From ea2ed18fa3e70b510d455a6449ab8ce5658c789f Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Wed, 17 Jan 2024 13:15:39 -0500
Subject: [PATCH 1/4] update GUIDs

---
 Modules/CompoundModuleGuide.guide | 2 +-
 Modules/CompoundModuleTemplate.template | 2 +-
 Targets/CompoundTargetGuide.guide | 2 +-
 Targets/CompoundTargetTemplate.template | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Modules/CompoundModuleGuide.guide b/Modules/CompoundModuleGuide.guide
index e428857823..de125ea21f 100644
--- a/Modules/CompoundModuleGuide.guide
+++ b/Modules/CompoundModuleGuide.guide
@@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher
 Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
 Author: FirstName LastName # Make sure you get credit for your work
 Version: 1.0 # Required, iterate as necessary
-Id: 62308e3b-5e67-4612-b472-24e0c85fccfe # Required, unique GUID is required for every KAPE Target/Module
+Id: b407d036-eef7-47ba-bd82-5fd5785e1af8 # Required, unique GUID is required for every KAPE Target/Module
 BinaryUrl: https://url.goes.here.com # Required
 ExportFormat: csv # Required
 FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module
diff --git a/Modules/CompoundModuleTemplate.template b/Modules/CompoundModuleTemplate.template
index 52a1be753b..bcebf75447 100644
--- a/Modules/CompoundModuleTemplate.template
+++ b/Modules/CompoundModuleTemplate.template
@@ -2,7 +2,7 @@ Description: Name of application/artifact here
 Category: Misc
 Author: FirstName LastName
 Version: 1.0
-Id: b61ccd7a-3f8a-4347-b5ac-21486aaa76c4
+Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv
 FileMask: FileName.exe
diff --git a/Targets/CompoundTargetGuide.guide b/Targets/CompoundTargetGuide.guide
index cfcdf2f4a8..a00315110e 100644
--- a/Targets/CompoundTargetGuide.guide
+++ b/Targets/CompoundTargetGuide.guide
@@ -2,7 +2,7 @@
 Description: Name of application/artifact here # Required, this will be visible within gKape on the Target side under the Description colum.,
 Author: Your name here # Required
 Version: 1.0 # Required, increment as revisions are made.
-Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here.
+Id: a0bd74ff-4848-4663-8093-865394b0da97 # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here.
 RecreateDirectories: true # Required, true means the folder structure of the artifacts will be created within the user-specified Target Destination directory. If an artifact is buried 10 folders deep on the suspect's system, it will be buried 10 folders deep within the Target Destination folder.
 Targets:
 -
diff --git a/Targets/CompoundTargetTemplate.template b/Targets/CompoundTargetTemplate.template
index 0da5fffc2a..3ece9855cd 100644
--- a/Targets/CompoundTargetTemplate.template
+++ b/Targets/CompoundTargetTemplate.template
@@ -1,7 +1,7 @@
 Description: Name of application/artifact here # Required
 Author: Your name here # Required
 Version: 1.0 # Required
-Id: Unique GUID here # Required
+Id: 89a28b16-15b1-476a-bd17-e3ba2602d5e0 # Required
 RecreateDirectories: true # Required
 Targets:
 -

From bca4bf102d3e0e96c698e80d2070ffed05746a09 Mon Sep 17 00:00:00 2001
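Review bot: The `.template` file now ships a concrete Id (`89a28b16-15b1-476a-bd17-e3ba2602d5e0`) where it previously had the `Unique GUID here` placeholder, so a contributor who copies the template and forgets the Id field submits a second Target carrying the same GUID, which the Guide's own comment says must be unique for every KAPE Target/Module. A placeholder that is not a valid GUID is presumably noticed at load or review time, whereas a real-looking duplicate is not. Consider keeping `Id: Unique GUID here # Required, generate a new GUID before submitting` in the template, or at least adding `# Change this before merging` next to the value, and the same for the `a0bd74ff-…` value now hard-coded in CompoundTargetGuide.guide.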
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Wed, 6 Mar 2024 03:24:48 -0500
Subject: [PATCH 2/4] Update and rename AssetAdvisorLog.tkape to SCCMClientLogs.tkape

---
 Targets/Windows/AssetAdvisorLog.tkape | 16 ----------------
 Targets/Windows/SCCMClientLogs.tkape | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 16 deletions(-)
 delete mode 100644 Targets/Windows/AssetAdvisorLog.tkape
 create mode 100644 Targets/Windows/SCCMClientLogs.tkape

diff --git a/Targets/Windows/AssetAdvisorLog.tkape b/Targets/Windows/AssetAdvisorLog.tkape
deleted file mode 100644
index 67f32b4b41..0000000000
--- a/Targets/Windows/AssetAdvisorLog.tkape
+++ /dev/null
@@ -1,16 +0,0 @@
-Description: Asset Advisor Log
-Author: Andrew Rathbun
-Version: 1.0
-Id: 700413f8-703b-44fb-9192-8830ac84b6b0
-RecreateDirectories: true
-Targets:
- -
- Name: Asset Advisor Log
- Category: Executables
- Path: C:\Windows\CCM\Logs\AssetAdvisor.log
- FileMask: EncapsulationLogging.hve
-
-# Documentation
-# I have seen reference to malicious binaries associated with a user in this log
-# Sample log entry
-# ]LOG]!>
diff --git a/Targets/Windows/SCCMClientLogs.tkape b/Targets/Windows/SCCMClientLogs.tkape
new file mode 100644
index 0000000000..86360baba9
--- /dev/null
+++ b/Targets/Windows/SCCMClientLogs.tkape
@@ -0,0 +1,18 @@
+Description: SCCM Client Log Files
+Author: Andrew Rathbun
+Version: 1.0
+Id: 700413f8-703b-44fb-9192-8830ac84b6b0
+RecreateDirectories: true
+Targets:
+ -
+ Name: SCCM Client Log Files
+ Category: Logs
+ Path: C:\Windows\CCM\Logs
+
+# Documentation
+# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/about-log-files#locating-log-files
+# Previous version of this Target: https://github.com/EricZimmerman/KapeFiles/commit/2199b6b7749b2f066e9f54a16626160279ab7948
+#
+# I have seen reference to malicious binaries associated with a user in a log found in this folder
+# Sample log entry:
+# ]LOG]!>
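Review bot: `Version: 1.0` is carried over unchanged although the Target's scope changed from the single `AssetAdvisor.log` file to the whole `C:\Windows\CCM\Logs` directory, and the guides in this same series say to increment Version as revisions are made; `Version: 1.1` would let consumers of the Target see that its collection footprint grew. The `# Sample log entry:` line is followed only by `# ]LOG]!>` here; if that is the committed text rather than a rendering artifact, the example no longer shows what a suspicious entry looks like, so either restore the full entry or drop those two lines. The `# I have seen reference to malicious binaries…` note would also be more actionable if it named which log file in the folder the observation came from.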
From 117b67a1acc1b54c6a2928c780f78f42ba87565d Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Wed, 6 Mar 2024 03:25:34 -0500
Subject: [PATCH 3/4] Update SCCMClientLogs.tkape

remove trailing space
---
 Targets/Windows/SCCMClientLogs.tkape | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Targets/Windows/SCCMClientLogs.tkape b/Targets/Windows/SCCMClientLogs.tkape
index 86360baba9..3ec369431e 100644
--- a/Targets/Windows/SCCMClientLogs.tkape
+++ b/Targets/Windows/SCCMClientLogs.tkape
@@ -5,7 +5,7 @@ Id: 700413f8-703b-44fb-9192-8830ac84b6b0
 RecreateDirectories: true
 Targets:
 -
- Name: SCCM Client Log Files 
+ Name: SCCM Client Log Files
 Category: Logs
 Path: C:\Windows\CCM\Logs

From 51ffdbecea9424dbbbfa87f23c7711cd01813ecf Mon Sep 17 00:00:00 2001
From: Andrew Rathbun
Date: Wed, 13 Mar 2024 23:45:18 -0400
Subject: [PATCH 4/4] update Guides and Templates with better comments re: GUID

---
 Modules/CompoundModuleGuide.guide | 3 +--
 Modules/CompoundModuleTemplate.template | 2 +-
 Modules/ModuleGuide.guide | 2 +-
 Modules/ModuleTemplate.template | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/Modules/CompoundModuleGuide.guide b/Modules/CompoundModuleGuide.guide
index de125ea21f..b3fbe03883 100644
--- a/Modules/CompoundModuleGuide.guide
+++ b/Modules/CompoundModuleGuide.guide
@@ -2,8 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher
 Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
 Author: FirstName LastName # Make sure you get credit for your work
 Version: 1.0 # Required, iterate as necessary
-Id: b407d036-eef7-47ba-bd82-5fd5785e1af8 # Required, unique GUID is required for every KAPE Target/Module
-BinaryUrl: https://url.goes.here.com # Required
+Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required
 ExportFormat: csv # Required
 FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module
 Processors:
diff --git a/Modules/CompoundModuleTemplate.template b/Modules/CompoundModuleTemplate.template
index bcebf75447..99f61df8bd 100644
--- a/Modules/CompoundModuleTemplate.template
+++ b/Modules/CompoundModuleTemplate.template
@@ -2,7 +2,7 @@ Description: Name of application/artifact here
 Category: Misc
 Author: FirstName LastName
 Version: 1.0
-Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea
+Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea # Change this, and delete this comment before merging, please
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv
 FileMask: FileName.exe
diff --git a/Modules/ModuleGuide.guide b/Modules/ModuleGuide.guide
index c9c2345b44..7d829001e3 100644
--- a/Modules/ModuleGuide.guide
+++ b/Modules/ModuleGuide.guide
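Review bot: The added Id line swallows the next field: it ends in `Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required`, i.e. the line break before `BinaryUrl:` was lost, which is also why this hunk shrinks the file (`-2,8 +2,7`) and BinaryUrl appears only as a removed line. Anyone building a Compound Module from this guide no longer sees the required BinaryUrl key, and a YAML reader treats the whole tail as part of the Id comment. Split it back into two lines: `Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guid` followed by `BinaryUrl: https://url.goes.here.com # Required`.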
@@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required
 Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
 Author: FirstName LastName # Make sure you get credit for your work
 Version: 1.0 # Required, iterate as necessary
-Id: 0256a455-1248-4e30-8175-727679189ddd # Required, unique GUID is required for every KAPE Target/Module
+Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guid
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv # Required, this is the default ExportFormat in the instance the user chooses a format that is not listed below, or simply chooses Default within gkape
 WaitTimeout: 0 # Optional, this specifies the number of minutes KAPE should wait for a Module to finish
diff --git a/Modules/ModuleTemplate.template b/Modules/ModuleTemplate.template
index 1f5c0fbc02..b7cd70a767 100644
--- a/Modules/ModuleTemplate.template
+++ b/Modules/ModuleTemplate.template
@@ -2,7 +2,7 @@ Description: Name of application/artifact here
 Category: Misc
 Author: FirstName LastName
 Version: 1.0
-Id: a2231a4c-3bdf-4254-a2ab-06021789d1b0
+Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbef # Change this, and delete this comment before merging, please
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv
 FileMask: FileName.exe
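Review bot: The new placeholder Id `eb5a737f-cfa1-483b-a452-3bd1efc4dbef` differs by a single hex digit from the `…dbea` value used in CompoundModuleTemplate.template in this same commit, so it looks hand-edited rather than generated, and two templates now carry near-identical, real-looking GUIDs whose uniqueness rests on a comment asking for them to be changed. The two Guides in this commit switch to `Id: Unique GUID here`, which cannot be merged by accident; using the same placeholder here would keep the templates consistent with the guides and make a forgotten Id visible at review time. If a real-looking value is preferred so the template stays loadable, generate it with the `kape.exe --guid` the guide comment mentions rather than editing digits of an existing one.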