Awesome

Kape2ADX

Project Introduction

This is a project for automating your KAPE process. The project performs the following steps:

• Continously monitors Azure Blob container for new KAPE .zips landing
• Automatically pulls them down for processing with Log2Timeline/PSort (Auto checks for .zips already processed)
• Log files of each run is outputted to /opt/
• Uploads the .csv super timeline to Blob container
• You can then import this super timeline to Azure Data Explorer and run the provided KQL queries to expedite your forensics triage

Technologies

Inspiration & Acknowledgement

I'd like to acknowledge and thank the following for contributing either knowledge or inspiring me to create this:

• @Reconinfosec - https://github.com/ReconInfoSec/velociraptor-to-timesketch - This project is very similar, however, doesn't use the tech I'm used to using! Awesome project that inspired this.
• https://www.linkedin.com/in/sebh24/ - Providing advice around packaging up .py scripts for a later version.

Getting Started

1. Setup Virtual Machine

• Virtual Machine to run the project (Ubuntu server 20.04) - I've tested this project on 8 vCPUs and 16GB RAM with 4-6 KAPE collections simultaneously, this takes about 2-2.5hrs to run.
• Azure storage account and container

2. Install prerequisites on VM

• sudo apt-get update<br>
• sudo add-apt-repository ppa:gift/stable<br>
• sudo apt-get update<br>
• sudo apt-get install plaso-tools<br>
• apt install python3 python3-pip unzip inotify-tools -y<br>
• pip install azure-storage-blob<br>
• snap install azcli<br>
• git clone https://github.com/mikecybersec/Kape2ADX
• chmod 777 processor.sh

3. Edit variables in the scripts & Create 'Triage' directory

• You will need to provide 'watchblob.py' script with the following variables: Azure account name, Azure account key, Container name. You can find these by using CTRL + F "HERE" and replacing the placeholders.
• mkdir '/opt/kapetriages/'
• Edit the azdir variable for the install location of azcopy, in the processor.sh script

4. Run the project!

To run the project, run these in the following order:

• ./processor.sh
• sudo python3 watchblob.py

Features to add

• Ability to work with passworded .zip triages.
• Secure variables rather than storing them in code.
• I'm aiming to make the setup steps more slick, perhaps VM templates for Azure with pre-reqs already installed etc? Open to suggestions on how to better package this up :)

Disclaimer

This is a personal project, I recommend you take this project, test it and amend it to suit your requirements. I hold no responsibility for any adverse affects on data or infrastructure as a result of running this project.

Feedback

Always welcome! I'm on X @mikecybersec