Merge pull request #967 from MaxZabuty/More-Creation-and-Modification…

…-Max

Created some new things

Modules/Apps/SysInternals/SysInternals_Autoruns.mkape

@@ -1,14 +1,14 @@
 Description: Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
-Category: LiveResponse
+Category: Persistence
 Author: Andy Furnas, Encoding updates by piesecurity, Andreas Hunkeler (@Karneades)
-Version: 1.4
+Version: 1.5
 Id: c95e71bd-7abb-48c3-abae-f48b9ff19dec
 BinaryUrl: https://download.sysinternals.com/files/Autoruns.zip
 ExportFormat: csv
 Processors:
     -
         Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-        CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Path '%destinationDirectory%\autoruns.csv'"
+        CommandLine: -Command "& '%kapedirectory%\Modules\bin\autorunsc.exe' -a * -s -c -accepteula -nobanner -h * | Set-Content -Encoding UTF8 -Path '%destinationDirectory%\Autoruns.csv'"
         ExportFormat: csv
 
 # Documentation

Modules/Compound/NetworkActivity.mkape

@@ -0,0 +1,66 @@
+Description: Parsing all information for Network Activity Category
+Category: Network Activity
+Author: Max Zabuty
+Version: 1
+Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de
+ExportFormat: json
+Processors:
+    -
+        Executable: PowerShell_SMBMapping.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_SMBOpenFile.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_SMBSession.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_NetNeighbor.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_TCPConnections.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_NetworkAdapters.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_NetworkIPAddresses.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_NetworkIPConfiguration.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_DnsClientCache.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: Windows_nbtstat_NetBIOSCache.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: Windows_nbtstat_NetBIOSSessions.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: Powershell_Wireless_Network_Connections.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_NamedPipes.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_NetRoute.mkape
+        CommandLine: ""
+        ExportFormat: ""
+
+# Documentation:
+# N/A

Modules/Compound/Persistence.mkape

@@ -0,0 +1,26 @@
+Description: Parsing all Persistence category
+Category: Persistence
+Author: Max Zabuty
+Version: 1
+Id: 8da4a739-5367-47ca-ab84-12f4a0f8e0de
+ExportFormat: json
+Processors:
+    -
+        Executable: Windows_schtasks.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: SysInternals_Autoruns.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_WMIProviders.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_AccessibilityFeatures.mkape
+        CommandLine: ""
+        ExportFormat: ""
+
+# Documentation:
+# N/A

Modules/Compound/PowerShell_LiveResponse_SystemInfo.mkape

@@ -37,3 +37,6 @@ Processors:
         Executable: PowerShell_Services_List.mkape
         CommandLine: ""
         ExportFormat: ""
+
+# Documentation:
+# N/A

Modules/Compound/SystemInformation.mkape

@@ -0,0 +1,54 @@
+Description: Parsing all information for System Information Category
+Category: System Information
+Author: Max Zabuty
+Version: 1
+Id: 223ac60b-b5be-4f79-8e16-4f16b1597f3c
+ExportFormat: json
+Processors:
+    -
+        Executable: PowerShell_SystemInformation.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_Processes.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_ProcessesIncludingServices.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_Drivers.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_NetworkShares.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_ActiveDrives.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_LocalUsers.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_LocalGroups.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: Windows_klist.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: Windows_nltest.mkape
+        CommandLine: ""
+        ExportFormat: ""
+    -
+        Executable: PowerShell_Defender_Exclusions.mkape
+        CommandLine: ""
+        ExportFormat: ""
+
+# Documentation:
+# N/A

Modules/Windows/PowerShell_AccessibilityFeatures.mkape

@@ -0,0 +1,20 @@
+Description: Checks for Debugger registry value and file integrity of specific Windows features
+Category: Persistence
+Author: Max Zabuty
+Version: 1.0
+Id: e3444190-b58e-4fe7-8048-e0bb1f40b3c7
+ExportFormat: csv
+Processors:
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: >
+            -Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults | Export-Csv -NoTypeInformation -Encoding UTF8 -Path \"%destinationDirectory%\AccessibilityFeaturesCheck.csv\" "
+        ExportFormat: csv
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: >
+            -Command "$features = @(\"sethc.exe\", \"utilman.exe\", \"AtBroker.exe\", \"Narrator.exe\", \"Magnify.exe\", \"DisplaySwitch.exe\", \"osk.exe\"); $results = @(); foreach ($feature in $features) { $regPath = \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$feature\"; $result = @{FeatureName = $feature; Debugger = $null; IsValid = $null}; if (Test-Path -Path \"$regPath\Debugger\") { $result.Debugger = Get-ItemPropertyValue -Path $regPath -Name Debugger } else { $result.Debugger = \"No Debugger\" }; $filePath = \"C:\Windows\System32\$feature\"; $sfcOutput = sfc /VERIFYFILE=$filePath; $sfcOutput = $sfcOutput[5].Split(\"`0\") -join \"\"; if ($sfcOutput -like \"Windows Resource Protection did not find any integrity violations.\") { $result.IsValid = \"Valid\" } elseif ($sfcOutput -match \"Windows Resource Protection could not perform the requested operation\") { $result.IsValid = \"Error: Could not perform operation\" } else { $result.IsValid = \"File not found or invalid\" }; $results += $result }; $customResults = $results | ForEach-Object {[PSCustomObject]@{FeatureName = $_.FeatureName; Debugger = $_.Debugger; IsValid = $_.IsValid}}; $customResults  | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\AccessibilityFeaturesCheck.json' "
+        ExportFormat: json
+
+# Documentation
+# https://support.microsoft.com/en-us/windows/discover-windows-accessibility-features-8b1068e6-d3b8-4ba8-b027-133dd8911df9

Modules/Windows/PowerShell_DnsClientCache.mkape

@@ -1,5 +1,5 @@
 Description: Displaying DNS Client Cache
-Category: LiveResponse
+Category: Network Activity
 Author: Max Zabuty
 Version: 1.0
 Id: 0bec8e98-4111-4d91-a774-0b8d50eaf430

Modules/Windows/PowerShell_NamedPipes.mkape

@@ -1,15 +1,18 @@
 Description: Named Pipes List
-Category: LiveResponse
-Author: nov3mb3r
+Category: Network Activity
+Author: Max Zabuty
 Version: 1.0
 Id: f1f5f93d-d03b-45f4-bf72-7b8f9dc7ac23
-ExportFormat: txt
+ExportFormat: csv
 Processors:
     -
         Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-        CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' |  Sort Length | Format-Table FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime"
-        ExportFormat: txt
-        ExportFile: pipes.txt
+        CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' |  Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Named Pipes.csv'"
+        ExportFormat: csv
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: -Command "Get-ChildItem -Path '\\.\pipe\' |  Sort Length | Select FullName, Length, IsReadOnly, Exists, CreationTime, LastAccessTime | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Named Pipes.json'"
+        ExportFormat: json
 
 # Documentation
 # https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes

Modules/Windows/PowerShell_NetNeighbor.mkape

@@ -1,13 +1,13 @@
 Description: Displaying ARP Table using PowerShell
-Category: LiveResponse
+Category: Network Activity
 Author: Max Zabuty
 Version: 1.0
 Id: f25cbff9-fb0c-406b-ba70-c61709c102ae
 ExportFormat: csv
 Processors:
     -
         Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-        CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\ARP Table.csv'"
+        CommandLine: -Command "Get-NetNeighbor | ?{$_.AddressFamily -eq 'IPv4'} | Select InterfaceAlias,IPAddress,LinkLayerAddress,State | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\ARP Table.csv' "
         ExportFormat: csv
     -
         Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Modules/Windows/PowerShell_NetRoute.mkape

@@ -0,0 +1,20 @@
+Description: Collecting Network Routing Table Information
+Category: Network Activity
+Author: Max Zabuty
+Version: 1.0
+Id: f1eaaf30-3b13-4c0e-836c-071f7a668948
+ExportFormat: csv
+Processors:
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: >
+            -Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network Routing Table.csv'"
+        ExportFormat: csv
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: >
+            -Command "Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol, InterfaceIndex, AddressFamily | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network Routing Table.json'"
+        ExportFormat: json
+
+# Documentation
+# https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute?view=windowsserver2022-ps

Modules/Windows/PowerShell_NetworkAdapters.mkape

@@ -1,5 +1,5 @@
 Description: Collecting Network Adapters Information
-Category: LiveResponse
+Category: Network Activity
 Author: Max Zabuty
 Version: 1.0
 Id: 15ab571c-1fde-433e-a9b7-9132542ff07f

Modules/Windows/PowerShell_NetworkIPAddresses.mkape

@@ -1,5 +1,5 @@
 Description: Collecting Network IP Address Information
-Category: LiveResponse
+Category: Network Activity
 Author: Max Zabuty
 Version: 1.0
 Id: 85d5e5cb-630c-4e70-9153-738e30c9d973

Modules/Windows/PowerShell_NetworkIPConfiguration.mkape

@@ -1,17 +1,19 @@
 Description: Collecting Network IP Configuration and Parsing Specific Fields
-Category: LiveResponse
+Category: Network Activity
 Author: Max Zabuty
 Version: 1.0
 Id: 76a02001-2a44-4e19-a3f7-14d2352f678d
 ExportFormat: csv
 Processors:
     -
         Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-        CommandLine: -Command "Get-NetIPConfiguration | Select InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name="NetProfile";expression={$_.NetProfile.Name}},@{name="IPv4Address";expression={$_.IPv4Address -join ","}},@{name="IPv4DefaultGateway";expression={$_.IPv4DefaultGateway -join ","}},@{name="DNSServer";expression={$_.DNSServer -join ","}} | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Configuration.csv'"
+        CommandLine: >
+            -Command "Get-NetIPConfiguration | Select-Object InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name='NetProfile';expression={$_.NetProfile.Name}},@{name='IPv4Address';expression={$_.IPv4Address -join ','}},@{name='IPv4DefaultGateway';expression={$_.IPv4DefaultGateway -join ','}},@{name='DNSServer';expression={$_.DNSServer -join ','}} | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\Network IP Configuration.csv'"
         ExportFormat: csv
     -
         Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-        CommandLine: -Command "Get-NetIPConfiguration | Select InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name="NetProfile";expression={$_.NetProfile.Name}},@{name="IPv4Address";expression={$_.IPv4Address -join ","}},@{name="IPv4DefaultGateway";expression={$_.IPv4DefaultGateway -join ","}},@{name="DNSServer";expression={$_.DNSServer -join ","}} | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network IP Configuration.json'"
+        CommandLine: >
+            -Command "Get-NetIPConfiguration | Select-Object InterfaceAlias,InterfaceIndex,InterfaceDescription,@{name='NetProfile';expression={$_.NetProfile.Name}},@{name='IPv4Address';expression={$_.IPv4Address -join ','}},@{name='IPv4DefaultGateway';expression={$_.IPv4DefaultGateway -join ','}},@{name='DNSServer';expression={$_.DNSServer -join ','}} | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\Network IP Configuration.json'"
         ExportFormat: json
 
 # Documentation

Modules/Windows/PowerShell_RecycleBinParsing.mkape

@@ -0,0 +1,22 @@
+Description: Parses the Recycle Bin, gathering details about deleted files and exports the results in CSV and JSON formats. (Time in UTC)
+Category: FileDeletion
+Author: Max Zabuty
+Version: 1.0
+Id: 3d845a61-5f0e-4d4f-bf57-b0e77b6b5db1
+ExportFormat: csv
+Processors:
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: >
+            -Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | Export-Csv -Encoding UTF8 -NoTypeInformation -Path '%destinationDirectory%\RecycleBin.csv'"
+        ExportFormat: csv
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: >
+            -Command "$shell = New-Object -ComObject Shell.Application; $recycleBin = $Shell.Namespace(0xA); $recycled = @(); $recycleBin.Items() | % { $originalPath = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 2'); $originalPath = (Join-Path -Path $originalPath -ChildPath $_.Name); $recycledPath = $_.Path; if (Test-Path $recycledPath -PathType Container) { $fileType = 'Directory' } else { $fileType = 'File' }; $sha1 = (Get-FileHash -Algorithm SHA1 -Path $recycledPath -ErrorAction SilentlyContinue).Hash; $removalDate = $_.ExtendedProperty('{9B174B33-40FF-11D2-A27E-00C04FC30871} 3'); $recycleSid = $recycledPath.Split('\\')[2]; $objSID = New-Object System.Security.Principal.SecurityIdentifier($recycleSid); $userName = $objSID.Translate([System.Security.Principal.NTAccount]).Value; $properties = [ordered]@{ 'Removal Date' = $removalDate; 'Username' = $userName; 'Recycle Bin Path' = $recycledPath; 'Original Path' = $originalPath; 'File Name' = $_.Name; 'File Type' = $fileType; 'SHA1' = $sha1 }; $recycled += New-Object psobject -Property $properties }; [System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell) | Out-Null; [System.GC]::Collect(); [System.GC]::WaitForPendingFinalizers(); $shell = $null; $recycled | ConvertTo-Json | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\RecycleBin.json'"
+        ExportFormat: json
+
+# Documentation
+# https://forensafe.com/blogs/recycleBin.html
+# https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal
+# https://www.devhut.net/vba-shell-application-deep-dive/

Modules/Windows/PowerShell_SMBMapping.mkape

@@ -1,14 +1,18 @@
 Description: Retrieves the Server Message Block (SMB) client directory mappings. It replaces the command net use.
-Category: LiveResponse
-Author: Vito Alfano
+Category: Network Activity
+Author: Vito Alfano, Max Zabuty
 Version: 1.0
 Id: 36092684-5d40-4159-baed-822b7eaaf0a0
 ExportFormat: csv
 Processors:
     -
         Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-        CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status  | Export-Csv -Path %destinationDirectory%\Net_Use.csv -NoTypeInformation "
+        CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.csv' "
         ExportFormat: csv
+    -
+        Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+        CommandLine: -Command "Get-SMBMapping | Select LocalPath, RemotePath, Status, RequireIntegrity, RequirePrivacy, UseWriteThrough | Export-Csv -NoTypeInformation -Encoding UTF8 -Path '%destinationDirectory%\SMB Mapping.json' "
+        ExportFormat: json
 
 # Documentation
 # https://learn.microsoft.com/en-us/powershell/module/smbshare/get-smbmapping?view=windowsserver2022-ps