Merge pull request EricZimmerman#378 from rathbuna/master
Various updates/YAML Test
EricZimmerman authored Jan 30, 2021
2 parents 405611c + 8876734 commit 7dc47a5
Showing 245 changed files with 666 additions and 670 deletions.
2 changes: 1 addition & 1 deletion Modules/!Disabled/Plaso.mkape
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ Processors:
# https://plaso.readthedocs.io/en/latest/sources/user/Using-psteal.html
# The Plaso executables are accessed via a symbolic link from the kape/bin folder to the plaso folder.
# mklink /D <kape/plaso folder> <path to plaso dir>
# Example: mklink /D C:\KAPE\Modules\bin\Plaso C:\plaso
# Example: mklink /D C:\KAPE\Modules\bin\Plaso C:\plaso
#
# This module runs against a forensic image (E01, dd) or a folder structure. Most common use will be
# against a folder structure. vhdx and vhd files will need to be mounted before running this module
6 changes: 3 additions & 3 deletions Modules/LiveResponse/DumpIt.mkape
@@ -1,14 +1,14 @@
Description: DumpIt Memory Acquisition
Category: Memory
Author: Doug Metz
Author: Doug Metz
Version: 1.0
Id: 7504551a-41b6-4287-ad8a-ee0a10a66f7d
BinaryUrl: https://my.comae.com
ExportFormat: dmp
Processors:
-
Executable: DumpIt.exe
CommandLine: /O %destinationDirectory%/memdump.dmp /Q
Executable: DumpIt.exe
CommandLine: /O %destinationDirectory%/memdump.dmp /Q
ExportFormat: dmp

# Documentation
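Review bot: the output path in `CommandLine: /O %destinationDirectory%/memdump.dmp /Q` mixes a forward slash into a Windows path, while every other module in this commit builds its output path with a backslash (for example `%destinationDirectory%\tdsskiller.txt` in TDSSKiller.mkape); `/O %destinationDirectory%\memdump.dmp /Q` would keep the modules consistent and avoids surprises if the value is ever quoted or parsed. The old and new `Author`, `Executable` and `CommandLine` lines render identically, so the rest of this hunk is indentation and whitespace only, which is what a YAML lint pass should touch.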
2 changes: 1 addition & 1 deletion Modules/LiveResponse/EDD.mkape
Expand Up @@ -8,7 +8,7 @@ ExportFormat: txt
Processors:
-
Executable: EDD\EDDv300.exe
CommandLine: /batch >> %destinationDirectory%
CommandLine: /batch >> %destinationDirectory%
ExportFormat: txt
ExportFile: EDD.txt

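Review bot: the `>> %destinationDirectory%` in `CommandLine: /batch >> %destinationDirectory%` reads as a shell append redirect aimed at a directory rather than a file, and the hunk already declares `ExportFile: EDD.txt` for capturing the tool's output; unless KAPE is expected to pass the redirect through a shell here, `CommandLine: /batch` with the existing `ExportFile` is the cleaner form. Worth confirming on a test run that EDD.txt is populated and that no stray file lands in the destination directory.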
2 changes: 1 addition & 1 deletion Modules/LiveResponse/Hashes.mkape
Expand Up @@ -21,5 +21,5 @@ Processors:
#
# Remember: NTLM-hash 31d6cfe0d16ae931b73c59d7e0c089c0 means "blank"
#
# Example:
# Example:
#.\kape.exe --msource C:\kape\path\to\acquired\Windows\System32\config --mdest C:\kape\out --module Hashes
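Review bot: the example invocation is written as `#.\kape.exe ...` with no space after `#`, unlike the other comment lines in this block; `# .\kape.exe ...` keeps the documentation consistent. Since the comment itself reminds readers that the output is NTLM hashes (with `31d6cfe0d16ae931b73c59d7e0c089c0` meaning a blank password), a sentence stating that the `--mdest` directory of this module holds credential material and should be stored and shared accordingly would be a useful addition to the same block.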
2 changes: 1 addition & 1 deletion Modules/LiveResponse/NetSystemInfo.mkape
Expand Up @@ -3,7 +3,7 @@ Category: LiveResponse
Author: piesecurity, Andreas Hunkeler (@Karneades)
Version: 1.1
Id: be86ac26-4eea-4bcb-b5ae-9686ad0557c4
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: NetSystemInfo_User.mkape
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_Accounts.mkape
Expand Up @@ -3,14 +3,14 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: 6ec49720-1afc-4b89-9454-1398430cb31f
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: Accounts
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true

# Documentation
# https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2
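Review bot: lowercasing `Append: True` to `Append: true` is the right direction for a YAML lint pass, and the same edit is applied to the other NetSystemInfo_* modules below. One caveat on `Append: true` with the shared `ExportFile: NetSystemInfo.txt`: every NetSystemInfo_* processor writes into the same file, so the section order in the output follows module execution order, and re-running into an existing `--mdest` without flushing appends a second copy of each `net` section after the first. A short comment under `# Documentation` noting that would save a reader from misreading a doubled file as a changed host state.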
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_File.mkape
Expand Up @@ -3,14 +3,14 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: fb732a7a-e5f3-484e-95dd-d49cdac29391
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: File
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true

# Documentation
# https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_LocalGroup.mkape
Expand Up @@ -3,14 +3,14 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: a9789a17-1061-4a66-b5da-419223bb6c09
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: LocalGroup
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true

# Documentation
# https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_Session.mkape
Expand Up @@ -3,14 +3,14 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: 878ca28e-aa20-4e2e-b3d4-2a30402057d6
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: Session
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true

# Documentation
# https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_Share.mkape
Expand Up @@ -3,14 +3,14 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: aba1ed38-d670-4db1-be70-bebb0a6a4ef3
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: Share
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true

# Documentation
# https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_Start.mkape
Expand Up @@ -3,14 +3,14 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: aa1b7b54-2e33-486c-9b4d-eb467e9e6ea3
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: Start
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true

# Documentation
# https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_Use.mkape
Expand Up @@ -3,11 +3,11 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: 979b4a71-abf8-4f0b-9b94-51e9c1384888
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: Use
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true
4 changes: 2 additions & 2 deletions Modules/LiveResponse/NetSystemInfo_User.mkape
Expand Up @@ -3,14 +3,14 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: 12589aca-921f-42a0-8806-5174bfa511fd
ExportFormat: txt
ExportFormat: txt
Processors:
-
Executable: C:\Windows\System32\net.exe
CommandLine: User
ExportFormat: txt
ExportFile: NetSystemInfo.txt
Append: True
Append: true

# Documentation
# https://docs.microsoft.com/en-us/windows/win32/winsock/net-exe-2
4 changes: 2 additions & 2 deletions Modules/LiveResponse/PWSH-Get-CimInstance_ProcessList.mkape
@@ -1,4 +1,4 @@
Description: Display running processes and context information
Description: Display running processes and context information
Category: LiveResponse
Author: Markus Neis, Swisscom
Version: 1.0
Expand All @@ -7,7 +7,7 @@ ExportFormat: csv
Processors:
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: -Command "Get-CimInstance Win32_Process | select ProcessId, ProcessName, Path, CommandLine, Description, ParentProcessId , CreationDate, Handle, HandleCount, @{Label='MD5'; Expression={(Get-FileHash -Algorithm MD5 -LiteralPath $_.Path).Hash}} | Export-Csv -NoTypeInformation -Path %destinationDirectory%\PWSH-Get-CIM_ProcessList.csv"
CommandLine: -Command "Get-CimInstance Win32_Process | select ProcessId, ProcessName, Path, CommandLine, Description, ParentProcessId , CreationDate, Handle, HandleCount, @{Label='MD5'; Expression={(Get-FileHash -Algorithm MD5 -LiteralPath $_.Path).Hash}} | Export-Csv -NoTypeInformation -Path %destinationDirectory%\PWSH-Get-CIM_ProcessList.csv"
ExportFormat: csv
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
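Review bot: in the `CommandLine` of this hunk, `Get-FileHash -Algorithm MD5 -LiteralPath $_.Path` runs for every `Win32_Process` row, including the ones whose `Path` is empty (System, Idle, Registry, and processes the collecting user cannot open), where `-LiteralPath` with a null value raises an error instead of yielding an empty hash; wrapping it in `if ($_.Path) { ... }` or adding `-ErrorAction SilentlyContinue` keeps the CSV complete and the console quiet. Minor: `ParentProcessId ,` has a stray space before the comma. The old and new lines render identically, so the change itself is whitespace only.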
4 changes: 2 additions & 2 deletions Modules/LiveResponse/PWSH-Get-ProcessList.mkape
Expand Up @@ -3,11 +3,11 @@ Category: LiveResponse
Author: piesecurity
Version: 1.0
Id: d9bf9198-72e4-4f01-8ec9-e8ec4e322c06
ExportFormat: csv
ExportFormat: csv
Processors:
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: -Command "Get-WMIObject Win32_Process | Select-Object Name,ProcessID,Path,commandline,@{Label='Owner'; Expression={(Get-Process -PID $_.ProcessID -IncludeUserName).UserName}},CreationDate,ThreadCount,HandleCount,VirtualSize,Priority,@{Label='PriorityClass'; Expression={(Get-Process -PID $_.ProcessID).PriorityClass}},@{Label='Security ID'; Expression={$_.getownersid().SID}},@{Label='TotalProcessorTime'; Expression={(Get-Process -PID $_.ProcessID).TotalProcessorTime}},@{Label='Parent Path'; Expression={(Get-Process -PID $_.ParentProcessId).Path}},ParentProcessId,@{Label='Company'; Expression={(Get-Process -PID $_.ProcessID).Company}},@{Label='ProductVersion'; Expression={(Get-Process -PID $_.ProcessID).ProductVersion}},@{Label='Description'; Expression={(Get-Process -PID $_.ProcessID).Description}},@{Label='Product'; Expression={(Get-Process -PID $_.ProcessID).Product}},@{Label='FileVersion'; Expression={(Get-Process -PID $_.ProcessID).FileVersion}},@{Label='File Path SHA-256'; Expression={[System.BitConverter]::ToString( (New-Object System.Security.Cryptography.SHA256CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes($_.Path))) -replace '-'}} | Export-Csv -NoTypeInformation -Path %destinationDirectory%\PWSH-Get-ProcessList.csv "
CommandLine: -Command "Get-WMIObject Win32_Process | Select-Object Name,ProcessID,Path,commandline,@{Label='Owner'; Expression={(Get-Process -PID $_.ProcessID -IncludeUserName).UserName}},CreationDate,ThreadCount,HandleCount,VirtualSize,Priority,@{Label='PriorityClass'; Expression={(Get-Process -PID $_.ProcessID).PriorityClass}},@{Label='Security ID'; Expression={$_.getownersid().SID}},@{Label='TotalProcessorTime'; Expression={(Get-Process -PID $_.ProcessID).TotalProcessorTime}},@{Label='Parent Path'; Expression={(Get-Process -PID $_.ParentProcessId).Path}},ParentProcessId,@{Label='Company'; Expression={(Get-Process -PID $_.ProcessID).Company}},@{Label='ProductVersion'; Expression={(Get-Process -PID $_.ProcessID).ProductVersion}},@{Label='Description'; Expression={(Get-Process -PID $_.ProcessID).Description}},@{Label='Product'; Expression={(Get-Process -PID $_.ProcessID).Product}},@{Label='FileVersion'; Expression={(Get-Process -PID $_.ProcessID).FileVersion}},@{Label='File Path SHA-256'; Expression={[System.BitConverter]::ToString( (New-Object System.Security.Cryptography.SHA256CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes($_.Path))) -replace '-'}} | Export-Csv -NoTypeInformation -Path %destinationDirectory%\PWSH-Get-ProcessList.csv "
ExportFormat: csv
-
Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
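Review bot: the SHA-256 calculated property in this `CommandLine` calls `[System.IO.File]::ReadAllBytes($_.Path)` on every row, which throws for processes with an empty `Path` and for executables the collector cannot read, so those rows lose the hash and emit errors; `Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path` inside an `if ($_.Path)` guard, as the sibling PWSH-Get-CimInstance_ProcessList module does for MD5, is simpler and also disposes the hash provider, which `New-Object System.Security.Cryptography.SHA256CryptoServiceProvider` never does here. Two further points: `Get-Process -PID $_.ProcessID` is re-invoked for eight separate properties per process, so one `Get-Process` call per row stored in a variable would cut the runtime noticeably on a busy host; and `-IncludeUserName` requires an elevated session, so `Owner` will be blank when the module runs unelevated. There is also a trailing space before the closing `"` of the `-Command` string.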
3 changes: 1 addition & 2 deletions Modules/LiveResponse/ProcessDetails.mkape
Expand Up @@ -30,7 +30,6 @@ Processors:
Executable: Get-InjectedThread.mkape
CommandLine: ""
ExportFormat: ""

# Documentation
# As this processes live data off the sytem any directory can be set as "msource"

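Review bot: the context line `# As this processes live data off the sytem any directory can be set as "msource"` has a typo, `sytem` for `system`; since this hunk already touches the trailing blank line, fixing the spelling in the same pass would be cheap.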
2 changes: 1 addition & 1 deletion Modules/LiveResponse/TDSSKiller.mkape
Expand Up @@ -10,7 +10,7 @@ Processors:
Executable: TDSSKiller\tdsskiller.exe
CommandLine: -accepteula -accepteulaksn -sigcheck -tdlfs -silent -l %destinationDirectory%\tdsskiller.txt
ExportFormat: txt

# Documentation
# Create a folder "TDSSKiller" within the "Modules\bin" KAPE folder
# Place "tdsskiller.exe" file into "Modules\bin\TDSSKiller"
6 changes: 3 additions & 3 deletions Modules/LiveResponse/WinPmem.mkape
@@ -1,6 +1,6 @@
Description: WinPmem Memory Dump
Category: Memory
Author: Eric Capuano
Author: Eric Capuano
Version: 3.0
Id: 1d284835-417b-459e-a396-d228edea3808
BinaryUrl: https://github.com/Velocidex/c-aff4/releases/download/3.2/winpmem_3.2.exe
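Review bot: `BinaryUrl` pins the winpmem_3.2.exe release and the documentation asks the user to rename the download to winpmem.exe, but nothing records what the expected binary looks like; adding the publisher's release hash for that file next to the URL in the `# Documentation` block (taken from the release page, not typed from memory) would let an examiner verify the acquisition tool before it loads its kernel driver on an evidence host. The duplicated `Author: Eric Capuano` lines render identically, so that part of the hunk is whitespace only.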
Expand All @@ -15,11 +15,11 @@ Processors:
# https://winpmem.velocidex.com/
# https://github.com/Velocidex/WinPmem
# 1. Download winpmem_3.2.exe using the link above; also tested with winpmem_3.3.rc1.exe. Other versions may work, but are untested.
# 2. Rename the binary to winpmem.exe (dropping the version number)
# 2. Rename the binary to winpmem.exe (dropping the version number)
# 3. Place the binary into '<KAPE_working_directory>/Modules/bin'
# - KAPE should now be able to find the executable at '<KAPE_working_directory>/Modules/bin/winpmem.exe'
#
# To obtain a compressed AFF4 memory dump, swap `--format raw` for `--format map` in the command line parameter above.
#
# Example usage:
# Example usage:
# kape.exe --tsource C --target EventLogs --tdest "C:\temp\tdest" --module WinPmem --mdest "C:\temp\mdest" --mflush --tflush
2 changes: 1 addition & 1 deletion Modules/LiveResponse/bitlocker-key.mkape
Expand Up @@ -13,7 +13,7 @@ Processors:

# Documentation
# Updated to directly reference the system path
# NOTE: When using the bitlocker related modules, specify --msource as JUST the drive letter and colon.
# NOTE: When using the bitlocker related modules, specify --msource as JUST the drive letter and colon.
# DO NOT include the trailing slash or the command will error out.
# DO this: --msource C:
# NOT this: --msource C:\
2 changes: 1 addition & 1 deletion Modules/LiveResponse/handle.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -a -u -accepteula
ExportFormat: txt
ExportFile: handles.txt

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/handle
2 changes: 1 addition & 1 deletion Modules/LiveResponse/psfile.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -accepteula
ExportFormat: txt
ExportFile: psfile.txt

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/psfile
2 changes: 1 addition & 1 deletion Modules/LiveResponse/psinfo.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -h -s -d -c -accepteula
ExportFormat: csv
ExportFile: psinfo.csv

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/psinfo
2 changes: 1 addition & 1 deletion Modules/LiveResponse/pslist.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -x -accepteula
ExportFormat: txt
ExportFile: pslist.txt

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/pslist
2 changes: 1 addition & 1 deletion Modules/LiveResponse/psloggedon.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -accepteula
ExportFormat: txt
ExportFile: PsLoggedOn.txt

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon
2 changes: 1 addition & 1 deletion Modules/LiveResponse/psservice.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -accepteula
ExportFormat: txt
ExportFile: PsService.txt

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
2 changes: 1 addition & 1 deletion Modules/LiveResponse/pstree.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -t -accepteula
ExportFormat: txt
ExportFile: pstree.txt

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/pslist
2 changes: 1 addition & 1 deletion Modules/LiveResponse/tcpvcon.mkape
Expand Up @@ -11,6 +11,6 @@ Processors:
CommandLine: -a -n -c -accepteula
ExportFormat: csv
ExportFile: tcpvcon.csv

# Documentation
# https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
2 changes: 1 addition & 1 deletion Modules/timelining/EVT_Application_TLN.mkape
Expand Up @@ -12,7 +12,7 @@ Processors:
CommandLine: evtparse -e %sourceFile% -t -s %computerName%
ExportFormat: csv
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/keydet89/Tools/tree/master/exe
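Review bot: `Append: true` (lowercased here and in the other timelining modules) targets the shared `ExportFile: temp.tln`, which is the intended way to build one TLN body across modules, but it also means a second run of any *_TLN module into the same `--mdest` without `--mflush` appends duplicate events to temp.tln; a comment under `# Documentation` saying that the file is cumulative and should be built into a fresh destination would prevent double-counted timeline entries.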
2 changes: 1 addition & 1 deletion Modules/timelining/EVT_Security_TLN.mkape
Expand Up @@ -12,7 +12,7 @@ Processors:
CommandLine: evtparse -e %sourceFile% -t -s %computerName%
ExportFormat: csv
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/keydet89/Tools/tree/master/exe
2 changes: 1 addition & 1 deletion Modules/timelining/EVT_System_TLN.mkape
Expand Up @@ -12,7 +12,7 @@ Processors:
CommandLine: evtparse -e %sourceFile% -t -s %computerName%
ExportFormat: csv
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/keydet89/Tools/tree/master/exe
2 changes: 1 addition & 1 deletion Modules/timelining/EvtxECmd_to_TLN.mkape
Expand Up @@ -11,7 +11,7 @@ Processors:
CommandLine: -f %destinationDirectory%\evtx_for_timeline.csv
ExportFormat: txt
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/mdegrazia/KAPE_Tools
2 changes: 1 addition & 1 deletion Modules/timelining/MFTECmd_$MFT_TLN.mkape
Expand Up @@ -11,7 +11,7 @@ Processors:
CommandLine: -f %destinationDirectory%\mft_bodyfile -s %computerName%
ExportFormat: txt
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/keydet89/Tools/tree/master/exe
2 changes: 1 addition & 1 deletion Modules/timelining/RegRipper_AppCompatCache_TLN.mkape
Expand Up @@ -12,7 +12,7 @@ Processors:
CommandLine: -r %sourceFile% -p appcompatcache_tln -s %computerName%
ExportFormat: txt
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/keydet89/RegRipper3.0
2 changes: 1 addition & 1 deletion Modules/timelining/RegRipper_NTUSER_muicache_TLN.mkape
Expand Up @@ -12,7 +12,7 @@ Processors:
CommandLine: -r %sourceFile% -p muicache_tln -u %sourceFile% -s %computerName%
ExportFormat: txt
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/keydet89/RegRipper3.0
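Review bot: in `CommandLine: -r %sourceFile% -p muicache_tln -u %sourceFile% -s %computerName%` the `-u` option receives the hive path, but rip.exe documents `-u` as the user name that the TLN plugins write into the user field, so the resulting timeline rows will carry a full NTUSER.DAT path in that column. If that is intended as a way to tell profiles apart, a comment saying so would help; otherwise a user-name value (or dropping `-u`) produces cleaner TLN output. The same pattern appears in the userassist module below.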
2 changes: 1 addition & 1 deletion Modules/timelining/RegRipper_NTUSER_userassit_TLN.mkape
Expand Up @@ -12,7 +12,7 @@ Processors:
CommandLine: -r %sourceFile% -p userassist_tln -u %sourceFile% -s %computerName%
ExportFormat: txt
ExportFile: temp.tln
Append: True
Append: true

# Documentation
# https://github.com/keydet89/RegRipper3.0
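Review bot: the module file is named `RegRipper_NTUSER_userassit_TLN.mkape` while the plugin it runs is `userassist_tln`; the filename drops the second `s`. Renaming the file to `RegRipper_NTUSER_userassist_TLN.mkape` would match the plugin name and keep it discoverable alongside the other RegRipper_* modules (any compound module that references this file by name would need the same rename).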