KAPE

KAPE is a configurable triage and parsing tool that relies on targets and modules to, respectively, collect and parse artefacts using independent utilities.

Comprehensive documentation is available on Eric Zimmerman's site: ericzimmerman.github.io.

Collection - Targets

The following commands can be used to collect artefacts from the specified drive of the current system.

The RecycleBin target can be dropped from the list to keep the size of the resulting collection under control.

# Semi-light collection (the deleted files from the RecycleBin can however greatly increase the collection size).
.\kape.exe --tsource C: --tdest <DEST_FOLDER | DEST_FOLDER_%d> --tflush --target KapeTriage,Antivirus,$MFTMirr,RemoteAdmin,CloudStorage_Metadata,CombinedLogs,WebBrowsers,InternetExplorer,WebServers,Exchange,WSL,LinuxOnWindowsProfileFiles,RecycleBin,USBDetective,PowerShellConsole,MSSQLErrorLog,BITS,CertUtil,MicrosoftOneNote,MicrosoftStickyNotes,Notepad++,RDPCache,ScheduledTasks,StartupFolders,WinDefendDetectionHist,WindowsDefender,WindowsFirewall --vss

# More comprehensive collection, notably adding PST / OST files and memory dumps (the deleted files from the RecycleBin can here too greatly increase the collection size).
.\kape.exe --tsource C: --tdest C:\Temp\SURION-WIN10_KAPE%d --tflush --target KapeTriage,Antivirus,MiniTimelineCollection,$MFTMirr,RemoteAdmin,WebBrowsers,WebServers,WSL,LinuxOnWindowsProfileFiles,RecycleBin,USBDetective,PowerShellConsole,MSSQLErrorLog,BITS,CertUtil,MicrosoftOneNote,MicrosoftStickyNotes,Notepad++,RDPCache,ScheduledTasks,StartupFolders,WindowsFirewall,FileExplorerReplacements,OutlookPSTOST,GroupPolicy,LiveUserFiles,MemoryFiles,MOF --vss
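The target list is passed to kape.exe as a single comma-separated value, and the most common mistake when hand-editing a long list is a space after a comma: the console ends the --target argument at the space and everything after it is no longer a target. The helper below, an added example that is not code from the original notes or from the KAPE project, builds the collection command line from a validated list and lints a raw command string for that exact defect. It assumes kape.exe sits in the current directory and that the options behave as in the commands above; deriving the destination folder from the hostname is this example's own convention.

```python
"""Build and lint KAPE collection command lines.

Added example, not code from the original notes or from the KAPE project.
It assumes kape.exe sits in the current directory and that --tsource,
--tdest, --tflush, --target and --vss behave as in the commands above;
deriving the destination folder from the hostname is this example's own
convention.
"""
import re
import shlex
import socket

# Target list of the "semi-light" collection above.
SEMI_LIGHT_TARGETS = [
    "KapeTriage", "Antivirus", "$MFTMirr", "RemoteAdmin", "CloudStorage_Metadata",
    "CombinedLogs", "WebBrowsers", "InternetExplorer", "WebServers", "Exchange",
    "WSL", "LinuxOnWindowsProfileFiles", "RecycleBin", "USBDetective",
    "PowerShellConsole", "MSSQLErrorLog", "BITS", "CertUtil", "MicrosoftOneNote",
    "MicrosoftStickyNotes", "Notepad++", "RDPCache", "ScheduledTasks",
    "StartupFolders", "WinDefendDetectionHist", "WindowsDefender", "WindowsFirewall",
]

# Target names as used on this page: letters, digits and '_', '$', '+', '-'.
# Whitespace and commas are never part of a name.
_TARGET_RE = re.compile(r"^[A-Za-z0-9_$+\-]+$")

# kape.exe options that take no value.
_SWITCHES = {"--tflush", "--mflush", "--vss"}


def build_target_list(targets, include_recyclebin=True):
    """Join target names into the single comma-separated --target value,
    rejecting malformed names and duplicates before KAPE ever runs."""
    seen, out = set(), []
    for name in targets:
        if not _TARGET_RE.match(name):
            raise ValueError(f"invalid target name: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate target: {name}")
        seen.add(name)
        if name == "RecycleBin" and not include_recyclebin:
            continue
        out.append(name)
    return ",".join(out)


def build_collection_argv(source_drive, dest_root, targets,
                          include_recyclebin=True, vss=True):
    """Return the argv list for a kape.exe collection run. The destination is
    <dest_root>\\<HOSTNAME>_KAPE%d; KAPE expands %d to a date/time stamp."""
    dest = f"{dest_root}\\{socket.gethostname().upper()}_KAPE%d"
    argv = [".\\kape.exe", "--tsource", source_drive, "--tdest", dest, "--tflush",
            "--target", build_target_list(targets, include_recyclebin)]
    if vss:
        argv.append("--vss")
    return argv


def lint_collection_cmdline(cmdline):
    """Return the problems found in a raw kape.exe command line, in particular
    a space inside the --target list: the shell ends the argument at the space,
    so every target after it becomes a stray positional argument."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    problems = []
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok in _SWITCHES:
            i += 1
        elif tok.startswith("--"):
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("--"):
                problems.append(f"{tok} has no value")
                i += 1
                continue
            if tok == "--target":
                for name in tokens[i + 1].split(","):
                    if not _TARGET_RE.match(name):
                        problems.append(f"invalid target name {name!r} in --target")
            i += 2
        else:
            problems.append(f"stray argument {tok!r} (space inside a comma-separated list?)")
            i += 1
    return problems
```

Run `lint_collection_cmdline()` on a command line before pasting it into a console on the host: an empty list means every option has a value and every target name is well formed, while a "stray argument" entry points at the exact token that a misplaced space cut off from the target list.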

Parsing - Compound module

The following compound module can be used to parse a number of artefacts from collected data. The third-party tools each sub-module relies on are listed in comments directly in the module and must be set up beforehand in the indicated paths.

Description: Compound module.
Category: Modules
Author: Qazeer (Thomas DIOT)
Version: 1.0
Id: f1ada04f-d562-4340-8f68-e258d2820946
BinaryUrl:
ExportFormat: csv
Processors:
    # Requires LogParser.exe binary (https://www.microsoft.com/en-us/download/confirmation.aspx?id=24659) to be in "KAPE\Modules\bin\LogParser.exe"
    # -- LogParser_ApacheAccessLogs.mkape
    # -- LogParser_DetailedNetworkShareAccess.mkape
    # -- LogParser_LogonLogoffEvents.mkape
    # -- LogParser_RDPUsageEvents.mkape
    # -- LogParser_SMBServerAnonymousLogons.mkape
    -
        Executable: LogParser.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires Eric Zimmerman tools to be in "KAPE\Modules\bin\*.exe"
    # -- AmcacheParser.mkape, AppCompatCacheParser.mkape
    # -- EvtxECmd.mkape
    # -- JLECmd.mkape
    # -- LECmd.mkape
    # -- MFTECmd.mkape
    # -- PECmd.mkape
    # -- RBCmd.mkape, RecentFileCacheParser.mkape, RECmd_Kroll.mkape
    # -- SBECmd.mkape, SQLECmd.mkape, SrumECmd.mkape, SumECmd.mkape
    # -- WxTCmd.mkape
    -
        Executable: "!EZParser.mkape"
        CommandLine: ""
        ExportFormat: ""
    # Requires SRUM-Repair.ps1 to be in (https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SRUM-Repair.ps1).
    -
        Executable: PowerShell_SrumECmd_SRUM-RepairAndParse.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires SUM-Repair.ps1 to be in (https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/SRUM-Repair.ps1).
    -
        Executable: PowerShell_SumECmd_SUM-RepairAndParse.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires CCM_RUA_Finder (https://github.com/esecrpm/WMI_Forensics/raw/master/CCM_RUA_Finder.exe) to be in "KAPE\Modules\bin\CCM_RUA_Finder.exe".
    -
        Executable: CCMRUAFinder_RecentlyUsedApps.mkape
        CommandLine: ""
        ExportFormat: ""
    -
        Executable: EvtxECmd_RDP.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires Chainsaw.exe (https://github.com/WithSecureLabs/chainsaw/releases/download/v2.0.0/chainsaw_x86_64-pc-windows-msvc.zip) to be in "KAPE\Modules\bin\chainsaw\Chainsaw.exe".
    # Also requires Windows sigma rules (https://github.com/SigmaHQ/sigma) to be in "KAPE\Modules\bin\chainsaw\sigma".
    -
        Executable: Chainsaw.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires hayabusa.exe (https://github.com/Yamato-Security/hayabusa/releases/) to be in "KAPE\Modules\bin\hayabusa.exe".
    -
        Executable: hayabusa_OfflineEventLogs.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires Snap2HTML (https://www.rlvision.com/script/download.php?ref=rlv.com&file=Snap2HTML.zip) to be in "KAPE\Modules\bin\Snap2HTML\Snap2HTML.exe".
    -
        Executable: Snap2HTML.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires RECmd.exe binary
    # -- RECmd_AllRegExecutablesFoundOrRun.mkape
    # -- RECmd_BasicSystemInfo.mkape
    # -- RECmd_BCDBootVolume.mkape
    # -- RECmd_InstalledSoftware.mkape
    # -- RECmd_Kroll.mkape
    # -- RECmd_RECmd_Batch_MC.mkape
    # -- RECmd_RegistryASEPs.mkape
    # -- RECmd_SoftwareASEPs.mkape
    # -- RECmd_SoftwareClassesASEPs.mkape
    # -- RECmd_SoftwareWoW6432ASEPs.mkape
    # -- RECmd_SystemASEPs.mkape
    # -- RECmd_UserActivity.mkape
    # -- RECmd_UserClassesASEPs.mkape
    -
        Executable: RECmd_AllBatchFiles.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires Nirsoft's BrowsingHistoryView (https://www.nirsoft.net/utils/browsinghistoryview-x64.zip) to be in "KAPE\Modules\bin\browsinghistoryview.exe".
    -
        Executable: NirSoft_BrowsingHistoryView.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires Hindsight (https://github.com/obsidianforensics/hindsight/releases) to be in "KAPE\Modules\bin\hindsight.exe".
    -
        Executable: ObsidianForensics_Hindsight.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires woanware's wmi-parser (https://github.com/woanware/wmi-parser/releases/download/v0.0.2/wmi-parser.v0.0.2.zip) to be in "KAPE\Modules\bin\wmi-parser\wmi-parser.exe".
    # TODO: Fix error "Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly".
    #-
    #    Executable: WMI-Parser.mkape
    #    CommandLine: ""
    #    ExportFormat: ""
    # Requires OneDriveExplorer (https://github.com/Beercow/OneDriveExplorer/releases/) to be in "KAPE\Modules\bin\OneDriveExplorer.exe".
    -
        Executable: OneDriveExplorer.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires DetectionHistory Parser (https://github.com/jklepsercyber/defender-detectionhistory-parser/raw/main/dhparser.exe) to be in "KAPE\Modules\bin\dhparser.exe".
    -
        Executable: DHParser.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires SEPparser (https://github.com/Beercow/SEPparser/raw/master/bin/SEPparser.exe) to be in "KAPE\Modules\bin\SEPparser.exe".
    -
        Executable: SEPparser.mkape
        CommandLine: ""
        ExportFormat: ""
    # Requires bmc-tools.exe (compiled version of bmc-tools.py, from https://github.com/dingtoffee/bmc-tools/raw/master/dist/bmc-tools.exe) to be in "KAPE\Modules\bin\bmc-tools.exe".
    # TODO: Fix non finishing execution.
    #-
    #    Executable: BMC-Tools_RDPBitmapCacheParser.mkape
    #    CommandLine: ""
    #    ExportFormat: ""
    # Requires Thor Lite (https://www.nextron-systems.com/thor-lite/, newsletter subscription required) to be in "KAPE\Modules\bin\thor-lite".
    # Refer to the Thor-Lite_Scan.mkape module documentation (in file-comments) for more information on the setup.
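Because every prerequisite of the compound module lives in a comment, a missing binary only shows up as a failing sub-module halfway through a parsing run. The script below is an added example, not code from the original notes or from KAPE itself: it reads the module text, takes every path quoted in a comment as "KAPE\Modules\bin\..." plus every sub-module named on an active Executable: line, and reports what is missing under a given KAPE root before anything is run. Commented-out processors are skipped. The module excerpt and the demo directory layout are constructed for the example and mirror the layout of the module above.

```python
"""Pre-flight check of a KAPE compound module's third-party prerequisites.

Added example, not code from the original notes or from KAPE itself. It reads
the module text, takes every path quoted in a comment as "KAPE\\Modules\\bin\\..."
plus every sub-module named on an active Executable: line, and reports what
is missing under a given KAPE root. Commented-out processors are skipped. The
module excerpt below is constructed to mirror the compound module above; the
demo directory layout is constructed too.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed excerpt in the layout of the compound module above.
SAMPLE_MODULE = """Description: Compound module (excerpt).
Category: Modules
Version: 1.0
ExportFormat: csv
Processors:
    # Requires LogParser.exe binary to be in "KAPE\\Modules\\bin\\LogParser.exe"
    -
        Executable: LogParser.mkape
        CommandLine: ""
        ExportFormat: ""
    -
        Executable: "!EZParser.mkape"
        CommandLine: ""
        ExportFormat: ""
    # Requires Chainsaw.exe to be in "KAPE\\Modules\\bin\\chainsaw\\Chainsaw.exe."
    # Also requires Windows sigma rules to be in "KAPE\\Modules\\bin\\chainsaw\\sigma".
    -
        Executable: Chainsaw.mkape
        CommandLine: ""
        ExportFormat: ""
    # TODO: not working yet, kept disabled
    #-
    #    Executable: WMI-Parser.mkape
"""

# A quoted path below the KAPE root; a stray '.' before the closing quote is tolerated.
_BIN_PATH_RE = re.compile(r'"KAPE\\([^"]+?)\.?"')
# An active Executable: line, quoted or not (names such as !EZParser.mkape need quotes).
_EXEC_RE = re.compile(r'^\s*Executable:\s*"?([^"\s]+)"?\s*$')


def parse_requirements(module_text):
    """Return (bin_paths, submodules) declared by the module text."""
    bin_paths, submodules = [], []
    for line in module_text.splitlines():
        if line.lstrip().startswith("#"):
            # Prerequisite comments; os.sep lets the check run on any platform.
            bin_paths.extend(p.replace("\\", os.sep) for p in _BIN_PATH_RE.findall(line))
            continue  # a commented-out processor declares nothing
        m = _EXEC_RE.match(line)
        if m:
            submodules.append(m.group(1))
    return bin_paths, submodules


def find_submodule(kape_root, name):
    """Sub-modules may live anywhere below Modules\\ (KAPE loads them recursively)."""
    return next(Path(kape_root, "Modules").rglob(name), None)


def preflight(kape_root, module_text):
    """Return the missing prerequisites; an empty list means the module can run."""
    bin_paths, submodules = parse_requirements(module_text)
    missing = [p for p in bin_paths if not Path(kape_root, p).exists()]
    missing += [s for s in submodules if find_submodule(kape_root, s) is None]
    return missing


def build_demo_root():
    """Constructed KAPE tree with LogParser.exe and the three sub-modules present,
    but without the Chainsaw binary and sigma rules. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="kape_demo_"))
    for rel in ("Modules/bin/LogParser.exe", "Modules/Compound/LogParser.mkape",
                "Modules/Compound/!EZParser.mkape", "Modules/Windows/Chainsaw.mkape"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return str(root)


if __name__ == "__main__":
    for item in preflight(build_demo_root(), SAMPLE_MODULE):
        print("missing:", item)
```

Against a real installation, pass the KAPE root and the content of the .mkape file to `preflight()`; the check only confirms that files and directories exist at the commented paths, so a binary of the wrong version or a missing .NET runtime still has to be caught by running the sub-module once on a small sample.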