Merge pull request #907 from AndrewRathbun/master

Update and rename AssetAdvisorLog.tkape to SCCMClientLogs.tkape
EricZimmerman · Mar 14, 2024 · 596bea4 · 596bea4
2 parents f031c38 + 51ffdbe
commit 596bea4
Show file tree

Hide file tree

Showing 8 changed files with 24 additions and 23 deletions.
diff --git a/Modules/CompoundModuleGuide.guide b/Modules/CompoundModuleGuide.guide
@@ -2,8 +2,7 @@ Description: Name of application/artifact here # Required, this should be higher
 Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
 Author: FirstName LastName # Make sure you get credit for your work
 Version: 1.0 # Required, iterate as necessary
-Id: 62308e3b-5e67-4612-b472-24e0c85fccfe # Required, unique GUID is required for every KAPE Target/Module
-BinaryUrl: https://url.goes.here.com # Required
+Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guidBinaryUrl: https://url.goes.here.com # Required
 ExportFormat: csv # Required
 FileMask: FileName.exe # For a Compound Module, this shouldn't matter as each individual Module will have its own filemask that the Module will be looking for when executing commands listed within the Module
 Processors:

diff --git a/Modules/CompoundModuleTemplate.template b/Modules/CompoundModuleTemplate.template
@@ -2,7 +2,7 @@ Description: Name of application/artifact here
 Category: Misc
 Author: FirstName LastName
 Version: 1.0
-Id: b61ccd7a-3f8a-4347-b5ac-21486aaa76c4
+Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbea # Change this, and delete this comment before merging, please
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv
 FileMask: FileName.exe

diff --git a/Modules/ModuleGuide.guide b/Modules/ModuleGuide.guide
@@ -2,7 +2,7 @@ Description: Name of application/artifact here # Required
 Category: Misc # Required, this value will be the name of the folder where the parsed Module output is stored
 Author: FirstName LastName # Make sure you get credit for your work
 Version: 1.0 # Required, iterate as necessary
-Id: 0256a455-1248-4e30-8175-727679189ddd # Required, unique GUID is required for every KAPE Target/Module
+Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here. Or, run kape.exe --guid
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv # Required, this is the default ExportFormat in the instance the user chooses a format that is not listed below, or simply chooses Default within gkape
 WaitTimeout: 0 # Optional, this specifies the number of minutes KAPE should wait for a Module to finish

diff --git a/Modules/ModuleTemplate.template b/Modules/ModuleTemplate.template
@@ -2,7 +2,7 @@ Description: Name of application/artifact here
 Category: Misc
 Author: FirstName LastName
 Version: 1.0
-Id: a2231a4c-3bdf-4254-a2ab-06021789d1b0
+Id: eb5a737f-cfa1-483b-a452-3bd1efc4dbef # Change this, and delete this comment before merging, please
 BinaryUrl: https://url.goes.here.com
 ExportFormat: csv
 FileMask: FileName.exe

diff --git a/Targets/CompoundTargetGuide.guide b/Targets/CompoundTargetGuide.guide
@@ -2,7 +2,7 @@
 Description: Name of application/artifact here # Required, this will be visible within gKape on the Target side under the Description colum., 
 Author: Your name here # Required
 Version: 1.0 # Required, increment as revisions are made.
-Id: Unique GUID here # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here.
+Id: a0bd74ff-4848-4663-8093-865394b0da97 # Required, generate within gKape by double clicking on a Target or Module, then click Generate GUID button at bottom of popup window, paste GUID here.
 RecreateDirectories: true # Required, true means the folder structure of the artifacts will be created within the user-specified Target Destination directory. If an artifact is buried 10 folders deep on the suspect's system, it will be buried 10 folders deep within the Target Destination folder.
 Targets:
     -

diff --git a/Targets/CompoundTargetTemplate.template b/Targets/CompoundTargetTemplate.template
@@ -1,7 +1,7 @@
 Description: Name of application/artifact here # Required
 Author: Your name here # Required
 Version: 1.0 # Required
-Id: Unique GUID here # Required
+Id: 89a28b16-15b1-476a-bd17-e3ba2602d5e0 # Required
 RecreateDirectories: true # Required
 Targets:
     -

diff --git a/Targets/Windows/AssetAdvisorLog.tkape b/Targets/Windows/AssetAdvisorLog.tkape
diff --git a/Targets/Windows/SCCMClientLogs.tkape b/Targets/Windows/SCCMClientLogs.tkape
@@ -0,0 +1,18 @@
+Description: SCCM Client Log Files
+Author: Andrew Rathbun
+Version: 1.0
+Id: 700413f8-703b-44fb-9192-8830ac84b6b0
+RecreateDirectories: true
+Targets:
+    -
+        Name: SCCM Client Log Files
+        Category: Logs
+        Path: C:\Windows\CCM\Logs
+
+# Documentation
+# https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/about-log-files#locating-log-files
+# Previous version of this Target: https://github.com/EricZimmerman/KapeFiles/commit/2199b6b7749b2f066e9f54a16626160279ab7948
+#
+# I have seen reference to malicious binaries associated with a user in a log found in this folder
+# Sample log entry:
+# <![LOG[Add RecentlyUsedApp: <evil.exe DOMAIN\username>]LOG]!><time="12:22:13.679+300" date="02-27-2022" component="AssetAdvisor" context="" type="1" thread="5564" file="aa_recentlyusedapps.cpp:235">