Awesome
KapeStrike
KapeStrike is a collection of powershell scripts designed to streamline the collection of Kape triage packages via Crowdstrike's RTR function and can handle single or multiple hosts as well as queue collections for offline hosts by utilizing the amazing module PsFalcon in addition too parsing the data with multiple tools, massive shout out to Erik Zimmerman, including supertimeline creation with plaso
Consists of 3 scripts:
- Invoke-Falcon.ps1 which uses PsFalcon to start an RTR session and kick off a kape triage collection
- Invoke-Falcon-Remote.ps1 is intended to be ran during the RTR session and will unzip kape, kick off a collection, upload it to an SFTP server as VHDX, then remove the files from the host.
- Parse-Artifacts.ps1 takes the mounted VHDX drive letter and runs through various tools to parse the data including super timeline creation with plaso.
Prerequisite
- An RTR API key with rights to run scripts in RTR
- PsFalcon installed on the examiner's machine
- Files and scriptes staged in Crowdstrike
- On the host which will parse the evidence:
- WSL2 with Log2Timeline and sluethkit installed
- A tools folder with the required tools on the host parsing the evidence
- EZ tools can be installed from Erik Zimmerman's github: https://ericzimmerman.github.io/#!index.md
- A storage solution to write the captures (e.g. sftp server)
Set Up
Crowdstrike
- Upload the Invoke-Kape-Remote.ps1 file to "Custom Scripts" and change the connection details to match your environment
- Upload a zipped copy of KAPE.exe, and a standalone 7za.exe to "PUT" Files. I remove the bin folder to cutdown on file size since we do the parsing off system
Collection
- Install PsFalcon on the system which will be kicking off collections:
- Import the Invoke-Kape.ps1 function to the same system
Evidence Parsing
- On the system that will be used to parse the evidence import the Parse-Evidence.ps1 function and change the $toolsDrivePath variable on line 26 to your tools folder
2. It expects the tools folder to be laid out in a rather flat way, with only applications with dependant files in their own folder
Usage
Invoke-Falcon.ps1
You can supply single or multi hosts with slight behavioral changes depending, but functionality is the same.
To kick off a collection run the Invoke-Kape function and supply the target hostname(s) and the RTR API key details
For multiple hosts there is an optional -OutPath flag which will create a CSV containing hostnames and offline/online status
Parse-Evidence.ps1
After downloading the collection mount the vhdx and take note of the drive letter
Run the Parse-Artifacts function and supply the mounted drive letter, the output path for the parsed files, and optionally a date time filter for the super timeline in YYYY-MM-DD format
When it's finished running your output folder will have evidence parsed and labeled
Current Supported Evidence and Tools:
- $MFT Filesystem
- MFTeCMD.exe
- Windows Event Logs
- Chainsaw.exe
- EvtxECmd.exe
- Amcache
- AmcacheParser.exe
- ShimCache
- AppCompatCacheParser.exe
- Prefetch
- PECmd.exe
- Registry Evidence of Execution
- RegistryExplorer.exe
- Timeline
- Filesystem Timeline
- Supertimeline
TO DO
Add flexability to Parse-Evidence to select which artifacts or all
Add better searching for tools for more flexible file structures
Add SRUM and Win10 timeline to parse-evidence