f4a 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -4,6 +4,15 @@ jobs:
 lintAllTheThings:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - name: yaml-lint
- uses: ibiqlik/action-yamllint@v3
+ - uses: actions/checkout@v4
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+ - name: Install yamllint
+ run: pip install yamllint
+ - name: Run yamllint on Targets
+ run: yamllint Targets/**/*.tkape
+ - name: Run yamllint on Modules
+ run: yamllint Modules/**/*.mkape
+
From f990379e8920b8b4e252c564fc232b7f84710833 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Thu, 5 Sep 2024 13:36:43 -0400
Subject: [PATCH 132/146] Update ManageEngineLogs.tkape - remove lint issue
---
 Targets/Logs/ManageEngineLogs.tkape | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Targets/Logs/ManageEngineLogs.tkape b/Targets/Logs/ManageEngineLogs.tkape
index 8ed99f29b..51d60b284 100644
--- a/Targets/Logs/ManageEngineLogs.tkape
+++ b/Targets/Logs/ManageEngineLogs.tkape
@@ -13,8 +13,7 @@ Targets:
 Name: ManageEngine ADSelfService Plus Log Files
 Category: Logs
 Path: C:\ManageEngine\ADSelfService Plus\logs\
- Recursive: true
-
+ Recursive: true
 # Documentation
 # https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
From 9a30bff269e15534fb227a02b9516580951de14f Mon Sep 17 00:00:00 2001
From: MaxZabuty Date: Mon, 9 Sep 2024 14:40:54 +0300 Subject: [PATCH 133/146] Created some new things --- .../SysInternals/SysInternals_Autoruns.mkape | 8 +-- Modules/Compound/NetworkActivity.mkape | 63 +++++++++++++++++++ Modules/Compound/Persistence.mkape | 23 +++++++ Modules/Compound/SystemInformation.mkape | 51 +++++++++++++++ .../PowerShell_AccessibilityFeatures.mkape | 20 ++++++ .../Windows/PowerShell_DnsClientCache.mkape | 4 +- Modules/Windows/PowerShell_NamedPipes.mkape | 17 ++--- Modules/Windows/PowerShell_NetNeighbor.mkape | 6 +- Modules/Windows/PowerShell_NetRoute.mkape | 20 ++++++ .../Windows/PowerShell_NetworkAdapters.mkape | 4 +- .../PowerShell_NetworkIPAddresses.mkape | 4 +- .../PowerShell_NetworkIPConfiguration.mkape | 10 +-- .../PowerShell_RecycleBinParsing.mkape | 22 +++++++ Modules/Windows/PowerShell_SMBMapping.mkape | 10 ++- Modules/Windows/PowerShell_SMBOpenFile.mkape | 10 ++- Modules/Windows/PowerShell_SMBSession.mkape | 10 ++- .../Windows/PowerShell_TCPConnections.mkape | 4 +- Modules/Windows/PowerShell_WMIProviders.mkape | 18 ++++++ ...ershell_Wireless_Network_Connections.mkape | 30 ++++++--- .../Windows_nbtstat_NetBIOSCache.mkape | 6 +- .../Windows_nbtstat_NetBIOSSessions.mkape | 6 +- Modules/Windows/Windows_schtasks.mkape | 8 +-- Targets/Compound/ProgramExecution.tkape | 57 +++++++++++++++++ Targets/Windows/HostsFile.tkape | 14 +++++ Targets/Windows/JumpLists.tkape | 20 ++++++ Targets/Windows/RecentFolders.tkape | 19 ++++++ Targets/Windows/StartupFolders.tkape | 4 +- 27 files changed, 414 insertions(+), 54 deletions(-) create mode 100644 Modules/Compound/NetworkActivity.mkape create mode 100644 Modules/Compound/Persistence.mkape create mode 100644 Modules/Compound/SystemInformation.mkape create mode 100644 Modules/Windows/PowerShell_AccessibilityFeatures.mkape create mode 100644 Modules/Windows/PowerShell_NetRoute.mkape create mode 100644 Modules/Windows/PowerShell_RecycleBinParsing.mkape create mode 100644 
Modules/Windows/PowerShell_WMIProviders.mkape create mode 100644 Targets/Compound/ProgramExecution.tkape create mode 100644 Targets/Windows/HostsFile.tkape create mode 100644 Targets/Windows/JumpLists.tkape create mode 100644 Targets/Windows/RecentFolders.tkape diff --git a/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape b/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape index 96b7be3a1..b729510c0 100644 --- a/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape +++ b/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape @@ -1,15 +1,15 @@ Description: Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. -Category: LiveResponse +Category: Persistence Author: Andy Furnas, Encoding updates by piesecurity, Andreas Hunkeler (@Karneades) -Version: 1.4 +Version: 1.5 Id: c95e71bd-7abb-48c3-abae-f48b9ff19dec BinaryUrl: https://download.sysinternals.com/files/Autoruns.zip ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Path '%destinationDirectory%\autoruns.csv'" + CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Encoding UTF8 -Path '%destinationDirectory%\Autoruns.csv'" ExportFormat: csv # Documentation -# https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns +# https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns \ No newline at end of file diff --git a/Modules/Compound/NetworkActivity.mkape b/Modules/Compound/NetworkActivity.mkape new file mode 100644 index 000000000..6de1717b5 --- /dev/null +++ b/Modules/Compound/NetworkActivity.mkape 
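Review bot: The replacement `# https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns` line drops the file's terminating newline (`\ No newline at end of file`), which yamllint's default `new-line-at-end-of-file` rule reports, so the verify.yml lint job introduced earlier in this series would flag a change that is otherwise only a category bump, a version bump and an `-Encoding UTF8` fix. The same newline loss appears in the PowerShell_DnsClientCache, PowerShell_NamedPipes, PowerShell_NetNeighbor, PowerShell_NetworkAdapters, PowerShell_NetworkIPAddresses, PowerShell_NetworkIPConfiguration and PowerShell_TCPConnections hunks of this commit and in each newly created .mkape. An editor setting (`insert_final_newline = true` in `.editorconfig`) restores it and reduces these hunks to the intended one-line edits.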
@@ -0,0 +1,63 @@ +Description: Parsing all information for Network Activity Category +Category: Network Activity +Author: Max Zabuty +Version: 1 +Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de +ExportFormat: json +Processors: + - + Executable: PowerShell_SMBMapping.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_SMBOpenFile.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_SMBSession.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetNeighbor.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_TCPConnections.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkAdapters.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkIPAddresses.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkIPConfiguration.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_DnsClientCache.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_nbtstat_NetBIOSCache.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_nbtstat_NetBIOSSessions.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Powershell_Wireless_Network_Connections.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NamedPipes.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetRoute.mkape + CommandLine: "" + ExportFormat: "" \ No newline at end of file diff --git a/Modules/Compound/Persistence.mkape b/Modules/Compound/Persistence.mkape new file mode 100644 index 000000000..f0e49fee9 --- /dev/null +++ b/Modules/Compound/Persistence.mkape 
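Review bot: `Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de` is reused verbatim by the new Modules/Compound/Persistence.mkape in the same commit, so the two compound modules can no longer be told apart by Id; one of them needs a freshly generated GUID (`Id: <new GUID>`). This compound also pulls in Powershell_Wireless_Network_Connections.mkape, which as rewritten in this commit exports Wi-Fi pre-shared keys in clear text, so the description should say so that operators handle the output directory as containing credentials, e.g. `Description: Parsing all information for Network Activity Category (output includes clear-text Wi-Fi keys)`.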
@@ -0,0 +1,23 @@ +Description: Parsing all Persistence category +Category: Persistence +Author: Max Zabuty +Version: 1 +Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de +ExportFormat: json +Processors: + - + Executable: Windows_schtasks.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: SysInternals_Autoruns.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_WMIProviders.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_AccessibilityFeatures.mkape + CommandLine: "" + ExportFormat: "" \ No newline at end of file diff --git a/Modules/Compound/SystemInformation.mkape b/Modules/Compound/SystemInformation.mkape new file mode 100644 index 000000000..6da2ba58b --- /dev/null +++ b/Modules/Compound/SystemInformation.mkape @@ -0,0 +1,51 @@ +Description: Parsing all information for System Information Category +Category: System Information +Author: Max Zabuty +Version: 1 +Id: 223ac60b-b5be-4f79-8e16-4f16b1597f3c +ExportFormat: json +Processors: + - + Executable: PowerShell_SystemInformation.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_Processes.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_ProcessesIncludingServices.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_Drivers.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_NetworkShares.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_ActiveDrives.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_LocalUsers.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_LocalGroups.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_klist.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: Windows_nltest.mkape + CommandLine: "" + ExportFormat: "" + - + Executable: PowerShell_Defender_Exclusions.mkape + CommandLine: "" + ExportFormat: "" \ No newline at end of file 
diff --git a/Modules/Windows/PowerShell_AccessibilityFeatures.mkape b/Modules/Windows/PowerShell_AccessibilityFeatures.mkape
new file mode 100644
index 000000000..810e0c2f0
--- /dev/null
+++ b/Modules/Windows/PowerShell_AccessibilityFeatures.mkape
@@ -0,0 +1,20 @@ +Description: Checks for Debugger registry value and file integrity of specific Windows features +Category: Persistence +Author: Max Zabuty +Version: 1.0 +Id: e3444190-b58e-4fe7-8048-e0bb1f40b3c7 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults | Export-Csv -NoTypeInformation -Encoding UTF8 -Path \"%destinationDirectory%\AccessibilityFeaturesCheck.csv\" " + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = 
\"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\AccessibilityFeaturesCheck.json' " + ExportFormat: json + +# Documentation +# https://support.microsoft.com/en-us/windows/discover-windows-accessibility-features-8b1068e6-d3b8-4ba8-b027-133dd8911df9 \ No newline at end of file diff --git a/Modules/Windows/PowerShell_DnsClientCache.mkape b/Modules/Windows/PowerShell_DnsClientCache.mkape index 005291d72..7093991a5 100644 --- a/Modules/Windows/PowerShell_DnsClientCache.mkape +++ b/Modules/Windows/PowerShell_DnsClientCache.mkape @@ -1,5 +1,5 @@ Description: Displaying DNS Client Cache -Category: LiveResponse +Category: Network Activity Author: Max Zabuty Version: 1.0 Id: 0bec8e98-4111-4d91-a774-0b8d50eaf430 
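Review bot: `if (Test-Path -Path \"$regPath\Debugger\")` tests for a registry *key* named Debugger beneath the IFEO subkey, but the hijack this module is meant to surface is a *value* named Debugger on that subkey, so the test is false on a host where the value is set and every row reports `No Debugger`; the `Get-ItemPropertyValue` branch is effectively unreachable. Replace the test with a property lookup, e.g. `$dbg = (Get-ItemProperty -Path $regPath -Name Debugger -ErrorAction SilentlyContinue).Debugger; if ($dbg) { $result.Debugger = $dbg } else { $result.Debugger = \"No Debugger\" }`. `$sfcOutput[5]` also hard-codes which line of `sfc /VERIFYFILE` output carries the verdict, and sfc needs an elevated session; joining all output lines and stripping the embedded nulls before matching, and recording the raw text when neither pattern matches, would be less fragile across builds and locales. Both processors embed the same script and differ only in the final export, so any fix has to be applied to both.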
@@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps \ No newline at end of file diff --git a/Modules/Windows/PowerShell_NamedPipes.mkape b/Modules/Windows/PowerShell_NamedPipes.mkape index cd4bc2487..fa0590cfd 100644 --- a/Modules/Windows/PowerShell_NamedPipes.mkape +++ b/Modules/Windows/PowerShell_NamedPipes.mkape @@ -1,15 +1,18 @@ Description: Named Pipes List -Category: LiveResponse -Author: nov3mb3r +Category: Network Activity +Author: Max Zabuty Version: 1.0 Id: f1f5f93d-d03b-45f4-bf72-7b8f9dc7ac23 -ExportFormat: txt +ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Format-Table FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime" - ExportFormat: txt - ExportFile: pipes.txt + CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Named Pipes.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' | Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Named Pipes.json'" + ExportFormat: json # Documentation -# https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes +# https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes \ No newline at end of file diff --git a/Modules/Windows/PowerShell_NetNeighbor.mkape b/Modules/Windows/PowerShell_NetNeighbor.mkape index c7382e255..6cf07e4f1 100644 
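Review bot: In the PowerShell_NamedPipes hunk, `Author: Max Zabuty` replaces `Author: nov3mb3r` instead of extending it, whereas the SMBMapping, SMBOpenFile and SMBSession hunks of this commit keep the original author (`Author: Vito Alfano, Max Zabuty`); the Powershell_Wireless_Network_Connections hunk overwrites its author the same way. Use the same form here, `Author: nov3mb3r, Max Zabuty`, and since the output format and file names change (`pipes.txt` becomes `Named Pipes.csv` / `.json`) bump `Version: 1.0` to `Version: 1.1` as the Autoruns hunk does for its own change.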
--- a/Modules/Windows/PowerShell_NetNeighbor.mkape +++ b/Modules/Windows/PowerShell_NetNeighbor.mkape @@ -1,5 +1,5 @@ Description: Displaying ARP Table using PowerShell -Category: LiveResponse +Category: Network Activity Author: Max Zabuty Version: 1.0 Id: f25cbff9-fb0c-406b-ba70-c61709c102ae @@ -7,7 +7,7 @@ ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\ARP Table.csv'" + CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\ARP Table.csv' " ExportFormat: csv - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps \ No newline at end of file diff --git a/Modules/Windows/PowerShell_NetRoute.mkape b/Modules/Windows/PowerShell_NetRoute.mkape new file mode 100644 index 000000000..143dbdea3 --- /dev/null +++ b/Modules/Windows/PowerShell_NetRoute.mkape 
@@ -0,0 +1,20 @@
+Description: Collecting Network Routing Table Information
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: f1eaaf30-3b13-4c0e-836c-071f7a668948
+ExportFormat: csv
+Processors:
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Routing Table.csv'"
+ ExportFormat: csv
+ -
+ Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: >
+ -Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Routing Table.json'"
+ ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute?view=windowsserver2022-ps
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_NetworkAdapters.mkape b/Modules/Windows/PowerShell_NetworkAdapters.mkape
index 0e2117de0..0dbc3fb6c 100644
--- a/Modules/Windows/PowerShell_NetworkAdapters.mkape
+++ b/Modules/Windows/PowerShell_NetworkAdapters.mkape
@@ -1,5 +1,5 @@
 Description: Collecting Network Adapters Information
-Category: LiveResponse
+Category: Network Activity
 Author: Max Zabuty
 Version: 1.0
 Id: 15ab571c-1fde-433e-a9b7-9132542ff07f
@@ -15,4 +15,4 @@ Processors:
 ExportFormat: json
 # Documentation
-# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps
+# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps
\ No newline at end of file
diff --git a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape
index 167c67950..04cae4660 100644
--- a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape +++ b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape @@ -1,5 +1,5 @@ Description: Collecting Network IP Address Information -Category: LiveResponse +Category: Network Activity Author: Max Zabuty Version: 1.0 Id: 85d5e5cb-630c-4e70-9153-738e30c9d973 @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps \ No newline at end of file diff --git a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape index 31be5baf4..88251b621 100644 --- a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape +++ b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape @@ -1,5 +1,5 @@ Description: Collecting Network IP Configuration and Parsing Specific Fields -Category: LiveResponse +Category: Network Activity Author: Max Zabuty Version: 1.0 Id: 76a02001-2a44-4e19-a3f7-14d2352f678d 
@@ -7,12 +7,14 @@ ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-NetIPConfiguration | Select InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name="NetProfile";expression={$_.NetProfile.Name}},@{name="IPv4Address";expression={$_.IPv4Address -join ","}},@{name="IPv4DefaultGateway";expression={$_.IPv4DefaultGateway -join ","}},@{name="DNSServer";expression={$_.DNSServer -join ","}} | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Configuration.csv'" + CommandLine: > + -Command "Get-NetIPConfiguration | Select-Object InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name='NetProfile';expression={$_.NetProfile.Name}},@{name='IPv4Address';expression={$_.IPv4Address -join ','}},@{name='IPv4DefaultGateway';expression={$_.IPv4DefaultGateway -join ','}},@{name='DNSServer';expression={$_.DNSServer -join ','}} | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Configuration.csv'" ExportFormat: csv - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-NetIPConfiguration | Select InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name="NetProfile";expression={$_.NetProfile.Name}},@{name="IPv4Address";expression={$_.IPv4Address -join ","}},@{name="IPv4DefaultGateway";expression={$_.IPv4DefaultGateway -join ","}},@{name="DNSServer";expression={$_.DNSServer -join ","}} | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network IP Configuration.json'" + CommandLine: > + -Command "Get-NetIPConfiguration | Select-Object InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name='NetProfile';expression={$_.NetProfile.Name}},@{name='IPv4Address';expression={$_.IPv4Address -join ','}},@{name='IPv4DefaultGateway';expression={$_.IPv4DefaultGateway -join ','}},@{name='DNSServer';expression={$_.DNSServer -join ','}} | ConvertTo-Json | Out-File -Encoding 
UTF8 -FilePath '%destinationDirectory%\Network IP Configuration.json'" ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps \ No newline at end of file diff --git a/Modules/Windows/PowerShell_RecycleBinParsing.mkape b/Modules/Windows/PowerShell_RecycleBinParsing.mkape new file mode 100644 index 000000000..598b65526 --- /dev/null +++ b/Modules/Windows/PowerShell_RecycleBinParsing.mkape 
@@ -0,0 +1,22 @@ +Description: Parses the Recycle Bin, gathering details about deleted files and exports the results in CSV and JSON formats. (Time in UTC) +Category: FileDeletion +Author: Max Zabuty +Version: 1.0 +Id: 3d845a61-5f0e-4d4f-bf57-b0e77b6b5db1 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\RecycleBin.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = 
$_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\RecycleBin.json'" + ExportFormat: json + +# Documentation +# https://forensafe.com/blogs/recycleBin.html +# https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal +# https://www.devhut.net/vba-shell-application-deep-dive/ \ No newline at end of file diff --git a/Modules/Windows/PowerShell_SMBMapping.mkape b/Modules/Windows/PowerShell_SMBMapping.mkape index eb8840847..b2189434a 100644 --- a/Modules/Windows/PowerShell_SMBMapping.mkape +++ b/Modules/Windows/PowerShell_SMBMapping.mkape 
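Review bot: `$userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value` throws when the SID cannot be resolved (a deleted local account, or a domain SID on a host that cannot reach a domain controller during triage), and since the call sits inside the `%` block with no error handling the exception aborts the whole pipeline, losing every remaining item and the export itself. Guard it so the raw SID is still recorded, e.g. `try { $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value } catch { $userName = $recycleSid }`. `$Shell.Namespace(0xA)` presumably enumerates the Recycle Bin as seen by the account KAPE runs under, so whether other users' `$Recycle.Bin` folders appear depends on that account's rights; a sentence in `Description:` saying so would stop a reader from treating the CSV as exhaustive. Both processors embed the same script, so the JSON one needs the same guard.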
@@ -1,14 +1,18 @@ Description: Retrieves the Server Message Block (SMB) client directory mappings. It replaces the command net use. -Category: LiveResponse -Author: Vito Alfano +Category: Network Activity +Author: Vito Alfano, Max Zabuty Version: 1.0 Id: 36092684-5d40-4159-baed-822b7eaaf0a0 ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status | Export-Csv -Path %destinationDirectory%\Net_Use.csv -NoTypeInformation " + CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.csv' " ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.json' " + ExportFormat: json # Documentation # https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbmapping?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_SMBOpenFile.mkape b/Modules/Windows/PowerShell_SMBOpenFile.mkape index aba418328..a1d1638d2 100644 --- a/Modules/Windows/PowerShell_SMBOpenFile.mkape +++ b/Modules/Windows/PowerShell_SMBOpenFile.mkape 
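Review bot: The second processor is labelled `ExportFormat: json` but its command still ends in `Export-Csv ... -Path '%destinationDirectory%\SMB Mapping.json'`, so the .json file will contain CSV text and anything parsing it as JSON will fail. The JSON variants elsewhere in this commit use `ConvertTo-Json | Out-File`, so the line should read `CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\SMB Mapping.json'"`. Since the columns and output file names change, `Version: 1.0` should also be bumped.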
@@ -1,14 +1,18 @@ Description: Retrieves basic information about the files that are open via SMB -Category: LiveResponse -Author: Vito Alfano +Category: Network Activity +Author: Vito Alfano, Max Zabuty Version: 1.0 Id: f93f31dc-2979-4279-b1f7-a4771b7ed1fa ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-SMBOpenFile | Select FileId, SessionId, Path, ShareRelativePath, ClientComputerName, ClientUsername | Export-Csv -Path %destinationDirectory%\Net_Files.csv -NoTypeInformation " + CommandLine: -Command "Get-SMBOpenFile | Select FileId, SessionId, Path, ShareRelativePath, ClientComputerName, ClientUsername | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Open Files.csv' " ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-SMBOpenFile | Select FileId, SessionId, Path, ShareRelativePath, ClientComputerName, ClientUsername | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\SMB Open Files.json'" + ExportFormat: json # Documentation # https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbopenfile?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_SMBSession.mkape b/Modules/Windows/PowerShell_SMBSession.mkape index eb9c88fcd..30f9d1ae9 100644 --- a/Modules/Windows/PowerShell_SMBSession.mkape +++ b/Modules/Windows/PowerShell_SMBSession.mkape 
@@ -1,14 +1,18 @@ Description: Retrieves basic information about active SMB sessions. It replaces the command net use. -Category: LiveResponse -Author: Vito Alfano +Category: Network Activity +Author: Vito Alfano, Max Zabuty Version: 1.0 Id: 3d38b9bb-64dd-440e-9a01-8db0feceb3a7 ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "Get-SMBSession | Select SessionId, ClientComputerName, ClientUserName, NumOpens | Export-Csv -Path %destinationDirectory%\Net_Sessions.csv -NoTypeInformation " + CommandLine: -Command "Get-SMBSession | Select SessionId, ClientComputerName, ClientUserName, NumOpens | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Session.csv' " ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "Get-SMBSession | Select SessionId, ClientComputerName, ClientUserName, NumOpens | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath 'SMB Session.json'" + ExportFormat: json # Documentation # https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbsession?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_TCPConnections.mkape b/Modules/Windows/PowerShell_TCPConnections.mkape index a64fbab1c..f8cc981b7 100644 --- a/Modules/Windows/PowerShell_TCPConnections.mkape +++ b/Modules/Windows/PowerShell_TCPConnections.mkape @@ -1,5 +1,5 @@ Description: TCP Established Connections including DNSCache and process information -Category: LiveResponse +Category: Network Activity Author: Max Zabuty Version: 1.0 Id: e2c9b4f3-5e2a-4bce-bbcf-8b473b3bb167 @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2022-ps +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2022-ps \ No newline at end of file 
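Review bot: In the PowerShell_SMBSession hunk the JSON processor writes to `-FilePath 'SMB Session.json'` with no `%destinationDirectory%` prefix, unlike every other processor in this commit, so the file lands in whatever working directory powershell.exe inherits rather than in the module's output folder and will not be part of the collected output. Change it to `-FilePath '%destinationDirectory%\SMB Session.json'`.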
diff --git a/Modules/Windows/PowerShell_WMIProviders.mkape b/Modules/Windows/PowerShell_WMIProviders.mkape
new file mode 100644
index 000000000..07f114104
--- /dev/null
+++ b/Modules/Windows/PowerShell_WMIProviders.mkape
@@ -0,0 +1,18 @@ +Description: Output of WMI Event Consumers, Filters, and Filter to Consumer Binders - All to CSV and JSON +Category: Persistence +Author: Max Zabuty +Version: 1.0 +Id: 8a5e83ae-4470-46d7-9812-5f713e0e0775 +ExportFormat: csv +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "New-Item -ItemType Directory -Path '%destinationDirectory%\WMI Providers' | Out-Null; foreach ($NameSpace in 'root\subscription','root\default') { Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventConsumer' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Name, SourceName, @{name='InsertionStringTemplates';expression={$_.InsertionStringTemplates -join ','}} | Export-Csv -Encoding UTF8 -Force -Append -NoTypeInformation -Path '%destinationDirectory%\WMI Providers\WMI Event Consumers.csv'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventFilter' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, EventNamespace, Name, Query, QueryLanguage | Export-Csv -Encoding UTF8 -Force -Append -NoTypeInformation -Path '%destinationDirectory%\WMI Providers\WMI Event Filters.csv'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __FilterToConsumerBinding' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Consumer, Filter | Export-Csv -Encoding UTF8 -Force -Append -NoTypeInformation -Path '%destinationDirectory%\WMI Providers\WMI Filter Consumer Binders.csv' }" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: -Command "New-Item -ItemType Directory -Path '%destinationDirectory%\WMI Providers' | Out-Null; foreach ($NameSpace in 'root\subscription','root\default') { Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventConsumer' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Name, SourceName, 
@{name='InsertionStringTemplates';expression={$_.InsertionStringTemplates -join ','}} | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Event Consumers.json'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __EventFilter' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, EventNamespace, Name, Query, QueryLanguage | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Event Filters.json'; Get-CimInstance -Namespace $NameSpace -Query 'select * from __FilterToConsumerBinding' | Select @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Consumer, Filter | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Filter Consumer Binders.json' }" + ExportFormat: json + +# Documentation +# https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-providers \ No newline at end of file diff --git a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape index 471a30475..59ec54c7a 100644 --- a/Modules/Windows/Powershell_Wireless_Network_Connections.mkape +++ b/Modules/Windows/Powershell_Wireless_Network_Connections.mkape 
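Review bot: The JSON processor overwrites its own output: each `ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '...\WMI Event Consumers.json'` (and the Filters/Binders equivalents) runs once per iteration of `foreach ($NameSpace in 'root\subscription','root\default')` without `-Append`, so only the `root\default` results survive, and simply adding `-Append` as the CSV processor does would concatenate two JSON documents into one unparseable file. Collect both namespaces first and serialize once, which also lets you record the namespace each row came from — neither export currently does, so a consumer in `root\subscription` (where __FilterToConsumerBinding persistence normally lives) is indistinguishable from one in `root\default`. The same `Namespace` calculated property is worth adding to the CSV processor's `Select` lists for the same reason.
```yaml
    CommandLine: >
      -Command "New-Item -ItemType Directory -Path '%destinationDirectory%\WMI Providers' | Out-Null;
      $ns = 'root\subscription','root\default';
      $consumers = foreach ($n in $ns) { Get-CimInstance -Namespace $n -Query 'select * from __EventConsumer' | Select @{name='Namespace';expression={$n}}, @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Name, SourceName, @{name='InsertionStringTemplates';expression={$_.InsertionStringTemplates -join ','}} };
      ConvertTo-Json -InputObject @($consumers) | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Event Consumers.json';
      $filters = foreach ($n in $ns) { Get-CimInstance -Namespace $n -Query 'select * from __EventFilter' | Select @{name='Namespace';expression={$n}}, @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, EventNamespace, Name, Query, QueryLanguage };
      ConvertTo-Json -InputObject @($filters) | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Event Filters.json';
      $bindings = foreach ($n in $ns) { Get-CimInstance -Namespace $n -Query 'select * from __FilterToConsumerBinding' | Select @{name='Namespace';expression={$n}}, @{name='CreatorSID';expression={$_.CreatorSID -join ','}}, Consumer, Filter };
      ConvertTo-Json -InputObject @($bindings) | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\WMI Providers\WMI Filter Consumer Binders.json'"
    ExportFormat: json
```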
@@ -1,14 +1,30 @@ -Description: Extract Wireless Network Connections details via powershell -Category: LiveResponse -Author: Vito Alfano +Description: Collecting Wi-Fi Profiles and Passwords +Category: Network Activity +Author: Max Zabuty Version: 1.0 -Id: 5021953e-b8b8-482d-8d23-a0f901dff84d -ExportFormat: txt +Id: e4d8433b-506b-4053-8226-e2c4938ccba2 +ExportFormat: csv Processors: - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - CommandLine: -Command "(netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name=”$name” key=clear)} | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize > %destinationDirectory%\Wireless_Network.txt" - ExportFormat: txt + CommandLine: > + -Command "(netsh wlan show profiles) | Select-String '\:(.+)$' | ForEach-Object { + $name=$_.Matches.Groups[1].Value.Trim(); + $profileDetails=(netsh wlan show profile name=$name key=clear); + $password=($profileDetails | Select-String 'Key Content\W+\:(.+)$').Matches.Groups[1].Value.Trim(); + [PSCustomObject]@{ SSID=$name; PASSWORD=$password } + } | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Wi-Fi Profiles.csv'" + ExportFormat: csv + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: > + -Command "(netsh wlan show profiles) | Select-String '\:(.+)$' | ForEach-Object { + $name=$_.Matches.Groups[1].Value.Trim(); + $profileDetails=(netsh wlan show profile name=$name key=clear); + $password=($profileDetails | Select-String 'Key Content\W+\:(.+)$').Matches.Groups[1].Value.Trim(); + [PSCustomObject]@{ SSID=$name; PASSWORD=$password } + } | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Wi-Fi Profiles.json'" + ExportFormat: json # Documentation # N/A 
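Review bot: `$password=($profileDetails | Select-String 'Key Content\W+\:(.+)$').Matches.Groups[1].Value.Trim()` fails on any profile without a `Key Content` line (open networks, or a run that lacks the rights `key=clear` needs), because `Select-String` returns nothing and `.Trim()` is then invoked on `$null`; guard it in both processors, e.g. `$m = $profileDetails | Select-String 'Key Content\W+\:(.+)$'; $password = if ($m) { $m.Matches.Groups[1].Value.Trim() } else { '' }`. The output is plaintext Wi-Fi PSKs written to `Wi-Fi Profiles.csv` / `.json`, so the Documentation block (`# N/A`) should state that and that `key=clear` typically requires an elevated context, so collections are handled and stored accordingly. The module's `Id` changes from `5021953e-…` to `e4d8433b-…` while `Version` stays 1.0 — if this is the same module rewritten, keep the Id and bump the version instead so downstream references keep resolving.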
diff --git a/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape b/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape index 56049fc41..c3593a34e 100644 --- a/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape +++ b/Modules/Windows/Windows_nbtstat_NetBIOSCache.mkape @@ -1,6 +1,6 @@ Description: NBTStat_NETBIOS_Cache -Category: LiveResponse -Author: Mike Cary +Category: Network Activity +Author: Mike Cary, Max Zabuty Version: 1.0 Id: d0309794-03b1-40bf-bbdd-12fe77f5e0a6 ExportFormat: txt @@ -9,7 +9,7 @@ Processors: Executable: C:\Windows\System32\nbtstat.exe CommandLine: -c ExportFormat: txt - ExportFile: netbios_cache.txt + ExportFile: NetBIOS Cache.txt # Documentation # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat diff --git a/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape b/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape index 7172c84c0..3553eedfe 100644 --- a/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape +++ b/Modules/Windows/Windows_nbtstat_NetBIOSSessions.mkape @@ -1,6 +1,6 @@ Description: NBTStat_NETBIOS_Sessions -Category: LiveResponse -Author: Mike Cary +Category: Network Activity +Author: Mike Cary, Max Zabuty Version: 1.0 Id: 340d77a6-a9bd-400b-b3b6-bdd5a2085e3c ExportFormat: txt @@ -9,7 +9,7 @@ Processors: Executable: C:\Windows\System32\nbtstat.exe CommandLine: -s ExportFormat: txt - ExportFile: netbios_sessions.txt + ExportFile: NetBIOS Session.txt # Documentation # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat diff --git a/Modules/Windows/Windows_schtasks.mkape b/Modules/Windows/Windows_schtasks.mkape index 25902bb1f..ce5908ff5 100644 --- a/Modules/Windows/Windows_schtasks.mkape +++ b/Modules/Windows/Windows_schtasks.mkape @@ -1,7 +1,7 @@ Description: Displays all scheduled tasks -Category: LiveResponse +Category: Persistence Author: Brian Maloney -Version: 1.1 +Version: 1.2 Id: 66d26feb-6dd7-4b12-b88b-b43ee17cd2c7 ExportFormat: csv Processors: 
@@ -9,12 +9,12 @@ Processors: Executable: C:\Windows\System32\schtasks.exe CommandLine: /Query /V /FO CSV ExportFormat: csv - ExportFile: scheduled_tasks.csv + ExportFile: Scheduled Tasks.csv - Executable: C:\Windows\System32\schtasks.exe CommandLine: /Query /XML ExportFormat: xml - ExportFile: scheduled_tasks.xml + ExportFile: Scheduled Tasks.xml # Documentation # https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks diff --git a/Targets/Compound/ProgramExecution.tkape b/Targets/Compound/ProgramExecution.tkape new file mode 100644 index 000000000..3eea57fe9 --- /dev/null +++ b/Targets/Compound/ProgramExecution.tkape @@ -0,0 +1,57 @@ +Description: Program Execution Triage Collection +Author: Max Zabuty +Version: 1 +Id: c67f2cfe-0664-41d7-9536-daf3be778e84 +RecreateDirectories: true +Targets: + - + Name: Amcache + Category: ApplicationCompatibility + Path: Amcache.tkape + - + Name: AppCompatPCA + Category: ApplicationCompatibility + Path: AppCompatPCA.tkape + - + Name: Prefetch + Category: Prefetch + Path: Prefetch.tkape + - + Name: RecentFileCache + Category: ApplicationCompatibility + Path: RecentFileCache.tkape + - + Name: Syscache + Category: Syscache + Path: Syscache.tkape + - + Name: PowerShellTranscripts + Category: PowerShellTranscripts + Path: PowerShellTranscripts.tkape + - + Name: PowerShellConsole + Category: PowerShellConsole + Path: PowerShellConsole.tkape + - + Name: WBEM + Category: WBEM + Path: WBEM.tkape + - + Name: WER + Category: WER + Path: WER.tkape + - + Name: WindowsTimeline + Category: WindowsTimeline + Path: WindowsTimeline.tkape + - + Name: JumpLists + Category: JumpLists + Path: JumpLists.tkape + - + Name: .NET CLR UsageLogs + Category: .NET CLR UsageLogs + Path: NETCLRUsageLogs.tkape + +# Documentation +# Collecting different artifacts related to program execution on the host \ No newline at end of file 
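Review bot: The Documentation block of the new `ProgramExecution.tkape` says only `# Collecting different artifacts related to program execution on the host`; it should spell out what the compound deliberately leaves out, since the registry-resident execution artifacts (AppCompatCache/ShimCache and BAM/DAM live in the SYSTEM hive) are not among the twelve listed targets, and an analyst running only this Target would miss them unless they also collect `RegistryHives`. Suggest adding `# Registry-based execution artifacts (AppCompatCache/ShimCache, BAM/DAM) are NOT included here; collect RegistryHives.tkape alongside this Target.` `Version: 1` also departs from the `Version: 1.0` form the other Targets in this patch set use.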
diff --git a/Targets/Windows/HostsFile.tkape b/Targets/Windows/HostsFile.tkape new file mode 100644 index 000000000..c31caeabd --- /dev/null +++ b/Targets/Windows/HostsFile.tkape @@ -0,0 +1,14 @@ +Description: Hosts file +Author: Max Zabuty +Version: 1.0 +Id: 6f045c9b-5d0c-42ec-ab09-050b9853a5e9 +RecreateDirectories: true +Targets: + - + Name: HostsFile + Category: HostsFile + Path: C:\Windows\System32\drivers\etc\ + FileMask: 'Hosts' + +# Documentation +# None \ No newline at end of file diff --git a/Targets/Windows/JumpLists.tkape b/Targets/Windows/JumpLists.tkape new file mode 100644 index 000000000..72e6bce40 --- /dev/null +++ b/Targets/Windows/JumpLists.tkape @@ -0,0 +1,20 @@ +Description: Jump lists +Author: Max Zabuty +Version: 1 +Id: 2e354bdc-e418-438e-8439-c21c83c64e11 +RecreateDirectories: true +Targets: + - + Name: JumpLists from CustomDestinations + Category: JumpLists + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ + Recursive: true + - + Name: JumpLists from CustomDestinations + Category: JumpLists + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ + Recursive: true + +# Documentation +# https://www.forensafe.com/blogs/jumplist.html +# https://dfir.pubpub.org/pub/wfuxlu9v/release/1 \ No newline at end of file diff --git a/Targets/Windows/RecentFolders.tkape b/Targets/Windows/RecentFolders.tkape new file mode 100644 index 000000000..037b83091 --- /dev/null +++ b/Targets/Windows/RecentFolders.tkape 
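Review bot: The hosts-file location is redirectable — Windows reads `hosts` from the directory named by the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` — so the hard-coded `Path: C:\Windows\System32\drivers\etc\` with `FileMask: 'Hosts'` can miss a hosts file an attacker relocated, and the resulting empty collection then looks like a clean host. That caveat belongs in the Documentation block (currently `# None`), e.g. `# If Tcpip\Parameters\DataBasePath has been changed, the live hosts file lives elsewhere; check the SYSTEM hive.` Consider `FileMask: '*'` since the directory is tiny and `lmhosts`/`lmhosts.sam`, `networks`, `protocol` and `services` are useful alongside it — `lmhosts` is another name-resolution override.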
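Review bot: In the new `JumpLists.tkape` both entries are named `JumpLists from CustomDestinations`; the first one's `Path` is `...\Recent\AutomaticDestinations\`, so its `Name` should read `JumpLists from AutomaticDestinations` — the name is what KAPE reports for the collection, so the copy-paste makes the two indistinguishable in console and log output. `Version: 1` should be `1.0` to match the sibling targets. No `FileMask` is given; if those folders hold only `*.automaticDestinations-ms` / `*.customDestinations-ms` files that is fine, but a one-line `Comment:` saying so would stop a later contributor from "fixing" it.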
@@ -0,0 +1,19 @@ +Description: Recent Folders LNK files +Author: Max Zabuty +Version: 1 +Id: 103c8de7-3303-41ea-98d5-35ea1a3ae1ae +RecreateDirectories: true +Targets: + - + Name: LNK Files from Recent + Category: File and Folder Usage + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\ + Recursive: true + - + Name: LNK Files from Microsoft Office Recent + Category: File and Folder Usage + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Office\Recent\ + Recursive: true + +# Documentation +# https://www.cybertriage.com/artifact/windows-recents-folder-artifact/ diff --git a/Targets/Windows/StartupFolders.tkape b/Targets/Windows/StartupFolders.tkape index 18acfcdcf..19f6388e7 100644 --- a/Targets/Windows/StartupFolders.tkape +++ b/Targets/Windows/StartupFolders.tkape @@ -7,11 +7,11 @@ Targets: - Name: User startup folders Category: Persistence - Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup + Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs - Name: System-wide startup folder Category: Persistence - Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp + Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs # Documentation # https://attack.mitre.org/techniques/T1547/001/ From aa3f613001eda79ae69c20044e7499250e0487ec Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Mon, 9 Sep 2024 12:39:32 -0400 Subject: [PATCH 134/146] Update SysInternals_Autoruns.mkape add newline --- Modules/Apps/SysInternals/SysInternals_Autoruns.mkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape b/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape index b729510c0..7aee35bb7 100644 --- a/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape +++ b/Modules/Apps/SysInternals/SysInternals_Autoruns.mkape 
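Review bot: `Recursive: true` on `C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\` with no `FileMask` also pulls the `AutomaticDestinations` and `CustomDestinations` subfolders, which is exactly what `JumpLists.tkape` in this same patch collects, so the two targets overlap while this entry's `Name: LNK Files from Recent` promises only shortcuts. Either add `FileMask: '*.lnk'` to both entries (the Office `Recent` folder holds `.LNK` files too) or drop `Recursive: true` on the first one, and say in the Documentation block which of the two Targets owns the jump-list folders.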
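Review bot: Changing `Path` from `...\Start Menu\Programs\Startup` to `...\Start Menu\Programs` in both entries, with no `Recursive: true` visible in this hunk, looks like it now collects the shortcuts directly in `Programs` and no longer descends into the `Startup` subfolder — the opposite of what a persistence target wants — unless KAPE treats the path as recursive by default, which the visible target entries don't show. If the intent is to widen collection to the whole Programs tree, add `Recursive: true` under each `Path:` and rename the entries, since `User startup folders` / `System-wide startup folder` no longer describe what is collected; if not, restore the `\Startup` suffix. The header with the `Version` line is outside this hunk, but the change deserves a bump either way.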
@@ -12,4 +12,4 @@ Processors: ExportFormat: csv # Documentation -# https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns \ No newline at end of file +# https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns From e754cf95568c6115145cc1874553073ca60ccb0b Mon Sep 17 00:00:00 2001 From: Andrew Rathbun Date: Mon, 9 Sep 2024 15:00:08 -0400 Subject: [PATCH 135/146] linter fixes, add newlines and documentation boilerplate --- Modules/Compound/NetworkActivity.mkape | 5 ++++- Modules/Compound/Persistence.mkape | 5 ++++- Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape | 3 +++ Modules/Compound/SystemInformation.mkape | 5 ++++- Modules/Windows/PowerShell_AccessibilityFeatures.mkape | 2 +- Modules/Windows/PowerShell_DnsClientCache.mkape | 2 +- Modules/Windows/PowerShell_NamedPipes.mkape | 2 +- Modules/Windows/PowerShell_NetNeighbor.mkape | 2 +- Modules/Windows/PowerShell_NetRoute.mkape | 2 +- Modules/Windows/PowerShell_NetworkAdapters.mkape | 2 +- Modules/Windows/PowerShell_NetworkIPAddresses.mkape | 2 +- Modules/Windows/PowerShell_NetworkIPConfiguration.mkape | 2 +- Modules/Windows/PowerShell_RecycleBinParsing.mkape | 2 +- Modules/Windows/PowerShell_TCPConnections.mkape | 2 +- Modules/Windows/PowerShell_WMIProviders.mkape | 2 +- 15 files changed, 26 insertions(+), 14 deletions(-) diff --git a/Modules/Compound/NetworkActivity.mkape b/Modules/Compound/NetworkActivity.mkape index 6de1717b5..adab67159 100644 --- a/Modules/Compound/NetworkActivity.mkape +++ b/Modules/Compound/NetworkActivity.mkape @@ -60,4 +60,7 @@ Processors: - Executable: PowerShell_NetRoute.mkape CommandLine: "" - ExportFormat: "" \ No newline at end of file + ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/Compound/Persistence.mkape b/Modules/Compound/Persistence.mkape index f0e49fee9..7f5ad6955 100644 --- a/Modules/Compound/Persistence.mkape +++ b/Modules/Compound/Persistence.mkape 
@@ -20,4 +20,7 @@ Processors: - Executable: PowerShell_AccessibilityFeatures.mkape CommandLine: "" - ExportFormat: "" \ No newline at end of file + ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape b/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape index 811e98588..69855a2a7 100644 --- a/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape +++ b/Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape @@ -37,3 +37,6 @@ Processors: Executable: PowerShell_Services_List.mkape CommandLine: "" ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/Compound/SystemInformation.mkape b/Modules/Compound/SystemInformation.mkape index 6da2ba58b..85987627b 100644 --- a/Modules/Compound/SystemInformation.mkape +++ b/Modules/Compound/SystemInformation.mkape @@ -48,4 +48,7 @@ Processors: - Executable: PowerShell_Defender_Exclusions.mkape CommandLine: "" - ExportFormat: "" \ No newline at end of file + ExportFormat: "" + +# Documentation: +# N/A diff --git a/Modules/Windows/PowerShell_AccessibilityFeatures.mkape b/Modules/Windows/PowerShell_AccessibilityFeatures.mkape index 810e0c2f0..2676dc665 100644 --- a/Modules/Windows/PowerShell_AccessibilityFeatures.mkape +++ b/Modules/Windows/PowerShell_AccessibilityFeatures.mkape @@ -17,4 +17,4 @@ Processors: ExportFormat: json # Documentation -# https://support.microsoft.com/en-us/windows/discover-windows-accessibility-features-8b1068e6-d3b8-4ba8-b027-133dd8911df9 \ No newline at end of file +# https://support.microsoft.com/en-us/windows/discover-windows-accessibility-features-8b1068e6-d3b8-4ba8-b027-133dd8911df9 diff --git a/Modules/Windows/PowerShell_DnsClientCache.mkape b/Modules/Windows/PowerShell_DnsClientCache.mkape index 7093991a5..6bfc17e42 100644 --- a/Modules/Windows/PowerShell_DnsClientCache.mkape +++ b/Modules/Windows/PowerShell_DnsClientCache.mkape 
@@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps \ No newline at end of file +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_NamedPipes.mkape b/Modules/Windows/PowerShell_NamedPipes.mkape index fa0590cfd..d3563b62a 100644 --- a/Modules/Windows/PowerShell_NamedPipes.mkape +++ b/Modules/Windows/PowerShell_NamedPipes.mkape @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes \ No newline at end of file +# https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes diff --git a/Modules/Windows/PowerShell_NetNeighbor.mkape b/Modules/Windows/PowerShell_NetNeighbor.mkape index 6cf07e4f1..752ad9d76 100644 --- a/Modules/Windows/PowerShell_NetNeighbor.mkape +++ b/Modules/Windows/PowerShell_NetNeighbor.mkape @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps \ No newline at end of file +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_NetRoute.mkape b/Modules/Windows/PowerShell_NetRoute.mkape index 143dbdea3..343a7a0b5 100644 --- a/Modules/Windows/PowerShell_NetRoute.mkape +++ b/Modules/Windows/PowerShell_NetRoute.mkape @@ -17,4 +17,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute?view=windowsserver2022-ps \ No newline at end of file +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_NetworkAdapters.mkape b/Modules/Windows/PowerShell_NetworkAdapters.mkape index 0dbc3fb6c..007e0c9d3 100644 
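Review bot: The documentation link kept on the new side of `PowerShell_DnsClientCache.mkape`, `# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netneighbor?view=windowsserver2022-ps`, is the Get-NetNeighbor page copied from `PowerShell_NetNeighbor.mkape`, not the cmdlet this module is named after; it should point at `https://learn.microsoft.com/en-us/powershell/module/dnsclient/get-dnsclientcache`. The Processors block is outside this hunk, so I am assuming the module does call Get-DnsClientCache.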
--- a/Modules/Windows/PowerShell_NetworkAdapters.mkape +++ b/Modules/Windows/PowerShell_NetworkAdapters.mkape @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps \ No newline at end of file +# https://learn.microsoft.com/en-us/powershell/module/netadapter/get-netadapter?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape index 04cae4660..10b788f65 100644 --- a/Modules/Windows/PowerShell_NetworkIPAddresses.mkape +++ b/Modules/Windows/PowerShell_NetworkIPAddresses.mkape @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps \ No newline at end of file +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipaddress?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape index 88251b621..14a7448f3 100644 --- a/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape +++ b/Modules/Windows/PowerShell_NetworkIPConfiguration.mkape @@ -17,4 +17,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps \ No newline at end of file +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_RecycleBinParsing.mkape b/Modules/Windows/PowerShell_RecycleBinParsing.mkape index 598b65526..2ce89b94e 100644 --- a/Modules/Windows/PowerShell_RecycleBinParsing.mkape +++ b/Modules/Windows/PowerShell_RecycleBinParsing.mkape 
@@ -19,4 +19,4 @@ Processors: # Documentation # https://forensafe.com/blogs/recycleBin.html # https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal -# https://www.devhut.net/vba-shell-application-deep-dive/ \ No newline at end of file +# https://www.devhut.net/vba-shell-application-deep-dive/ diff --git a/Modules/Windows/PowerShell_TCPConnections.mkape b/Modules/Windows/PowerShell_TCPConnections.mkape index f8cc981b7..368accde2 100644 --- a/Modules/Windows/PowerShell_TCPConnections.mkape +++ b/Modules/Windows/PowerShell_TCPConnections.mkape @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2022-ps \ No newline at end of file +# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-nettcpconnection?view=windowsserver2022-ps diff --git a/Modules/Windows/PowerShell_WMIProviders.mkape b/Modules/Windows/PowerShell_WMIProviders.mkape index 07f114104..b71f1171a 100644 --- a/Modules/Windows/PowerShell_WMIProviders.mkape +++ b/Modules/Windows/PowerShell_WMIProviders.mkape @@ -15,4 +15,4 @@ Processors: ExportFormat: json # Documentation -# https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-providers \ No newline at end of file +# https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-providers From 1339751b265a5faa0638d1eb28f99acd485f8e5e Mon Sep 17 00:00:00 2001 From: Andrew Rathbun Date: Mon, 9 Sep 2024 15:02:19 -0400 Subject: [PATCH 136/146] linter fixes --- Targets/Compound/ProgramExecution.tkape | 2 +- Targets/Windows/HostsFile.tkape | 2 +- Targets/Windows/JumpLists.tkape | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Targets/Compound/ProgramExecution.tkape b/Targets/Compound/ProgramExecution.tkape index 3eea57fe9..e146c6e6f 100644 --- a/Targets/Compound/ProgramExecution.tkape +++ b/Targets/Compound/ProgramExecution.tkape 
@@ -54,4 +54,4 @@ Targets: Path: NETCLRUsageLogs.tkape # Documentation -# Collecting different artifacts related to program execution on the host \ No newline at end of file +# Collecting different artifacts related to program execution on the host diff --git a/Targets/Windows/HostsFile.tkape b/Targets/Windows/HostsFile.tkape index c31caeabd..0ce3118b3 100644 --- a/Targets/Windows/HostsFile.tkape +++ b/Targets/Windows/HostsFile.tkape @@ -11,4 +11,4 @@ Targets: FileMask: 'Hosts' # Documentation -# None \ No newline at end of file +# N/A diff --git a/Targets/Windows/JumpLists.tkape b/Targets/Windows/JumpLists.tkape index 72e6bce40..ec8cbae5d 100644 --- a/Targets/Windows/JumpLists.tkape +++ b/Targets/Windows/JumpLists.tkape @@ -17,4 +17,4 @@ Targets: # Documentation # https://www.forensafe.com/blogs/jumplist.html -# https://dfir.pubpub.org/pub/wfuxlu9v/release/1 \ No newline at end of file +# https://dfir.pubpub.org/pub/wfuxlu9v/release/1 From 8324d6fb821e0aea4f1835f8df1de4be09d32e98 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun Date: Mon, 9 Sep 2024 15:04:20 -0400 Subject: [PATCH 137/146] final linter fix --- Targets/Compound/ProgramExecution.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Compound/ProgramExecution.tkape b/Targets/Compound/ProgramExecution.tkape index e146c6e6f..90ae0b443 100644 --- a/Targets/Compound/ProgramExecution.tkape +++ b/Targets/Compound/ProgramExecution.tkape @@ -52,6 +52,6 @@ Targets: Name: .NET CLR UsageLogs Category: .NET CLR UsageLogs Path: NETCLRUsageLogs.tkape - + # Documentation # Collecting different artifacts related to program execution on the host From be2e570ab15cfe33e9d0083510db1a01ad0ba3d0 Mon Sep 17 00:00:00 2001 From: Qazeer Date: Tue, 10 Sep 2024 23:25:38 +0200 Subject: [PATCH 138/146] Update WindowsTimeline target to be recursive on ConnectedDevicesPlatform folder --- Targets/Windows/WindowsTimeline.tkape | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/Targets/Windows/WindowsTimeline.tkape b/Targets/Windows/WindowsTimeline.tkape index 174c4f547..1b97ccac0 100644 --- a/Targets/Windows/WindowsTimeline.tkape +++ b/Targets/Windows/WindowsTimeline.tkape @@ -1,13 +1,14 @@ Description: ActivitiesCache.db collector -Author: Lee Whitfield -Version: 1.0 +Author: Lee Whitfield, Thomas DIOT (Qazeer) +Version: 1.1 Id: 8315040f-c9a4-455a-b02c-96372583f436 RecreateDirectories: true Targets: - Name: ActivitiesCache.db Category: FileFolderAccess - Path: C:\Users\%user%\AppData\Local\ConnectedDevicesPlatform\*\ + Path: C:\Users\%user%\AppData\Local\ConnectedDevicesPlatform\ + Recursive: true FileMask: ActivitiesCache.db* # Documentation From 3dc26b76622e32a77e13f0a640e305dc5768bd14 Mon Sep 17 00:00:00 2001 From: Qazeer Date: Sun, 15 Sep 2024 20:58:30 +0200 Subject: [PATCH 139/146] Add PowerShell_Execute-UsnJrnlRewind module --- .../PowerShell_Execute-UsnJrnlRewind.mkape | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape diff --git a/Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape b/Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape new file mode 100644 index 000000000..c0c8e39cc --- /dev/null +++ b/Modules/Apps/GitHub/PowerShell_Execute-UsnJrnlRewind.mkape 
@@ -0,0 +1,20 @@ +Description: Execute-UsnJrnlRewind.ps1 - Execute usnjrnl_rewind.exe on MFT and UsnJrnl CSV from MFTEcmd to "rewind" the UsnJrnl and add their full path to UsnJrnl entries. Works on the module destination directory. +Category: FileSystem +Author: CyberCX-DFIR, Thomas DIOT (Qazeer) +Version: 1.0 +Id: 82db8f91-7131-4c8e-a2d6-48cb52336ff9 +BinaryUrl: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0 +ExportFormat: CSV +Processors: + - + Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + CommandLine: "& '%kapeDirectory%\\Modules\\bin\\Execute-UsnJrnlRewind.ps1' -UsnJrnlRewindBinary '%kapeDirectory%\\Modules\\bin\\usnjrnl_rewind.exe' -InputDir '%destinationDirectory%' -OutputDir '%destinationDirectory%'" + ExportFormat: CSV + +# Documentation +# Process the module destinationDirectory\Filesystem folder to rewind the UsnJrnl following an execution of the MFTEcmd_$MFT and MFTEcmd_$J KAPE modules. +# Execute-UsnJrnlRewind.ps1 is a simple wrapper to usnjrnl_rewind.exe that finds and executes usnjrnl_rewind.exe on MFT and UsnJrnl CSV found in the specified folder. +# CyberCX NTFS Usnjrnl Rewind: https://cybercx.com.au/blog/ntfs-usnjrnl-rewind/ +# Original usnjrnl_rewind.py: https://github.com/CyberCX-DFIR/usnjrnl_rewind +# Execute-UsnJrnlRewind.ps1 wrapper: https://gist.github.com/Qazeer/2b90b93dfc21e0987e73302703e4b9e0 +# usnjrnl_rewind.exe (https://github.com/Qazeer/usnjrnl_rewind_compiled/releases) must be placed under "%kapeDirectory%\Modules\bin\usnjrnl_rewind.exe". From b6fd8c5f896bf20442ca587caa12cc56d431df04 Mon Sep 17 00:00:00 2001 
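Review bot: The module runs a compiled `usnjrnl_rewind.exe` that the Documentation block tells the analyst to fetch from `https://github.com/Qazeer/usnjrnl_rewind_compiled/releases`, a personal redistribution of CyberCX's Python tool, while `BinaryUrl` points only at the gist holding the wrapper script; for a binary that will execute on evidence-processing hosts, the docs should name the expected release and tell the user to verify the published hash or build from the original source, e.g. `# Verify the SHA-256 of usnjrnl_rewind.exe against the release page (or build it yourself from CyberCX-DFIR/usnjrnl_rewind) before placing it in Modules\bin.` The `& '%kapeDirectory%\...\Execute-UsnJrnlRewind.ps1'` invocation passes no `-ExecutionPolicy Bypass`, so on a host with a restrictive policy the wrapper may not run — check how the sibling PowerShell modules handle this. `ExportFormat: CSV` is uppercase here and lowercase `csv` in the other modules of this batch.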
From: Vikas Singh <39370194+vikas891@users.noreply.github.com> Date: Wed, 18 Sep 2024 12:03:20 +0530 Subject: [PATCH 140/146] Update PowerShellConsole.tkape I've added instructions to add PowerShell ISE's AutoSaveFiles as well the user.config The changes has been tested locally without any problems. I've also added my name in the Author as well as a brand new Blog on Notion. P.S. The Sophos blog from 2020 is also mine ;) Thanks Mike/2thewes for including it! --- Targets/Logs/PowerShellConsole.tkape | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Targets/Logs/PowerShellConsole.tkape b/Targets/Logs/PowerShellConsole.tkape index dfe4e2d12..e44802509 100644 --- a/Targets/Logs/PowerShellConsole.tkape +++ b/Targets/Logs/PowerShellConsole.tkape @@ -1,5 +1,5 @@ Description: PowerShell Console Log File -Author: Mike Cary, 2thewes +Author: Mike Cary, 2thewes, Vikas Singh Version: 1.2 Id: efa4332a-89eb-430c-ab61-006a9e6620d7 RecreateDirectories: true @@ -19,8 +19,19 @@ Targets: Category: PowerShellConsoleLog Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ FileMask: '*_history.txt' + - + Name: PowerShell ISE - AutoSave Files + Category: PowerShellConsoleLog + Path: C:\Users\%user%\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\AutoSaveFiles\ + FileMask: '*.ps1' + - + Name: PowerShell ISE - User Config + Category: PowerShellConsoleLog + Path: C:\Users\%user%\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName*\*\ + FileMask: '*.config' # Documentation +# https://vikas-singh.notion.site/PowerShell-Command-History-Forensics-81a35c4f0b824c2b95c28f98134d49a4?pvs=4 # https://community.sophos.com/malware/b/blog/posts/powershell-command-history-forensics # https://darizotas.blogspot.com/2018/10/forensics-powershell-artifacts.html # https://digital-forensics.sans.org/media/DFPS_FOR508_v4.4_1-19.pdf 
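Review bot: `Version: 1.2` is unchanged although two new targets are added (the `Author` line in the first hunk is updated but the `Version` context line right below it is not); this patch series bumps versions for comparable additions (`RegistryHives` 1.1→1.2, `P2PClients` 1.0→1.1), so make it `Version: 1.3`. `FileMask: '*.ps1'` for `AutoSaveFiles` assumes ISE autosaves keep the `.ps1` extension — I cannot confirm the naming from here, so if untitled tabs are saved under another name, `FileMask: '*'` is the safer choice. `Category: PowerShellConsoleLog` for the `*.config` entry is a stretch since `user.config` is a settings file rather than command history; a `Comment:` stating what it records and why it is collected would help the analyst reading the output tree.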
From 1b76c94a58b3e51922faee5783521cc9cca84de8 Mon Sep 17 00:00:00 2001 From: Fabio Melo Pfeifer Date: Tue, 24 Sep 2024 21:45:04 -0300 Subject: [PATCH 141/146] Include target for eMule evidences --- Targets/P2P/eMule.tkape | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 Targets/P2P/eMule.tkape diff --git a/Targets/P2P/eMule.tkape b/Targets/P2P/eMule.tkape new file mode 100644 index 000000000..fff5aa071 --- /dev/null +++ b/Targets/P2P/eMule.tkape @@ -0,0 +1,29 @@ +Description: eMule +Author: Fábio Melo Pfeifer +Version: 1.0 +Id: dd4d5575-46aa-4618-9ecf-f8f9d7271b0c +RecreateDirectories: true +Targets: + - + Name: eMule Logs and Configuration Files + Category: FileDownload + Path: C:\Users\%user%\AppData\Local\eMule\ + Recursive: true + Comment: "Locates eMule logs and configuration files and copies them." + + - + Name: eMule part.met files + Category: FileDownload + Path: C:\ + FileMask: '*.part.met' + Recursive: true + Comment: "Locates eMule *.part.met files and copies them." + +# Documentation +# https://www.researchgate.net/publication/269080208_Identificacao_de_Artefatos_Periciais_do_eMule +# eMule is a file-sharing client which supports the eDonkey protocol. +# Logs are stored in .met format and have to be viewed in a hex editor, or parsed using a specific parser. +# known.met within the configuration folder will contain information on downloaded and uploaded files. +# AC_SearchStrings.dat contains searches conducted by the user. +# A .part.met file contains information about a current download. +# TKape was created for version 0.50a. From 73561730a085e5ac05a7a6773e221fb1d2206677 Mon Sep 17 00:00:00 2001 From: Fabio Melo Pfeifer Date: Tue, 24 Sep 2024 21:45:30 -0300 Subject: [PATCH 142/146] Include eMule target into P2PClients compound target --- Targets/Compound/P2PClients.tkape | 4 ++++ 1 file changed, 4 insertions(+) 
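Review bot: The second entry walks the entire volume (`Path: C:\` with `Recursive: true` and `FileMask: '*.part.met'`), by far the most expensive part of this Target, and it is only needed when the user moved eMule's Temp directory away from the `%LOCALAPPDATA%\eMule\` tree the first entry already covers recursively; say so in a `Comment:` so analysts can drop it on large disks, e.g. `Comment: "Whole-volume search for *.part.met; only needed when eMule's Temp directory was relocated out of %LOCALAPPDATA%\eMule. Slow on large volumes."` `Description: eMule` could also name the artifact class, e.g. `eMule P2P client logs, configuration and in-progress download metadata`.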
diff --git a/Targets/Compound/P2PClients.tkape b/Targets/Compound/P2PClients.tkape index 1d36a504e..9b061488e 100644 --- a/Targets/Compound/P2PClients.tkape +++ b/Targets/Compound/P2PClients.tkape @@ -24,6 +24,10 @@ Targets: Name: Soulseek Category: FileDownload Path: Soulseek.tkape + - + Name: eMule + Category: FileDownload + Path: eMule.tkape # For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_file-sharing_applications. # Install one of the applications not covered above and find where useful information is stored. If useful information can be located, make an individual Target for it and place in the appropriate folder. Then, include that Target in the appropriate Compound Target. From a5bee5874ce35216acdb761a4ecd281ec920e697 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 24 Sep 2024 20:59:04 -0400 Subject: [PATCH 143/146] alphabetically sort Targets --- Targets/Compound/P2PClients.tkape | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Targets/Compound/P2PClients.tkape b/Targets/Compound/P2PClients.tkape index 9b061488e..5d558b176 100644 --- a/Targets/Compound/P2PClients.tkape +++ b/Targets/Compound/P2PClients.tkape @@ -8,6 +8,10 @@ Targets: Name: DC++ Category: FileDownload Path: DC++.tkape + - + Name: eMule + Category: FileDownload + Path: eMule.tkape - Name: FrostWire Category: FileDownload 
@@ -24,10 +28,6 @@ Targets: Name: Soulseek Category: FileDownload Path: Soulseek.tkape - - - Name: eMule - Category: FileDownload - Path: eMule.tkape # For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_file-sharing_applications. # Install one of the applications not covered above and find where useful information is stored. If useful information can be located, make an individual Target for it and place in the appropriate folder. Then, include that Target in the appropriate Compound Target. From 7e9e7d95a41d898dad66ffca4972848b73c61495 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 24 Sep 2024 20:59:23 -0400 Subject: [PATCH 144/146] Update P2PClients.tkape increment version number --- Targets/Compound/P2PClients.tkape | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Targets/Compound/P2PClients.tkape b/Targets/Compound/P2PClients.tkape index 5d558b176..b56f84442 100644 --- a/Targets/Compound/P2PClients.tkape +++ b/Targets/Compound/P2PClients.tkape @@ -1,6 +1,6 @@ Description: P2P Clients Author: Andrew Rathbun -Version: 1.0 +Version: 1.1 Id: 4357b5ff-0bd4-41c0-a644-463ea0e14c48 RecreateDirectories: true Targets: From 063889436f8c638a22fc24c83f1844755c79c561 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Tue, 24 Sep 2024 21:00:28 -0400 Subject: [PATCH 145/146] Update eMule.tkape - linter fixes --- Targets/P2P/eMule.tkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Targets/P2P/eMule.tkape b/Targets/P2P/eMule.tkape index fff5aa071..48511a29f 100644 --- a/Targets/P2P/eMule.tkape +++ b/Targets/P2P/eMule.tkape @@ -10,7 +10,7 @@ Targets: Path: C:\Users\%user%\AppData\Local\eMule\ Recursive: true Comment: "Locates eMule logs and configuration files and copies them." - + - Name: eMule part.met files Category: FileDownload 
@@ -22,7 +22,7 @@ Targets:
 # Documentation
 # https://www.researchgate.net/publication/269080208_Identificacao_de_Artefatos_Periciais_do_eMule
 # eMule is a file-sharing client which supports the eDonkey protocol.
-# Logs are stored in .met format and have to be viewed in a hex editor, or parsed using a specific parser.
+# Logs are stored in .met format and must be viewed in a hex editor or parsed using a specific parser.
 # known.met within the configuration folder will contain information on downloaded and uploaded files.
 # AC_SearchStrings.dat contains searches conducted by the user.
 # A .part.met file contains information about a current download.
From aecd71c38cf815229b6eb06259cf7e2387b8ef03 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun
Date: Wed, 25 Sep 2024 21:28:53 -0400
Subject: [PATCH 146/146] update BinaryUrls
---
 Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape | 2 +-
 Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape | 2 +-
 .../Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape | 2 +-
 .../Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape | 2 +-
 .../Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape | 2 +-
 Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape b/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape
index f5e5ce70d..bdd349197 100644
--- a/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape
+++ b/Modules/Apps/GitHub/PowerShell_Get-ChainsawSigmaRules.mkape
@@ -3,7 +3,7 @@ Category: ChainsawSync
 Author: Andrew Rathbun
 Version: 1.0
 Id: b3fc53a5-4f10-431d-903a-65700bf16e2f
-BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Get-ChainsawSigmaRules.ps1
+BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Get-ChainsawSigmaRules.ps1
 ExportFormat: txt
 Processors:
 -
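Review bot: The new `+BinaryUrl:` line still points at the mutable `main` branch of a personal GitHub repository (and at the `blob/` HTML view rather than the script file), so the module records no revision or hash against which an operator can check the PowerShell script they drop into the KAPE bin folder before it is run against evidence. Pinning the reference to a commit, e.g. `BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/<commit-sha-placeholder>/KAPE/Get-ChainsawSigmaRules.ps1`, or adding a comment line with the expected hash of the script at the time of the change, would give reviewers a fixed reference point. The same applies to the five sibling hunks in this commit (MFTECmd J/MFT parser, Move-KAPEConsoleHost_history, Parse-MatterMostDownloadsJson, SRUM-Repair, SUM-Repair). Each module's `Version:` is also left unchanged here, whereas other edits in this series (PATCH 144) bump it; if the repository convention is to bump on every change, these six should follow. Whether KAPE fetches from BinaryUrl or only displays it is not visible in this hunk, so the exposure is in how operators use the link.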
diff --git a/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape b/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape
index be1d579e0..0d2f5cdb9 100644
--- a/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape
+++ b/Modules/Apps/GitHub/PowerShell_MFTECmd_J-MFTParsing.mkape
@@ -3,7 +3,7 @@ Category: FileSystem
 Author: Andrew Rathbun
 Version: 1.1
 Id: ac0660c3-4eb2-4dee-ad90-5ef782b94750
-BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/MFTECmd%24J%24MFTParser.ps1
+BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/MFTECmd%24J%24MFTParser.ps1
 ExportFormat: csv
 Processors:
 -
diff --git a/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape b/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape
index edec61b37..f86cc89c4 100644
--- a/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape
+++ b/Modules/Apps/GitHub/PowerShell_Move-KAPEConsoleHost_history.mkape
@@ -3,7 +3,7 @@ Category: PowerShellHistory
 Author: Andrew Rathbun and Matt Arbaugh
 Version: 1.0
 Id: e57584ec-0c9a-49cf-9ac5-7d42c7570fae
-BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Move-KAPEConsoleHost_history.ps1
+BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Move-KAPEConsoleHost_history.ps1
 ExportFormat: txt
 Processors:
 -
diff --git a/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape b/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape
index a25a8e345..02381a11a 100644
--- a/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape
+++ b/Modules/Apps/GitHub/PowerShell_Parse-MatterMostDownloadsJson.mkape
@@ -3,7 +3,7 @@ Category: Downloads
 Author: Andrew Rathbun
 Version: 1.0
 Id: cb794d78-a91a-4119-95b5-3a3b844d3fbe
-BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/Parse-MatterMostDownloadsJson.ps1
+BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/Parse-MatterMostDownloadsJson.ps1
 ExportFormat: csv
 Processors:
 -
diff --git a/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape b/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape
index 867f7cf54..fb72bdfbc 100644
--- a/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape
+++ b/Modules/Apps/GitHub/PowerShell_SrumECmd_SRUM-RepairAndParse.mkape
@@ -3,7 +3,7 @@ Category: SRUM
 Author: Matthew Arbaugh
 Version: 1.0
 Id: a03a3be0-0101-42cc-a639-484ab24e0018
-BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SRUM-Repair.ps1
+BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/SRUM-Repair.ps1
 ExportFormat: csv
 Processors:
 -
diff --git a/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape b/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape
index cd45fd26a..4546184f4 100644
--- a/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape
+++ b/Modules/Apps/GitHub/PowerShell_SumECmd_SUM-RepairAndParse.mkape
@@ -3,7 +3,7 @@ Category: SUM
 Author: Matthew Arbaugh
 Version: 1.0
 Id: 92cc0f6c-4e41-4b1f-b250-4b016724f1c8
-BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SUM-Repair.ps1
+BinaryUrl: https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/KAPE/SUM-Repair.ps1
 ExportFormat: csv
 Processors:
 -