Merge branch 'master' of https://github.com/rathbuna/KapeFiles

b1540p · Apr 3, 2021 · e13c0e6 · e13c0e6
2 parents 5e7b5b6 + c1e7dd8
commit e13c0e6
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 3 deletions.
diff --git a/Modules/Misc/SumECmd.mkape b/Modules/Misc/SumECmd.mkape
@@ -1,14 +1,14 @@
 Description: 'SumECmd: Process Microsoft User Access Logs'
 Category: SUMDatabase
 Author: Andrew Rathbun
-Version: 1.0
+Version: 1.1
 Id: ac99af84-33b7-4f85-a9fa-146cd2fd6e31
 BinaryUrl: https://f001.backblazeb2.com/file/EricZimmermanTools/SumECmd.zip
 ExportFormat: csv
 Processors:
     -
         Executable: SumECmd.exe
-        CommandLine: -d %sourceDirectory%\Users\Windows\System32\LogFiles\SUM --csv %destinationDirectory%
+        CommandLine: -d %sourceDirectory%\Windows\System32\LogFiles\SUM --csv %destinationDirectory%
         ExportFormat: csv
 
 # Documentation
@@ -18,4 +18,5 @@ Processors:
 # .\KAPE\Targets\Windows\LogFiles.tkape will capture the SUM Database which is located at C:\Windows\System32\LogFiles\SUM
 # This Module is meant to work in conjunction with the LogFiles.tkape acquiring the necessary files for SumECmd to parse in one fell swoop.
 # When running this Module by itself, make sure your Module Source is pointed to the root of a drive or a folder path with structure similar to what is listed within the CommandLine above, if possible.
+# You very well may need to manually add the drive letter in the command line for this Module to work properly. It all depends on where your source directory is pointed to.
 # If that's not the case, then run the SumECmd tool by itself against your directory with a similar command as stated above or modify the path within the CommandLine of your local copy of this Module to make it fit your circumstances.
diff --git a/Targets/Apps/ExchangeCve-2021-26855.tkape b/Targets/Apps/ExchangeCve-2021-26855.tkape
@@ -0,0 +1,40 @@
+Description: Exchange Server Vulnerability *.Compiled Files
+Author: Dennis Reneau
+Version: 1.0
+Id: e7dc72be-942c-4fef-aa45-252bf2364b1e
+RecreateDirectories: true
+Targets:
+    -
+        Name: Exchange Server Modified Compiled Files
+        Category: Apps
+        Path: C:\Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\
+        Recursive: true
+        FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
+        Comment: "Highly dependent on Exchange configuration"
+    -
+        Name: Exchange Server Modified Compiled Files
+        Category: Apps
+        Path: C:\inetpub\wwwroot\aspnet_client
+        Recursive: true
+        FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
+        Comment: "Highly dependent on Exchange configuration"
+    -
+        Name: Exchange Server Modified Compiled Files
+        Category: Apps
+        Path: C:\inetpub\wwwroot\aspnet_client\system_web\
+        Recursive: true
+        FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
+        Comment: "Highly dependent on Exchange configuration"
+    -
+        Name: Exchange Server Modified Compiled Files
+        Category: Apps
+        Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
+        Recursive: true
+        FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
+        Comment: "Highly dependent on Exchange configuration"
+
+# Documentation
+# Microsoft Exchange CVE-2021-26855
+# Identified *.compound files are modified XML files associated with malicious dll's.
+# https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/
+# Query for WebShell IOC's with randomized 8 character names preceding the .compiled file extension.
diff --git a/Targets/Compound/SQLDatabases.tkape b/Targets/Compound/SQLDatabases.tkape
@@ -171,6 +171,7 @@ Targets:
 
 # Web Browsers - Chrome - Chrome.tkape
 
+    -
         Name: Chrome bookmarks XP
         Category: SQLDatabases
         Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
@@ -550,6 +551,6 @@ Targets:
 
 # Documentation
 # This Target is meant to pull all SQLite databases for which there are currently (or soon will be) SQLECmd Maps - https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
-# This Target will likely be updatd often as more SQLECmd Maps are created
+# This Target will likely be updated often as more SQLECmd Maps are created
 # Despite not pointing to other .tkape files directly in the interest of only grabbing SQL databases, this Target is considered a Compound Target since it references many other Targets
 # Use with SQLECmd.mkape or SQLECmd-Hunt.mkape for best results