Merge pull request EricZimmerman#851 from Zawadidone/feature/add_wind…

…ows_modules_and_paths Add new Windows Targets and paths
salty4n6 · Aug 24, 2023 · b90e2c1 · b90e2c1
2 parents ab1409f + fb2ab5a
commit b90e2c1
Show file tree

Hide file tree

Showing 11 changed files with 138 additions and 10 deletions.
diff --git a/Targets/Apps/VNCLogs.tkape b/Targets/Apps/VNCLogs.tkape
@@ -1,6 +1,6 @@
 Description: VNC Logs
 Author: Phill Moore
-Version: 1.1
+Version: 1.2
 Id: b98dab2e-81f3-472e-a22a-05269ad16270
 RecreateDirectories: true
 Targets:
@@ -10,11 +10,23 @@ Targets:
         Path: C:\Users\%user%\AppData\Local\RealVNC\
         FileMask: vncserver.log
         Comment: "https://www.realvnc.com/en/connect/docs/logging.html#logging"
+    -
+        Name: RealVNC Log
+        Category: ApplicationLogs
+        Path: C:\ProgramData\RealVNC-Service
+        FileMask: vncserver.log
+        Comment: "https://help.realvnc.com/hc/en-us/articles/360002254238-All-About-Logging-"
     -
         Name: RealVNC Application Logs
         Category: EventLogs
         Path: ApplicationEvents.tkape
         Comment: "Contains RealVNC entries, event source: VNC Server"
+    -
+        Name: TightVNC Application Logs
+        Category: ApplicationLogs
+        Path: C:\ProgramData\TightVNC\Server\Logs
+        Comment: "https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1160&context=adf"
+
 
 # Documentation
 # https://www.semanticscholar.org/paper/Tracing-VNC-And-RDP-Protocol-Artefacts-on-Windows-Kerai/20467cee88102cffcc2b856b93fc0bb7a58fd499

diff --git a/Targets/Compound/!SANS_Triage.tkape b/Targets/Compound/!SANS_Triage.tkape
@@ -1,6 +1,6 @@
 Description: SANS Triage Collection
 Author: Mark Hallman
-Version: 1.3
+Version: 1.4
 Id: 1bfbd59d-6c58-4eeb-9da7-1d9612b79964
 RecreateDirectories: true
 Targets:
@@ -16,6 +16,10 @@ Targets:
         Name: CombinedLogs
         Category: WindowsLogs
         Path: CombinedLogs.tkape
+    -
+        Name: GroupPolicy
+        Category: GroupPolicy
+        Path: GroupPolicy.tkape
     -
         Name: EvidenceOfExecution
         Category: EvidenceOfExecution
@@ -56,6 +60,10 @@ Targets:
         Name: SUM
         Category: Logs
         Path: SUM.tkape
+    -
+        Name: WER
+        Category: WER
+        Path: WER.tkape
     -
         Name: ThumbCache
         Category: FileKnowledge
@@ -64,6 +72,10 @@ Targets:
         Name: WBEM
         Category: WBEM
         Path: WBEM.tkape
+    -
+        Name: BITS
+        Category: BITS
+        Path: BITS.tkape
     -
         Name: WebBrowsers
         Category: Communications

diff --git a/Targets/Logs/PowerShellConsole.tkape b/Targets/Logs/PowerShellConsole.tkape
@@ -1,17 +1,18 @@
 Description: PowerShell Console Log File
 Author: Mike Cary
-Version: 1.0
+Version: 1.1
 Id: efa4332a-89eb-430c-ab61-006a9e6620d7
 RecreateDirectories: true
 Targets:
     -
         Name: PowerShell Console Log
         Category: PowerShellConsoleLog
         Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
-        FileMask: ConsoleHost_history.txt
+        FileMask: '*_history.txt'
 
 # Documentation
 # https://community.sophos.com/malware/b/blog/posts/powershell-command-history-forensics
 # https://darizotas.blogspot.com/2018/10/forensics-powershell-artifacts.html
 # https://digital-forensics.sans.org/media/DFPS_FOR508_v4.4_1-19.pdf
 # https://www.forensafe.com/blogs/powershell.html
+# https://learn.microsoft.com/en-us/powershell/module/psreadline/about/about_psreadline?view=powershell-7.3#command-history
diff --git a/Targets/Windows/Drivers.tkape b/Targets/Windows/Drivers.tkape
@@ -0,0 +1,15 @@
+Description: Windows Drivers
+Author: Zawadi Done
+Version: 1.0
+Id: fc56e4eb-c9e6-481f-9f57-6b24ba8bcbfb
+RecreateDirectories: true
+Targets:
+    -
+        Name: Drivers
+        Category: Drivers
+        Path: C:\Windows\system32\drivers\
+        FileMask: '*.sys'
+        Recursive: true
+
+# Documentation
+# N/A
diff --git a/Targets/Windows/GroupPolicy.tkape b/Targets/Windows/GroupPolicy.tkape
@@ -1,14 +1,24 @@
 Description: Current Group Policy Enforcement
 Author: piesecurity
-Version: 1.0
+Version: 1.1
 Id: e5595e9c-ebab-41db-a688-fdffe91f6fcb
 RecreateDirectories: true
 Targets:
     -
-        Name: Local Group Policy INI Files
+        Name: Group Policy Files
         Category: Communication
         Path: C:\Windows\System32\grouppolicy\
-        FileMask: '*.ini'
+        Recursive: true
+    -
+        Name: Computer Group Policy files
+        Category: Communication
+        Path: C:\ProgramData\Microsoft\Group Policy\History\
+        Recursive: true
+    -
+        Name: User Group Policy files
+        Category: Communication
+        Path: C:\Users\%user%\AppData\Local\Microsoft\Group Policy\History
+        Recursive: true
     -
         Name: Local Group Policy INI Files
         Category: Communication
@@ -37,3 +47,4 @@ Targets:
 
 # Documentation
 # https://medium.com/@grzegorztworek/gpo-group-policy-object-is-one-of-the-most-useful-features-of-the-windows-ecosystem-73b6eeab812
+# https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/remove-this-item-if-it-is-no-longer-applied-option
diff --git a/Targets/Windows/LogFiles.tkape b/Targets/Windows/LogFiles.tkape
@@ -1,6 +1,6 @@
 Description: LogFiles (includes SUM)
 Author: Fabian Murer
-Version: 1.0
+Version: 1.1
 Id: 67c9bb8d-342b-4380-a110-565317fce014
 RecreateDirectories: true
 Targets:
@@ -14,6 +14,12 @@ Targets:
         Category: Logs
         Path: C:\Windows.old\Windows\System32\LogFiles\
         Recursive: true
+    -
+        Name: Error logging
+        Category: Misc
+        Path: C:\windows\
+        FileMask: PFRO.log
+    -
 
 # Documentation
 # https://digital-forensics.sans.org/community/papers/gcfa/forensic-analysis-windows-2000-server-iis-oracle_112

diff --git a/Targets/Windows/PushNotification.tkape b/Targets/Windows/PushNotification.tkape
@@ -0,0 +1,20 @@
+Description: Windows Push Notification Service
+Author: Zawadi Done
+Version: 1.0
+Id: 49545136-dddd-4255-a5b5-c977bb72fded
+RecreateDirectories: true
+Targets:
+    -
+        Name: WNS
+        Category: WNS
+        Path: C:\Users\%user\AppData\Local\Microsoft\Windows\Notifications\
+        FileMask: appdb.dat
+    -
+        Name: WNS
+        Category: WNS
+        Path: C:\Users\%user\AppData\Local\Microsoft\Windows\Notifications\
+        FileMask: wpndatabase.db
+
+# Documentation
+# https://forensafe.com/blogs/winnotifications.html
+# https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview
diff --git a/Targets/Windows/ScheduledTasks.tkape b/Targets/Windows/ScheduledTasks.tkape
@@ -1,6 +1,6 @@
 Description: Scheduled tasks (*.job and XML)
 Author: Eric Zimmerman
-Version: 1.0
+Version: 1.1
 Id: e5dc4367-2e6b-49bf-a90a-d4c1598bbe28
 RecreateDirectories: true
 Targets:
@@ -29,6 +29,11 @@ Targets:
         Category: Persistence
         Path: C:\Windows\System32\Tasks\
         Recursive: true
+    -
+        Name: XML
+        Category: Persistence
+        Path: C:\Windows\syswow64\Tasks\
+        Recursive: true
     -
         Name: XML
         Category: Persistence
@@ -40,3 +45,4 @@ Targets:
 # https://www.sans.org/blog/windows-scheduler-at-job-forensics
 # https://forensicswiki.xyz/wiki/index.php?title=Windows_Job_File_Format
 # https://www.forensafe.com/blogs/taskschd.html
+# https://stmxcsr.com/persistence/scheduled-tasks.html
diff --git a/Targets/Windows/WER.tkape b/Targets/Windows/WER.tkape
@@ -1,6 +1,6 @@
 Description: Windows Error Reporting
 Author: Troy Larson
-Version: 1.0
+Version: 1.1
 Id: 03106a1c-e1f8-4075-abdb-f9c83078347d
 RecreateDirectories: true
 Targets:
@@ -9,6 +9,11 @@ Targets:
         Category: Executables
         Path: C:\ProgramData\Microsoft\Windows\WER\
         Recursive: true
+    -
+        Name: WER Files
+        Category: Executables
+        Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\WER\
+        Recursive: true
     -
         Name: Crash Dumps
         Category: SQL Exploitation

diff --git a/Targets/Windows/WindowsNetwork.tkape b/Targets/Windows/WindowsNetwork.tkape
@@ -0,0 +1,13 @@
+Description: Windows Networks settings
+Author: Zawadi Done
+Version: 1.0
+Id: aeacb435-8929-4414-b1ee-24d4f7273ea5
+RecreateDirectories: true
+Targets:
+        Name: Network setting files
+        Category: Misc
+        Path: C:\windows\system32\drivers\etc
+        Recursive: true
+
+# Documentation
+# N/A
diff --git a/Targets/Windows/WindowsServerDNSAndDHCP.tkape b/Targets/Windows/WindowsServerDNSAndDHCP.tkape
@@ -0,0 +1,27 @@
+Description: Windows Server DNS and DHCP log files
+Author: Zawadi Done
+Version: 1.1
+Id: 2f6dc2b4-cbdf-4a11-807d-da2f885daafd
+RecreateDirectories: true
+Targets:
+    -
+        Name: DNS Netlogon files
+        Category: DNS
+        Path: C:\Windows\System32\config\
+        FileMask: 'netlogon.*'
+        Recursive: true
+    -
+        Name: DNS files
+        Category: DNS
+        Path: C:\Windows\System32\dns\
+        Recursive: true
+    -
+        Name: DHCP files
+        Category: DHCP
+        Path: C:\Windows\System32\dhcp
+        Recursive: true
+
+# Documentation
+# https://windowstechno.com/what-is-netlogon/
+# https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created
+# https://www.oreilly.com/library/view/windows-server-2008/9780735624375/ch19s06.html