Update and rename AssetAdvisorLog.tkape to SCCMClientLogs.tkape, minor updates to Guide and Template comments #907

Merged (5 commits), Mar 14, 2024
3 changes: 1 addition & 2 deletions Modules/CompoundModuleGuide.guide
Expand Up @@ -2,8 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher
Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
Author: FirstName LastName # Make sure you get credit for your work
Version: 1.0 # Required, iterate as necessary
Id: 62308e3b-5e67-4612-b472-24e0c85fccfe # Required, unique GUID is required for every KAPE Target/Module
BinaryUrl: https://url.goes.here.com # Required
Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required
ExportFormat: csv # Required
FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module
Processors:
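Review bot: the single added line fuses the `BinaryUrl` key onto the end of the new `Id` comment (`... Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required`), so the guide no longer has a `BinaryUrl:` line at all; the file stats (1 addition, 2 deletions) confirm that two original lines were collapsed into one. Split it back into two lines: end the `Id:` line at `--guid` and restore `BinaryUrl: https://url.goes.here.com # Required` beneath it, as the ModuleGuide.guide hunk in this same PR does.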
2 changes: 1 addition & 1 deletion Modules/CompoundModuleTemplate.template
Expand Up @@ -2,7 +2,7 @@ Description: Name of application/artifact here
Category: Misc
Author: FirstName LastName
Version: 1.0
Id: b61ccd7a-3f8a-4347-b5ac-21486aaa76c4
Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea # Change this, and delete this comment before merging, please
BinaryUrl: https://url.goes.here.com
ExportFormat: csv
FileMask: FileName.exe
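Review bot: the placeholder is now a well-formed GUID, so a contributor who copies the template and misses the trailing comment will submit a Module whose Id collides with everyone else who did the same, and nothing in the file fails loudly. Prefer the `Unique GUID here` placeholder this PR introduces in ModuleGuide.guide and CompoundModuleGuide.guide, or at minimum keep the `delete this comment before merging` text on the same line so reviewers can grep for it.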
2 changes: 1 addition & 1 deletion Modules/ModuleGuide.guide
Expand Up @@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required
Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
Author: FirstName LastName # Make sure you get credit for your work
Version: 1.0 # Required, iterate as necessary
Id: 0256a455-1248-4e30-8175-727679189ddd # Required, unique GUID is required for every KAPE Target/Module
Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guid
BinaryUrl: https://url.goes.here.com
ExportFormat: csv # Required, this is the default ExportFormat in the instance the user chooses a format that is not listed below, or simply chooses Default within gkape
WaitTimeout: 0 # Optional, this specifies the number of minutes KAPE should wait for a Module to finish
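Review bot: the `BinaryUrl` line here carries no `# Required` annotation, unlike every other required key in this guide and unlike the CompoundModuleGuide.guide version of the same line; add it back for consistency. The new `Id:` comment is also long enough to be skimmed past: consider putting the two generation methods (the gKape Generate GUID button and `kape.exe --guid`) on separate `#` lines under the key.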
2 changes: 1 addition & 1 deletion Modules/ModuleTemplate.template
Expand Up @@ -2,7 +2,7 @@ Description: Name of application/artifact here
Category: Misc
Author: FirstName LastName
Version: 1.0
Id: a2231a4c-3bdf-4254-a2ab-06021789d1b0
Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbef # Change this, and delete this comment before merging, please
BinaryUrl: https://url.goes.here.com
ExportFormat: csv
FileMask: FileName.exe
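Review bot: this placeholder GUID differs from the one in CompoundModuleTemplate.template by a single hex digit (`...3bd1efc4dbef` vs `...3bd1efc4dbea`), which makes left-over template Ids easy to miss when scanning the repo. Same suggestion as for the compound template: use a visibly invalid placeholder rather than a well-formed GUID, so an unedited copy of the template fails validation instead of merging with a duplicate Id.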
2 changes: 1 addition & 1 deletion Targets/CompoundTargetGuide.guide
Expand Up @@ -2,7 +2,7 @@
Description: Name of application/artifact here # Required, this will be visible within gKape on the Target side under the Description colum.,
Author: Your name here # Required
Version: 1.0 # Required, increment as revisions are made.
Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here.
Id: a0bd74ff-4848-4663-8093-865394b0da97 # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here.
RecreateDirectories: true # Required, true means the folder structure of the artifacts will be created within the user-specified Target Destination directory. If an artifact is buried 10 folders deep on the suspect's system, it will be buried 10 folders deep within the Target Destination folder.
Targets:
-
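Review bot: this hunk goes the opposite way from the Module guides in the same PR: there a real GUID is replaced by `Unique GUID here`, here `Unique GUID here` is replaced by a real GUID, so the Target and Module guides now disagree on what a placeholder Id looks like. Pick one convention and apply it to both. While in this region, the unchanged Description comment still reads `colum.,` where `column.` is meant.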
2 changes: 1 addition & 1 deletion Targets/CompoundTargetTemplate.template
@@ -1,7 +1,7 @@
Description: Name of application/artifact here # Required
Author: Your name here # Required
Version: 1.0 # Required
Id: Unique GUID here # Required
Id: 89a28b16-15b1-476a-bd17-e3ba2602d5e0 # Required
RecreateDirectories: true # Required
Targets:
-
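Review bot: the Target template now ships a valid-looking Id with no `Change this` reminder, unlike the Module templates in this PR; an unedited copy of this file would carry `89a28b16-15b1-476a-bd17-e3ba2602d5e0` into the repo unnoticed. Either restore `Unique GUID here` or add the same reminder comment the Module templates received.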
16 changes: 0 additions & 16 deletions Targets/Windows/AssetAdvisorLog.tkape

This file was deleted.
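Review bot: because the content changed substantially, GitHub shows this as a delete plus a new file rather than a rename, so the history of AssetAdvisorLog.tkape will not follow into SCCMClientLogs.tkape; the commit link in the new file's comment block covers that. Before merging, check that no compound Target in the repo still lists `AssetAdvisorLog.tkape`, since that reference would now point at a file that no longer exists.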

18 changes: 18 additions & 0 deletions Targets/Windows/SCCMClientLogs.tkape
@@ -0,0 +1,18 @@
Description: SCCM Client Log Files
Author: Andrew Rathbun
Version: 1.0
Id: 700413f8-703b-44fb-9192-8830ac84b6b0
RecreateDirectories: true
Targets:
-
Name: SCCM Client Log Files
Category: Logs
Path: C:\Windows\CCM\Logs

# Documentation
# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/about-log-files#locating-log-files
# Previous version of this Target: https://github.com/EricZimmerman/KapeFiles/commit/2199b6b7749b2f066e9f54a16626160279ab7948
#
# I have seen reference to malicious binaries associated with a user in a log found in this folder
# Sample log entry:
# <![LOG[Add RecentlyUsedApp: <evil.exe DOMAIN\username>]LOG]!><time="12:22:13.679+300" date="02-27-2022" component="AssetAdvisor" context="" type="1" thread="5564" file="aa_recentlyusedapps.cpp:235">
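Review bot: the Target collects what sits directly under `C:\Windows\CCM\Logs` but sets no `Recursive` flag, so any logs the client keeps in subfolders of that directory would be missed; confirm against the linked Microsoft page whether the folder is flat and, if it is not, add `Recursive: true`. The comment block is useful context for why the old AssetAdvisor-only Target was widened, and the sample entry shows the AssetAdvisor component recording the executable name and user for each recently used app; stating that in the Description (for example `SCCM Client Log Files, including AssetAdvisor recently used apps`) would help analysts searching the Target list find it.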