KapeStrike

KapeStrike is a collection of PowerShell scripts that streamlines the collection of KAPE triage packages through CrowdStrike's Real Time Response (RTR) function. It handles single or multiple hosts, queues collections for hosts that are offline by using the excellent PSFalcon module, and parses the collected data with multiple tools (massive shout out to Eric Zimmerman), including supertimeline creation with plaso.

Consists of 3 scripts:

  1. Invoke-Kape-Remote.ps1, the RTR script uploaded to CrowdStrike and run on the target host
  2. Invoke-Kape.ps1, run on the analyst system to kick off collections through PSFalcon
  3. Parse-Evidence.ps1, run on the analysis system to parse the downloaded collection

Prerequisite

Set Up

CrowdStrike

  1. Upload the Invoke-Kape-Remote.ps1 file to "Custom Scripts" and change the connection details to match your environment

  2. Upload a zipped copy of KAPE.exe and a standalone 7za.exe to "PUT" Files. The bin folder is removed to cut down on file size, since parsing is done off the collected system

Collection

  1. Install PSFalcon on the system that will kick off collections:

Install Instructions

  2. Import the Invoke-Kape.ps1 function on the same system

Evidence Parsing

  1. On the system that will be used to parse the evidence, import the Parse-Evidence.ps1 function and change the $toolsDrivePath variable on line 26 to your tools folder

  2. It expects the tools folder to be laid out in a fairly flat way, with only applications that have dependent files in their own folder

Usage

Invoke-Kape.ps1

You can supply a single host or multiple hosts; behaviour differs slightly depending on which, but the functionality is the same.

To kick off a collection, run the Invoke-Kape function and supply the target hostname(s) and the RTR API key details.

For multiple hosts there is an optional -OutPath flag, which will create a CSV containing the hostnames and their online/offline status.
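As an added example (not KapeStrike's own code, which is not reproduced here), this is what the collection step looks like when done directly with PSFalcon cmdlets: resolve hostnames to agent IDs, record each host's online/offline state to a CSV the way -OutPath does, and launch the cloud script, queueing it for hosts that are offline. The cmdlet names and parameters are PSFalcon's own; the Custom Scripts name Invoke-Kape-Remote, the environment-variable credentials, the CSV column names and the function name are assumptions. The API client needs the Real Time Response (Admin) scope, because runscript with a cloud file is an admin command.

```powershell
# Added example; not KapeStrike's own code. Re-creates the README's collection
# flow with PSFalcon cmdlets. Assumed (not from the page): the cloud script is
# saved in Custom Scripts as "Invoke-Kape-Remote", API credentials come from
# environment variables, and the CSV column names are my own.
Import-Module PSFalcon

function Invoke-KapeCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Hostname,
        [string]$OutPath,                                   # optional CSV of host state
        [string]$ClientId     = $env:FALCON_CLIENT_ID,      # assumed env var
        [string]$ClientSecret = $env:FALCON_CLIENT_SECRET,  # assumed env var
        [string]$Cloud        = 'us-1'
    )

    # The API client needs Real Time Response (Admin) scope: runscript with a
    # cloud file is an admin command.
    Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret -Cloud $Cloud

    # Resolve hostnames to agent IDs with an FQL list filter. A hostname can
    # have several device records (re-imaged machines); keep the most recent.
    $quoted = ($Hostname | ForEach-Object { "'$_'" }) -join ','
    $hosts = Get-FalconHost -Filter "hostname:[$quoted]" -Detailed |
        Group-Object hostname | ForEach-Object {
            $_.Group | Sort-Object last_seen -Descending | Select-Object -First 1
        }
    if (-not $hosts) { throw "No hosts matched: $($Hostname -join ', ')" }

    # Current online/offline state per agent ID (this is what -OutPath records).
    $state  = Get-FalconHost -Id @($hosts.device_id) -State
    $status = foreach ($h in $hosts) {
        $s = $state | Where-Object { $_.id -eq $h.device_id }
        [pscustomobject]@{
            Hostname = $h.hostname
            AgentId  = $h.device_id
            State    = if ($s) { $s.state } else { 'unknown' }
        }
    }
    if ($OutPath) { $status | Export-Csv -Path $OutPath -NoTypeInformation }

    # Launch the cloud script on every host. Offline hosts are queued and the
    # command runs when the sensor next checks in; queued commands expire after
    # seven days, so re-run for hosts that stay offline longer than that.
    $rtr = Invoke-FalconRtr -Command runscript -Argument "-CloudFile='Invoke-Kape-Remote'" `
        -HostId @($hosts.device_id) -QueueOffline:$true

    [pscustomobject]@{ Status = $status; Rtr = $rtr }
}

# Usage (hostnames are placeholders):
# Invoke-KapeCollection -Hostname 'WKS-001','WKS-002' -OutPath .\kape-status.csv
```

The returned Rtr member is PSFalcon's per-host result (stdout, stderr and whether the command was queued), which is worth keeping alongside the CSV: an "online" host that returns an error from the script is not a successful collection, and -State is only a snapshot taken before the command was issued.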

Parse-Evidence.ps1

After downloading the collection, mount the VHDX and take note of the drive letter.

Run the Parse-Artifacts function and supply the mounted drive letter, the output path for the parsed files, and optionally a date/time filter for the supertimeline in YYYY-MM-DD format.

When it has finished running, your output folder will contain the parsed and labeled evidence.
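As an added example of what happens at this step (not Parse-Evidence.ps1's own code), assuming the flat tools folder the README describes and KAPE's VHDX layout, where the source drive's files sit under a C folder at the root of the mounted volume: mount the VHDX read-only, find its drive letter, run a few of Eric Zimmerman's tools against the mounted copy, and build the plaso supertimeline with the optional YYYY-MM-DD filter. The tool names and switches are the real ones for MFTECmd, PECmd, EvtxECmd, AmcacheParser, log2timeline and psort; $ToolsPath, the function name and the output folder names are assumptions.

```powershell
# Added example; not Parse-Evidence.ps1's own code. Mounts a KAPE VHDX, runs a
# few Eric Zimmerman tools from a flat tools folder against the mounted copy,
# then builds a plaso supertimeline with an optional start-date filter.
# Assumed (not from the page): $ToolsPath, the output folder names, and that the
# collected files sit under "<letter>:\C\" (KAPE keeps the source drive letter).
function Invoke-TriageParse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VhdxPath,
        [Parameter(Mandatory)][string]$OutputPath,
        [string]$ToolsPath = 'C:\Tools',     # assumed; same role as $toolsDrivePath
        [string]$StartDate                   # optional, YYYY-MM-DD
    )
    if ($StartDate -and $StartDate -notmatch '^\d{4}-\d{2}-\d{2}$') {
        throw 'StartDate must be in YYYY-MM-DD format'
    }
    New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

    # Mount read-only so nothing inside the evidence container is modified.
    $img    = Mount-DiskImage -ImagePath $VhdxPath -Access ReadOnly -PassThru
    $letter = ($img | Get-Disk | Get-Partition | Get-Volume |
               Where-Object { $_.DriveLetter } | Select-Object -First 1).DriveLetter
    if (-not $letter) {
        Dismount-DiskImage -ImagePath $VhdxPath | Out-Null
        throw "No drive letter was assigned for $VhdxPath"
    }
    $root = "${letter}:\C"

    try {
        # Tool -> argument list. The "flat" layout means each exe is at most one
        # folder deep, so a recursive search by file name is enough to find it.
        $jobs = [ordered]@{
            MFTECmd       = @('-f', "$root\`$MFT", '--csv', "$OutputPath\MFT")
            PECmd         = @('-d', "$root\Windows\Prefetch", '--csv', "$OutputPath\Prefetch")
            EvtxECmd      = @('-d', "$root\Windows\System32\winevt\Logs", '--csv', "$OutputPath\EventLogs")
            AmcacheParser = @('-f', "$root\Windows\AppCompat\Programs\Amcache.hve", '--csv', "$OutputPath\Amcache")
        }
        foreach ($tool in $jobs.Keys) {
            $exe = Get-ChildItem -Path $ToolsPath -Filter "$tool.exe" -File -Recurse |
                   Select-Object -First 1
            if (-not $exe) { Write-Warning "$tool.exe not found under $ToolsPath"; continue }
            $toolArgs = $jobs[$tool]
            & $exe.FullName @toolArgs
        }

        # Supertimeline: log2timeline builds the plaso store, psort writes CSV.
        # The Windows plaso release ships .exe wrappers; use the .py scripts if
        # you run plaso from a Python install instead.
        $plaso = Join-Path $OutputPath 'timeline.plaso'
        & log2timeline.exe --storage-file $plaso $root
        $psortArgs = @('-o', 'l2tcsv', '-w', (Join-Path $OutputPath 'supertimeline.csv'), $plaso)
        if ($StartDate) { $psortArgs += "date > '$StartDate 00:00:00'" }   # psort event filter
        & psort.exe @psortArgs
    }
    finally {
        Dismount-DiskImage -ImagePath $VhdxPath | Out-Null
    }
}

# Usage (paths are placeholders):
# Invoke-TriageParse -VhdxPath 'D:\cases\WKS-001.vhdx' -OutputPath 'D:\cases\WKS-001-parsed' -StartDate 2024-01-01
```

Mounting with -Access ReadOnly matters for evidence handling: a read-write mount lets the tools (and Windows itself, with things like System Volume Information) write into the container, which changes its hash. The date filter is applied at the psort stage rather than at log2timeline, so the full plaso store is kept and can be re-queried with a different window without re-parsing.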

Currently supported evidence and tools:

TO DO

Add flexibility to Parse-Evidence to select which artifacts to parse, or all

Add better searching for tools for more flexible file structures

Add SRUM and Windows 10 timeline parsing to Parse-Evidence