!SANS_Triage.tkape
Description: SANS Triage Collection
Author: Mark Hallman
Version: 1.5
Id: 1bfbd59d-6c58-4eeb-9da7-1d9612b79964
RecreateDirectories: true
Targets:
    -
        Name: Antivirus
        Category: Antivirus
        Path: Antivirus.tkape
    -
        Name: CloudStorage_Metadata
        Category: Apps
        Path: CloudStorage_Metadata.tkape
    -
        Name: CombinedLogs
        Category: WindowsLogs
        Path: CombinedLogs.tkape
    -
        Name: GroupPolicy
        Category: GroupPolicy
        Path: GroupPolicy.tkape
    -
        Name: EvidenceOfExecution
        Category: EvidenceOfExecution
        Path: EvidenceOfExecution.tkape
    -
        Name: FileSystem
        Category: FileSystem
        Path: FileSystem.tkape
    -
        Name: FTPClients
        Category: FTP
        Path: FTPClients.tkape
    -
        Name: LNKFilesAndJumpLists
        Category: LNKFiles
        Path: LNKFilesAndJumpLists.tkape
    -
        Name: MessagingClients
        Category: MessagingClients
        Path: MessagingClients.tkape
    -
        Name: NetworkScanner
        Category: Apps
        Path: NetworkScanner.tkape
    -
        Name: RecycleBin_InfoFiles
        Category: RecycleBin_InfoFiles
        Path: RecycleBin_InfoFiles.tkape
    -
        Name: RegistryHives
        Category: Registry
        Path: RegistryHives.tkape
    -
        Name: RemoteAccess
        Category: ApplicationLogs
        Path: RemoteAdmin.tkape
    -
        Name: ScheduledTasks
        Category: ScheduledTasks
        Path: ScheduledTasks.tkape
    -
        Name: SRUM
        Category: Execution
        Path: SRUM.tkape
    -
        Name: SUM
        Category: Logs
        Path: SUM.tkape
    -
        Name: WER
        Category: WER
        Path: WER.tkape
    -
        Name: ThumbCache
        Category: FileKnowledge
        Path: Thumbcache.tkape
    -
        Name: WBEM
        Category: WBEM
        Path: WBEM.tkape
    -
        Name: BITS
        Category: BITS
        Path: BITS.tkape
    -
        Name: WebBrowsers
        Category: Communications
        Path: WebBrowsers.tkape
    -
        Name: WindowsIndexSearch
        Category: FileKnowledge
        Path: WindowsIndexSearch.tkape
    -
        Name: WindowsTimeline
        Category: EvidenceOfExecution
        Path: WindowsTimeline.tkape
# Some additional artifacts would be candidates for inclusion in this triage target, but because they have the potential to return large amounts of data, they have been omitted.
# Additional targets include (make sure to get the spacing correct if un-commenting):
#    -
#        Name: Recycle Bin Data Files
#        Category: FileDeletion
#        Path: RecycleBin_DataFiles.tkape
#    -
#        Name: Outlook PST and OST Files
#        Category: Communications
#        Path: OutlookPSTOST.tkape
#    -
#        Name: Cloud Storage User Files
#        Category: Apps
#        Path: CloudStorage_All.tkape
#
# You can easily determine the number and size of files that will be returned by running the target with the KAPE simulate flag (--sim).
# Example: kape.exe --tsource c: --tdest D:\Temp\ --target CloudStorage_All --sim
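Before shipping a compound target like the one above to a collection host, it is worth checking that every sub-target it references actually exists in the Targets folder, since the Name and the Path do not always match (RemoteAccess points at RemoteAdmin.tkape, for example) and a commented-out entry must stay excluded. The following Python is an added example and is not part of KAPE or of this target file; it implements a hand-rolled parser for the flat key/value and `-` list subset of YAML that compound targets use (so it needs no PyYAML), and the sample text and temporary targets folder it checks against are constructed for the demonstration.

```python
"""Parse a KAPE compound target (.tkape) and check its sub-target references.

Added example, not KAPE project code. Handles only the flat key/value and '-'
list subset of YAML used by compound targets; '#' comment lines are skipped,
so commented-out targets (e.g. CloudStorage_All) never become active entries.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample: an abridged copy of !SANS_Triage.tkape.
SAMPLE_TKAPE = """\
Description: SANS Triage Collection
Author: Mark Hallman
Version: 1.5
Id: 1bfbd59d-6c58-4eeb-9da7-1d9612b79964
RecreateDirectories: true
Targets:
    -
        Name: Antivirus
        Category: Antivirus
        Path: Antivirus.tkape
    -
        Name: RemoteAccess
        Category: ApplicationLogs
        Path: RemoteAdmin.tkape
    -
        Name: ThumbCache
        Category: FileKnowledge
        Path: Thumbcache.tkape
# Omitted because it can return large amounts of data:
#    -
#        Name: Cloud Storage User Files
#        Category: Apps
#        Path: CloudStorage_All.tkape
"""


def parse_compound_target(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (header, targets): top-level keys, and one dict per '-' entry."""
    header: Dict[str, str] = {}
    targets: List[Dict[str, str]] = []
    in_targets = False
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        if line == "Targets:":
            in_targets = True
            continue
        if in_targets and line == "-":
            if current:
                targets.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        (current if in_targets else header)[key.strip()] = value.strip()
    if current:
        targets.append(current)
    return header, targets


def check_targets(targets: List[Dict[str, str]], targets_dir: str) -> List[str]:
    """Report missing keys, non-.tkape Paths, duplicate Paths, and Paths that do
    not resolve to a file anywhere under targets_dir (case-insensitive, as on NTFS)."""
    findings: List[str] = []
    seen = set()
    on_disk = {f.lower() for _root, _dirs, files in os.walk(targets_dir) for f in files}
    for i, t in enumerate(targets):
        name = t.get("Name", f"#{i}")
        for key in ("Name", "Category", "Path"):
            if key not in t:
                findings.append(f"{name}: missing {key}")
        path = t.get("Path", "").lower()
        if not path.endswith(".tkape"):
            findings.append(f"{name}: Path {path!r} is not a .tkape file")
        if path in seen:
            findings.append(f"{name}: duplicate Path {path!r}")
        seen.add(path)
        if path not in on_disk:
            findings.append(f"{name}: {t.get('Path')!r} not found under {targets_dir}")
    return findings


def run_demo() -> List[str]:
    """Check SAMPLE_TKAPE against a constructed Targets folder that deliberately
    lacks Thumbcache.tkape, so exactly one finding is expected."""
    _header, targets = parse_compound_target(SAMPLE_TKAPE)
    with tempfile.TemporaryDirectory() as d:
        for sub in (("Antivirus", "Antivirus.tkape"), ("Apps", "RemoteAdmin.tkape")):
            os.makedirs(os.path.join(d, sub[0]), exist_ok=True)
            open(os.path.join(d, *sub), "w").close()
        return check_targets(targets, d)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `check_targets` at a real KAPE Targets folder to validate a compound target before a collection; the `--sim` run described above then tells you how much data the resolved sub-targets would return.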