Running Kape modules on a live system #613
-
|
Hi I usually run KAPE targets on a remote computer via CrowdStrike RTR for offline forensics however I wanted to know if anyone just runs KAPE modules on a live remote system then collects the output for analysis if the physical files are not needed. TIA! |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 3 replies
-
|
Sure why not? Easy way to automate threat hunting. |
Beta Was this translation helpful? Give feedback.
-
|
In terms of forensics, would it be better to run KAPE the way I've been doing it which is to collect the artifacts, zip then send to Azure for offline analysis? |
Beta Was this translation helpful? Give feedback.
-
|
That all depends on whether or not you have a need to look at the source artifacts at some point in the future. From my perspective, data storage is cheap enough that collecting the source artifacts allows you to easily reproduce things because you've preserved the source of where your data came from. When you only run modules you lose that ability. So in the end there is a trade-off and/or balance that you need to establish between what your goals are |
Beta Was this translation helpful? Give feedback.
-
|
That is my thought also. I guess I was just worried about response time and when to run targets or modules on a remote system. I also wanted to hear from other people on how they are using the output logs that KAPE creates. I just started using the json output so I can upload it into Splunk and query on it but I'm still learning Splunk and how it ingest the json data from KAPE. Maybe using CSV in Splunk is easier? What are there other tools people are using to analyze KAPE output other than TimeLine Explorer which is great. I've also started looking into SOF-ELK to use for the KAPE output. |
Beta Was this translation helpful? Give feedback.
-
|
Just my thoughts, I'd much rather pull back actual files and process on the back end so you're not using client's resources to do the processing. Plus, what if you need to dive into the source files yourself, like Eric mentioned? I'd much rather have that actual Registry hive rather than the batch file output, which filters out 99% of the stuff in the Registry (because 99% of that is useless). There is a good chance there is 1 or more relevant things that the batch files aren't capturing, given the nature of how quickly things move in this space. Source files >>> in pretty much every scenario, IMO. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your input :) |
Beta Was this translation helpful? Give feedback.
That all depends on whether or not you have a need to look at the source artifacts at some point in the future. From my perspective, data storage is cheap enough that collecting the source artifacts allows you to easily reproduce things because you've preserved the source of where your data came from. When you only run modules you lose that ability.
So in the end there is a trade-off and/or balance that you need to establish between what your goals are