Merge branch 'master' of https://github.com/dfirtnt/KapeFiles

salty4n6 · Aug 30, 2023 · e6d1ee4 · e6d1ee4
2 parents 205e594 + b7afdfb
commit e6d1ee4
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/Action1.tkape b/Action1.tkape
@@ -0,0 +1,17 @@
+Description: Action1 Application Logs
+Author: Andrew Skatoff @DFIR_TNT
+Version: 1.0
+Id: 9cdf145a-c67e-45cd-bdec-1bcfeb2d50b1
+RecreateDirectories: true
+Targets:
+    -
+        Name: Action1 Client Application logs
+        Category: ApplicationLogs
+        Path: C:\Windows\Action1\logs
+        FileMask: '*.log'
+        Comment: "Contains Application Log entries such as service start and incomming connections, and deployed scripts/jobs."
+
+
+# Documentation
+# https://dfirtnt.wordpress.com/2023/08/23/rmm-action1-client-side-evidence/
+# https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/
diff --git a/Level.tkape b/Level.tkape
@@ -0,0 +1,16 @@
+Description: Level.io Application Logs
+Author: Andrew Skatoff @DFIR_TNT
+Version: 1.0
+Id: 5e2c322f-616c-42e4-9cd7-4546cf2412e6
+RecreateDirectories: true
+Targets:
+    -
+        Name: Action1 RMM Client Application logs
+        Category: ApplicationLogs
+        Path: C:\Program Files\Level
+        FileMask: '*.log'
+        Comment: "Contains Application Log entries such as service start and incomming connections."
+
+
+# Documentation
+# https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/