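<#
.SYNOPSIS
Executes Kape and Kape modules on a remote device and archives output.
.DESCRIPTION
Collects forensic information from a remote machine, processes modules for additional info. Forensic data is archived to the SOC share.
Requires PowerShell 5.0+ on both ends (Compress-Archive/Expand-Archive), PowerShell Remoting to the target and access to its C$ admin share.
Staging deletes C:\Windows\Temp\kape and C:\Windows\Temp\kapecollector on the target, so output left by an earlier run is lost.
.PARAMETER ComputerName
The device to investigate.
.PARAMETER Collect
Data to collect. All, Basic, Basic+.
.PARAMETER Save
Optional. Location to save forensic data.
.PARAMETER KapePackage
Optional. Path to the zipped collector package that is copied to the target and extracted into C:\Windows\Temp.
.PARAMETER PackageHash
Optional. Expected SHA256 of the collector package. When given, the package is verified before it is deployed, so a modified
collector is not executed on the target.
.EXAMPLE
Invoke-Kape.ps1 -ComputerName Win10Desktop -Collect Basic
.EXAMPLE
Invoke-Kape.ps1 -ComputerName Win10Desktop -Collect Basic -Save C:\users\soc\desktop\evidence\
.AUTHOR
Keyboardcrunch
Created: 8/2/2019
#>
param (
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,
    [string]$Save = "\\SecurityOperations\EVIDENCE",
    [string]$KapePackage = "\\SecurityOperations\Incident Response\Packages\kapecollector.zip",
    [Parameter(Mandatory = $true)]
    [ValidateSet('All','Basic','Basic+')]
    [string]$Collect,
    [string]$PackageHash = ""
)
# Stop on the first failure: running a stale collector or moving a missing archive after a
# failed copy would silently produce wrong or empty evidence.
$ErrorActionPreference = "Stop"
$Banner = "
_____ _
\_ \_ ____ _____ | | _____ /\ /\__ _ _ __ ___
/ /\/ '_ \ \ / / _ \| |/ / _ \_____ / //_/ _` | '_ \ / _ \
/\/ /_ | | | \ V / (_) | < __/_____/ __ \ (_| | |_) | __/
\____/ |_| |_|\_/ \___/|_|\_\___| \/ \/\__,_| .__/ \___|
|_| "
Write-Host $Banner -ForegroundColor Cyan

# Working directory on the target, seen locally (admin share) and remotely (drive path).
$RemoteRoot     = "C:\Windows\Temp"
$AdminShareRoot = "\\$ComputerName\C$\Windows\Temp"

# --target value per collection profile. The module list is the same for every profile.
$Targets = @{
    'All'    = '!ALL'
    'Basic'  = '!BasicCollection'
    'Basic+' = 'Amcache,Chrome,CiscoJabber,CombinedLogs,Edge,EvidenceOfExecution,Firefox,InternetExplorer,McAfee_ePO,MOF,ScheduledTasks,StartupInfo,USBDevicesLogs,WBEM,WebBrowsers,WER,WindowsFirewall'
}
$Modules = 'AmcacheParser,ARPCache,autoruns,Detailed-Network-Share-Access,DNSCache,EvtxECmd,Get-NetworkConnection,IPConfig,NBTStat_NetBIOS_Cache,NBTStat_NetBIOS_Sessions,NetStat,NetworkDetails,PWSH-Get-ProcessList,RDP-Usage-events,RoutingTable,WindowsEventLogs,WxTCmd,PECmd'

# Reachability check is ICMP only: a host that drops ping is reported offline even if remoting works.
if (-not (Test-Connection -ComputerName $ComputerName -Count 2 -Quiet -ErrorAction SilentlyContinue)) {
    Write-Host "$ComputerName is offline!" -ForegroundColor Red
    return
}

# Verify the collector before it is copied to and executed on the target (optional, opt-in via -PackageHash).
if ($PackageHash) {
    $ActualHash = (Get-FileHash -Path $KapePackage -Algorithm SHA256).Hash
    if ($ActualHash -ne $PackageHash) {
        throw "Collector package hash mismatch for $KapePackage (expected $PackageHash, got $ActualHash)."
    }
}

$session = $null
try {
    Write-Host "`t[ INFO ][ Deploying collector..." -ForegroundColor Yellow
    Copy-Item -Path $KapePackage -Destination "$AdminShareRoot\kapecollector.zip" -Force

    # Staging
    Write-Host "`t[ INFO ][ Extracting collector..." -ForegroundColor Yellow
    $session = New-PSSession -ComputerName $ComputerName
    Invoke-Command -Session $session -ArgumentList $RemoteRoot -ScriptBlock {
        param($Root)
        $ErrorActionPreference = "Stop"
        # Ensure kape folders don't exist (this also discards output from any previous run).
        Remove-Item -Path "$Root\kape\" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -Path "$Root\kapecollector\" -Recurse -Force -ErrorAction SilentlyContinue
        # Extract package; the zip is expected to contain a top-level 'kapecollector' folder.
        Expand-Archive -Path "$Root\kapecollector.zip" -DestinationPath "$Root\" -Force
        Remove-Item -Path "$Root\kapecollector.zip" -Force -ErrorAction SilentlyContinue
    }

    # Execution: one remote call, the profile only changes the --target argument.
    Write-Host "`t[ INFO ][ Executing..." -ForegroundColor Yellow
    $CollectCommand = "--tsource C: --tdest $RemoteRoot\kape\collected --tflush --target $($Targets[$Collect]) --mdest $RemoteRoot\kape\processed\ --mflush --module $Modules --mef csv"
    Invoke-Command -Session $session -ArgumentList $RemoteRoot, $CollectCommand -ScriptBlock {
        param($Root, $KapeArgs)
        $ErrorActionPreference = "Stop"
        Set-Location "$Root\kapecollector\"
        # -Wait blocks until kape.exe finishes; -PassThru exposes its exit code so a failed run is visible to the operator.
        $Proc = Start-Process -FilePath "$Root\kapecollector\kape.exe" -ArgumentList $KapeArgs -Wait -PassThru
        if ($Proc.ExitCode -ne 0) {
            Write-Warning "kape.exe exited with code $($Proc.ExitCode); collected data may be incomplete."
        }
    }

    # Wrap-up
    Write-Host "`t[ INFO ][ Compressing evidence..." -ForegroundColor Yellow
    $ArchiveName = Invoke-Command -Session $session -ArgumentList $RemoteRoot -ScriptBlock {
        param($Root)
        $ErrorActionPreference = "Stop"
        # Archive collected data. The name is built from the target's own hostname, which may differ from
        # the -ComputerName the operator typed (FQDN, alias, case), so it is returned to the caller instead
        # of being re-derived locally. An existing archive of the same name is deliberately not overwritten.
        $ArchiveName = "$(hostname)-kape.zip"
        Compress-Archive -Path "$Root\kape\" -DestinationPath "$Root\$ArchiveName" -CompressionLevel Optimal
        # Cleanup
        Remove-Item -Path "$Root\kapecollector\" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -Path "$Root\kape\" -Recurse -Force -ErrorAction SilentlyContinue
        $ArchiveName
    }

    # Collect archive file
    Write-Host "`t[ INFO ][ Archiving evidence..." -ForegroundColor Yellow
    $Destination = Join-Path -Path $Save -ChildPath $ArchiveName
    Move-Item -Path "$AdminShareRoot\$ArchiveName" -Destination $Destination
    # Record the hash of the archive as received so later corruption or tampering of the evidence can be detected.
    $ArchiveHash = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
    Write-Host "`t[ INFO ][ SHA256 $ArchiveHash  $Destination" -ForegroundColor Yellow
    Write-Host "`t[ INFO ][ Done!" -ForegroundColor Green
}
finally {
    # Session cleanup runs on every exit path, including an error thrown mid-collection.
    if ($session) {
        Remove-PSSession -Session $session
    }
}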