Merge branch 'EricZimmerman:master' into master

.gitignore

@@ -3,3 +3,4 @@ gkape.exe
 *.cli
 .DS_Store
 *.swp
+*ConsoleLog.txt

Modules/Apps/GitHub/Ese2csv_SRUM.mkape

@@ -0,0 +1,18 @@
+Description: 'Ese2csv: Parsing SRUM Database'
+Category: SRUMDatabase
+Author: Max Ye
+Version: 1.0
+Id: 852b64c1-fd0e-47ec-8aa4-0994dbf5d8d1
+BinaryUrl: https://github.com/MarkBaggett/ese-analyst/archive/master.zip
+ExportFormat: csv
+Processors:
+    -
+        Executable: ese-analyst\ese2csv.exe
+        CommandLine: -o %destinationDirectory% -p srudb_plugin --plugin-args "%sourceDirectory%\Windows\System32\config\SOFTWARE" -- "%sourceDirectory%\Windows\System32\sru\SRUDB.dat"
+        ExportFormat: csv
+
+# Documentation
+# https://github.com/MarkBaggett/ese-analyst
+# Create a folder "ese-analyst" within the ".\KAPE\Modules\bin" folder
+# Place both files "ese2csv.exe" and "srudb_plugin.py" into ".\KAPE\Modules\bin\ese-analyst"
+# When using this Module, the Module source should be set to OS drive root directory (e.g. C:\), because parameters use absolute paths

Modules/Apps/GitHub/Hayabusa/hayabusa_OfflineEventLogs.mkape

@@ -1,14 +1,14 @@
 Description: Hayabusa a timeline generator for Windows event logs - Offline
 Category: EventLogs
 Author: Georg Lauenstein (sure[secure])
-Version: 1.3
+Version: 1.4
 Id: 49f9cd2d-3da5-4349-a9aa-c2b450582ccc
 BinaryUrl: https://github.com/Yamato-Security/hayabusa/releases
 ExportFormat: json
 Processors:
     -
         Executable: hayabusa\hayabusa.exe
-        CommandLine: csv-timeline -d %sourceDirectory% --profile standard --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv
+        CommandLine: csv-timeline -d %sourceDirectory% --profile standard -w --quiet --UTC -o %destinationDirectory%\hayabusa_events_offline.csv
         ExportFormat: csv
     -
         Executable: hayabusa\hayabusa.exe

Modules/Apps/GitHub/Mplog-Parser.mkape

@@ -0,0 +1,21 @@
+Description: 'Mplog-Parser: parses Microsoft Protection log files into CSV files'
+Category: Antivirus
+Author: Thomas DIOT (Qazeer)
+Version: 1.0
+Id: 6084c8ab-2059-41a4-89f4-dba2cfdb4bb4
+BinaryUrl: https://github.com/Qazeer/mplog_parser-compiled/releases/download/v1.0/mplog_parser.exe
+ExportFormat: csv
+Processors:
+    -
+        Executable: mplog_parser.exe
+        CommandLine: -d "%SourceDirectory%\ProgramData\Microsoft\Windows Defender\Support" -o "%destinationDirectory%"
+        ExportFormat: csv
+
+# Documentation
+# Mplog-Parser parses Microsoft Protection log files into a number of CSV files.
+# mplog_parser source: https://github.com/Intrinsec/mplog_parser
+# Compiled version: https://github.com/Qazeer/mplog_parser-compiled
+# Information on Windows Defender MPLog:
+# https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/
+# https://www.intrinsec.com/hunt-mplogs/
+# https://artefacts.help/windows_defender_support_logs.html

Modules/Apps/GitHub/ObsidianForensics_Hindsight.mkape

@@ -12,7 +12,7 @@ Processors:
         ExportFormat: xlsx
     -
         Executable: hindsight.exe
-        CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f json
+        CommandLine: -i %sourceDirectory% -o %destinationDirectory%\Hindsight_output -f jsonl
         ExportFormat: json
 
 # Documentation

Modules/Apps/GitHub/SRUMDump.mkape

@@ -1,14 +1,14 @@
 Description: 'SRUM-dump: Dump contents of the SRUM database'
 Category: SystemActivity
 Author: Brian Maloney, Jay Houlden, Vito Alfano
-Version: 1.2
+Version: 1.3
 Id: 74ee622c-2fb2-11ee-be56-0242ac120002
-BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.5/srum_dump2.exe
+BinaryUrl: https://github.com/MarkBaggett/srum-dump/releases/download/2.6/srum_dump2.6.exe
 ExportFormat: xlsx
 Processors:
     -
-        Executable: srum_dump2.exe
-        CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\sdrum_dump_result.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet
+        Executable: srum_dump.exe
+        CommandLine: --SRUM_INFILE %sourceDirectory%\Windows\System32\sru\SRUDB.dat --XLSX_OUTFILE %destinationDirectory%\srum_dump_result.xlsx  --XLSX_TEMPLATE SRUM_TEMPLATE3.xlsx --REG_HIVE %sourceDirectory%\Windows\System32\config\SOFTWARE --quiet
         ExportFormat: xlsx
 
 # Documentation

Modules/Apps/NTFSLogTracker_$J.mkape

@@ -3,7 +3,7 @@ Category: FileSystem
 Author: Hyun Yi @hyuunnn and Vito Alfano
 Version: 1.1
 Id: 74ee5d04-2fb2-11ee-be56-0242ac120002
-BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web
+BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/
 ExportFormat: sqlite3
 FileMask: $J
 Processors:

Modules/Apps/NTFSLogTracker_$LogFile.mkape

@@ -3,17 +3,17 @@ Category: FileSystem
 Author: Hyun Yi @hyuunnn and Vito Alfano
 Version: 1.1
 Id: 74ee60a6-2fb2-11ee-be56-0242ac120002
-BinaryUrl: https://drive.google.com/file/d/12Xzp0GW9KqaejFrK7ewGYzKWNEjRgP1P/view?usp=drive_web
+BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/
 ExportFormat: sqlite3
-FileMask: $J
+FileMask: $LogFile
 Processors:
     -
         Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe
-        CommandLine: -u %sourceFile% -o %destinationDirectory%
+        CommandLine: -l %sourceFile% -o %destinationDirectory%
         ExportFormat: sqlite3
     -
         Executable: NTFS Log Tracker v1.71 CMD\NTFS_Log_Tracker_CMD.exe
-        CommandLine: -u %sourceFile% -o %destinationDirectory% -c
+        CommandLine: -l %sourceFile% -o %destinationDirectory% -c
         ExportFormat: csv
 
 # Documentation

Modules/Compound/NTFSLogTracker.mkape

@@ -3,7 +3,7 @@ Category: FileSystem
 Author: Hyun Yi @hyuunnn
 Version: 1.0
 Id: 094e8964-ea15-4be1-869d-7b8fa1b55ada
-BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/NTFS Log Tracker v1.6 CMD.zip
+BinaryUrl: https://sites.google.com/site/forensicnote/ntfs-log-tracker/
 ExportFormat: sqlite3
 Processors:
     -

Modules/CompoundModuleGuide.guide

@@ -2,8 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher
 Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
 Author: FirstName LastName # Make sure you get credit for your work
 Version: 1.0 # Required, iterate as necessary
-Id: 62308e3b-5e67-4612-b472-24e0c85fccfe # Required, unique GUID is required for every KAPE Target/Module
-BinaryUrl: https://url.goes.here.com # Required
+Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required
 ExportFormat: csv # Required
 FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module
 Processors:

Modules/CompoundModuleTemplate.template

@@ -2,7 +2,7 @@ Description: Name of application/artifact here
 Category: Misc
 Author: FirstName LastName
 Version: 1.0
-Id: b61ccd7a-3f8a-4347-b5ac-21486aaa76c4
+Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea # Change this, and delete this comment before merging, please
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv
 FileMask: FileName.exe

Modules/ModuleGuide.guide

@@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required
 Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
 Author: FirstName LastName # Make sure you get credit for your work
 Version: 1.0 # Required, iterate as necessary
-Id: 0256a455-1248-4e30-8175-727679189ddd # Required, unique GUID is required for every KAPE Target/Module
+Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guid
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv # Required, this is the default ExportFormat in the instance the user chooses a format that is not listed below, or simply chooses Default within gkape
 WaitTimeout: 0 # Optional, this specifies the number of minutes KAPE should wait for a Module to finish

Modules/ModuleTemplate.template

@@ -2,7 +2,7 @@ Description: Name of application/artifact here
 Category: Misc
 Author: FirstName LastName
 Version: 1.0
-Id: a2231a4c-3bdf-4254-a2ab-06021789d1b0
+Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbef # Change this, and delete this comment before merging, please
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv
 FileMask: FileName.exe

Modules/Windows/Powershell_Wireless_Network_Connections.mkape

@@ -0,0 +1,14 @@
+Description: Extract Wireless Network Connections details via powershell
+Category: LiveResponse
+Author: Vito Alfano
+Version: 1.0
+Id: 5021953e-b8b8-482d-8d23-a0f901dff84d
+ExportFormat: txt
+Processors:
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: -Command "(netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name=”$name” key=clear)} | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize > %destinationDirectory%\Wireless_Network.txt"
+        ExportFormat: txt
+
+# Documentation
+# N/A

Targets/Apps/4KVideoDownloader.tkape

@@ -1,6 +1,6 @@
 Description: 4K Video Downloader
 Author: Andrew Rathbun
-Version: 1.0
+Version: 1.1
 Id: e33d4392-459b-459e-82e0-d9c624adbfbc
 RecreateDirectories: true
 Targets:
@@ -10,6 +10,12 @@ Targets:
         Path: C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader
         FileMask: "*.sqlite"
         Comment: "Grabs database(s) that stores user download history"
+    -
+        Name: 4K Video Downloader+
+        Category: Apps
+        Path: C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader+\4K Video Downloader+
+        FileMask: "*.sqlite"
+        Comment: "Grabs database(s) that stores user download history"
 
 # Documentation
 # https://www.4kdownload.com/products/product-videodownloader

Targets/Apps/Megasync.tkape

@@ -0,0 +1,14 @@
+Description: MegaSync Data Collection
+Author: Vito Alfano
+Version: 1.0
+Id: a6c7f66e-b37c-4895-98c3-4eb9775623cf
+RecreateDirectories: true
+Targets:
+    -
+        Name: MegaSync Folder
+        Category: ApplicationLogs
+        Path: C:\Users\%user%\AppData\Local\Mega Limited\MEGAsync\
+        Recursive: true
+
+# Documentation
+# N/A

Targets/Apps/NetMonitorforEmployeesProfessional.tkape

@@ -0,0 +1,54 @@
+Description: Net Monitor for Employees Pro
+Author: Tristan PINCEAUX - CERT CWATCH - ALMOND
+Version: 1.0
+Id: f944d8e5-e7c6-49ac-9c26-b1360fa518cc
+RecreateDirectories: true
+Targets:
+    -
+        Name: Net Monitor Server Logs
+        Category: ApplicationLogs
+        Path: C:\ProgramData\Net Monitor for Employees Pro\log\%user%\
+        Recursive: true
+        Comment: "Contains Net Monitor server logs"
+
+    -
+        Name: Net Monitor Server Data
+        Category: Communication
+        Path: C:\ProgramData\Net Monitor for Employees Pro\data\
+        Recursive: true
+        Comment: "Contains Net Monitor server data - Indicates what have been seen as the attacker"
+
+    -
+        Name: Net Monitor Server Config
+        Category: Apps
+        Path: C:\ProgramData\Net Monitor for Employees Pro\config\
+        Recursive: true
+        Comment: "Contains Net Monitor server config"
+
+    -
+        Name: Net Monitor Server Temp Folder
+        Category: Apps
+        Path: C:\ProgramData\Net Monitor for Employees Pro\tmp\
+        Recursive: true
+
+    -
+        Name: Net Monitor Client Logs
+        Category: ApplicationLogs
+        Path: C:\Program Files*\Net Monitor for Employees Pro\log\
+        Recursive: true
+        Comment: "Contains Net Monitor client logs"
+
+    -
+        Name: Net Monitor Client Config
+        Category: ApplicationLogs
+        Path: C:\Program Files*\Net Monitor for Employees Pro\config\
+        Recursive: true
+        Comment: "Contains Net Monitor client config"
+
+# Documentation
+# https://networklookout.com/
+# https://networklookout.com/doc/NetMonitorForEmployees.pdf
+# Net Monitor for employees is a monitoring software for office, that allows live screen monitoring and employee activity tracking.
+# It can be used as remote access tool, to control applications and processes, to fetch and drop files on target, and to deploy further malicious binaries.
+# It can also be used as a keylogger to collect further credentials on compromised targets.
+# We have seen this tool used in financial scam and data theft.

Targets/Apps/Notion.tkape

@@ -0,0 +1,24 @@
+Description: Notion Note-Taking App
+Author: Thomas Burnette
+Version: 1.0
+Id: 95afe81f-6301-4a7f-996b-c69443e7c2d9
+RecreateDirectories: true
+Targets:
+    -
+        Name: Notion Local Storage
+        Category: App
+        Path: C:\Users\%user%\AppData\Roaming\Notion
+        FileMask: 'notion.db'
+        Comment: "Local storage file containing all pages, databases, users, etc."
+    -
+        Name: Notion Custom Dictionary
+        Category: App
+        Path: C:\Users\%user%\AppData\Roaming\Notion\Partitions\notion
+        FileMask: 'Custom Dictionary.txt'
+
+# Documentation
+# https://www.notion.so/
+# Notion is a freemium productivity and note-taking app. It includes organizational tools such as task management, project tracking, to-do lists, and bookmarking.
+# When using the Notion app for Windows, Notion stores all pages, users, databases, etc. in a SQLite database, notion.db.
+# This includes creation and modification timestamps for all entries.
+# Additionally, Notion stores the user's Custom Dictionary in a text file.

Targets/Apps/RcloneConf.tkape

@@ -0,0 +1,17 @@
+Description: Rclone config file
+Author: Eric Capuano
+Version: 1.0
+Id: 639f9e55-1ee1-4af4-be7c-e6303ffb4b0c
+RecreateDirectories: true
+Targets:
+    -
+        Name: Rclone Config
+        Category: Apps
+        Path: C:\
+        FileMask: 'rclone.conf'
+        Recursive: true
+
+# Documentation
+# Rclone is a popular exfil tool that supports many cloud storage services
+#
+# https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/