Awesome

KapeStrike

KapeStrike is a collection of powershell scripts designed to streamline the collection of Kape triage packages via Crowdstrike's RTR function and can handle single or multiple hosts as well as queue collections for offline hosts by utilizing the amazing module PsFalcon in addition too parsing the data with multiple tools, massive shout out to Erik Zimmerman, including supertimeline creation with plaso

Consists of 3 scripts:

• Invoke-Falcon.ps1 which uses PsFalcon to start an RTR session and kick off a kape triage collection
• Invoke-Falcon-Remote.ps1 is intended to be ran during the RTR session and will unzip kape, kick off a collection, upload it to an SFTP server as VHDX, then remove the files from the host.
• Parse-Artifacts.ps1 takes the mounted VHDX drive letter and runs through various tools to parse the data including super timeline creation with plaso.

Prerequisite

• An RTR API key with rights to run scripts in RTR
• PsFalcon installed on the examiner's machine
• Files and scriptes staged in Crowdstrike
• On the host which will parse the evidence:
  • WSL2 with Log2Timeline and sluethkit installed
  • A tools folder with the required tools on the host parsing the evidence
  • EZ tools can be installed from Erik Zimmerman's github: https://ericzimmerman.github.io/#!index.md
• A storage solution to write the captures (e.g. sftp server)
  • https://docs.microsoft.com/en-us/samples/azure-samples/sftp-creation-template/sftp-on-azure/
  • https://docs.aws.amazon.com/transfer/latest/userguide/create-server-sftp.html
  • etc

Set Up

Crowdstrike

1. Upload the Invoke-Kape-Remote.ps1 file to "Custom Scripts" and change the connection details to match your environment

1. Upload a zipped copy of KAPE.exe, and a standalone 7za.exe to "PUT" Files. I remove the bin folder to cutdown on file size since we do the parsing off system

Collection

1. Install PsFalcon on the system which will be kicking off collections:

Install Instructions

1. Import the Invoke-Kape.ps1 function to the same system

Evidence Parsing

1. On the system that will be used to parse the evidence import the Parse-Evidence.ps1 function and change the $toolsDrivePath variable on line 26 to your tools folder

2. It expects the tools folder to be laid out in a rather flat way, with only applications with dependant files in their own folder

Usage

Invoke-Falcon.ps1

You can supply single or multi hosts with slight behavioral changes depending, but functionality is the same.

To kick off a collection run the Invoke-Kape function and supply the target hostname(s) and the RTR API key details

For multiple hosts there is an optional -OutPath flag which will create a CSV containing hostnames and offline/online status

Parse-Evidence.ps1

After downloading the collection mount the vhdx and take note of the drive letter

Run the Parse-Artifacts function and supply the mounted drive letter, the output path for the parsed files, and optionally a date time filter for the super timeline in YYYY-MM-DD format

When it's finished running your output folder will have evidence parsed and labeled

Current Supported Evidence and Tools:

• $MFT Filesystem
  • MFTeCMD.exe
• Windows Event Logs
  • Chainsaw.exe
  • EvtxECmd.exe
• Amcache
  • AmcacheParser.exe
• ShimCache
  • AppCompatCacheParser.exe
• Prefetch
  • PECmd.exe
• Registry Evidence of Execution
  • RegistryExplorer.exe
• Timeline
  • Filesystem Timeline
  • Supertimeline

TO DO

Add flexability to Parse-Evidence to select which artifacts or all

Add better searching for tools for more flexible file structures

Add SRUM and Win10 timeline to parse-evidence