
Create UsersFolders #897

Merged
merged 2 commits into from
Jan 5, 2024
Conversation

vxsh4d0w
Contributor

@vxsh4d0w vxsh4d0w commented Jan 2, 2024

Description

Please include a summary of the change and (if applicable) which issue is fixed.

Checklist:

Please replace every instance of [ ] with [X] OR click on the checkboxes after you submit your PR

  • I have generated a unique GUID for my Target(s)/Module(s)
  • I have placed the Target(s)/Module(s) in an appropriate subfolder in Targets or Modules. If one doesn't exist, I have either added it to the Misc folder or created a relevant subfolder with justification
  • I have set or updated the version of my Target(s)/Module(s)
  • I have verified that KAPE parses the Target(s)/Module(s) successfully via kape.exe, using --tlist/--mlist and corrected any errors
  • I have validated my Target(s)/Module(s) against test data and verified they are working as intended
  • I have made an attempt to document the artifacts within the Target(s) or Module(s) I am submitting. If documentation doesn't exist, I have placed N/A underneath the Documentation header
  • For Targets, I have consulted either the Target Guide, Target Template, Compound Target Guide, or Compound Target Template to ensure my Target(s) follow the same format
  • For Modules, I have consulted either the Module Guide, Module Template, Compound Module Guide, or Compound Module Template to ensure my Module(s) follow the same format

If your submission involves an SQLite database, have you considered making an SQLECmd Map for the SQLite database? If you make a Map, please add the SQLite database to the SQLiteDatabases.tkape Compound Target.

Thank you for your submission and for contributing to the DFIR community!

@EricZimmerman
Owner

Why?

You should at least add

%user%

So you can target just one if need be
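
As an added illustration of the point above (this is not the file merged in this PR, whose contents are not shown on this page), a KAPE Target in the usual .tkape layout that uses the %user% variable in its paths. KAPE expands %user% to each profile folder under \Users, so one Target entry covers every account on the host, while C:\Users\Public is listed explicitly because the discussion singles it out. The Id is a placeholder, the Author and the Desktop/Downloads subfolders are chosen for illustration only.

```yaml
# Added illustrative KAPE Target, not the one merged in this PR.
# Id is a placeholder: generate a unique GUID before use, as the checklist requires.
Description: User folders - common drop locations under each user profile, plus C:\Users\Public
Author: placeholder
Version: 1.0
Id: 00000000-0000-0000-0000-000000000000
RecreateDirectories: true
Targets:
    -
        Name: User Desktop
        Category: UserFolders
        # %user% is expanded by KAPE to each profile folder under \Users,
        # so this single entry collects the Desktop of every account on the host
        Path: C:\Users\%user%\Desktop\
        Recursive: true
        Comment: ""
    -
        Name: User Downloads
        Category: UserFolders
        Path: C:\Users\%user%\Downloads\
        Recursive: true
        Comment: ""
    -
        Name: Public folder
        Category: UserFolders
        # Listed explicitly (no variable) so it is collected regardless of how
        # %user% expands on a given host; the discussion above calls it out.
        Path: C:\Users\Public\
        Recursive: true
        Comment: ""
```

Save the file with the .tkape extension (the later comment on this PR notes the Target was first committed without it, so KAPE did not list it) under a Targets subfolder, then run kape.exe --tlist against the Targets directory as the checklist says, to confirm the Target parses before submitting.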

@vxsh4d0w
Contributor Author

vxsh4d0w commented Jan 2, 2024

Why?

You should at least add

%user%

So you can target just one if need be

Yes, you're right. Lately, I've observed various incidents where the threat actor used not only an ad-hoc user but also different compromised accounts within the same host, and quite often the folder C:\Users\Public was involved.
It would be great if it were possible to list various users and dump only specific folders.

@EricZimmerman
Owner

It would of course be \ between the paths

@vxsh4d0w
Contributor Author

vxsh4d0w commented Jan 2, 2024

It would of course be \ between the paths

what do you suggest?

@AndrewRathbun
Collaborator

@vxsh4d0w can you advise on 30fbaf6#commitcomment-136072586 before we merge, please?

@vxsh4d0w
Contributor Author

vxsh4d0w commented Jan 4, 2024

@vxsh4d0w can you advise on 30fbaf6#commitcomment-136072586 before we merge, please?

I think that Eric's suggestion is perfect. Thanks again. :)

@AndrewRathbun AndrewRathbun self-assigned this Jan 5, 2024
@AndrewRathbun AndrewRathbun merged commit 20937e4 into EricZimmerman:master Jan 5, 2024
1 check passed
@AndrewRathbun
Collaborator

AndrewRathbun commented Jun 22, 2024

FYSA, this Target never had the .tkape file extension, so I've added it just now. It should appear now after a --sync.

5a69ca4
