Acquire EXE with KAPE? #758
Closed
conexioninversa started this conversation in Ideas
Replies: 1 comment
-
It would end up being a 2-step process, i.e. pull registry keys, then get autoruns, etc., then make a new KAPE target to get them all. This is really a different problem, and more of a secondary stage in an incident IMO. You could certainly write a target that pulls all EXEs and DLLs from various TEMP-related places, though. That is not hard.
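As an added example (not from this thread and not an official KapeFiles target), this is what a target along the lines of the reply could look like in KAPE's `.tkape` YAML format. The Id is a placeholder GUID, the set of TEMP/AppData paths is an assumption about which locations are wanted, and the last entry assumes the `RegistryHives.tkape` compound target from the KapeFiles repository is available, since the Run/RunOnce keys live inside NTUSER.DAT and the SOFTWARE hive rather than as standalone files:

```yaml
Description: Executables and DLLs from TEMP and AppData locations, plus the hives that hold Run/RunOnce (added example, not an official KapeFiles target)
Author: Example author
Version: 1.0
Id: 00000000-0000-0000-0000-000000000000   # placeholder GUID; generate a real one before use
RecreateDirectories: true
Targets:
    -
        Name: Per-user Temp executables
        Category: Executables
        Path: C:\Users\*\AppData\Local\Temp\
        FileMask: regex:.+\.(exe|dll)$   # one regex mask covers both EXE and DLL
        Recursive: true
        Comment: "Assumed location; files are collected so a later module can hash/score them"
    -
        Name: System Temp executables
        Category: Executables
        Path: C:\Windows\Temp\
        FileMask: regex:.+\.(exe|dll)$
        Recursive: true
        Comment: "Assumed location"
    -
        Name: Roaming AppData executables
        Category: Executables
        Path: C:\Users\*\AppData\Roaming\
        FileMask: regex:.+\.(exe|dll)$
        Recursive: true
        Comment: "Assumed location (%APPDATA%); expect false positives from legitimate per-user installs"
    -
        Name: Local AppData executables
        Category: Executables
        Path: C:\Users\*\AppData\Local\
        FileMask: regex:.+\.(exe|dll)$
        Recursive: true
        Comment: "Assumed location (%LOCALAPPDATA%); this subtree can be large, so filter in a module afterwards"
    -
        Name: Registry hives containing Run/RunOnce keys
        Category: Registry
        Path: RegistryHives.tkape
        Comment: "Compound reference to the existing KapeFiles target (assumed present); NTUSER.DAT and SOFTWARE hold the Run/RunOnce keys, which must be parsed from the hives in a second step"
```

Collecting the hives rather than the key values is what makes this a two-step process as the reply describes: the target gathers files and hives, and resolving the Run/RunOnce entries to the on-disk executables (and then hashing or scoring them) belongs in a module run against the output afterwards.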
-
Hi all,
I have read the following article:
https://www.cybertriage.com/blog/analyzing-kape-dfir-artifacts-in-cyber-triage/
It seems that "the main difference" is that Cyber Triage acquires executables and DLLs for its score based on whether it is malware.
The comment is: would it be advisable or possible to make a target in KAPE that could obtain the Run/RunOnce key files and executables from the TEMP and %APPDATA% folders? Subsequently, it would be very easy to create and analyze those folders with the acquired executables with a module, and even offer a better result than Cyber Triage.
I also think that it may not be the goal of KAPE given its nature of acquiring forensic artifacts. What do you think?
Thanks