Modules Suggestion
KAPE version 1.3.0.2
Is your feature request related to a problem? Please describe.
I've created some modules and updated some other existing ones which I would like to propose in the hope of contributing to this great project. I developed a collection tool during my time in military service, where we could not use any external tools, and I found that some stuff I created has been added a year ago, so I've missed my opportunity with them; however, there could be some other contributions.
Describe the solution you'd like
I've attached a ZIP containing my modules. Although some of them already exist, I believe that my method could be more comprehensive or perhaps more reliable.
For example, my "PowerShell_Processes" module was created differently; then I found that this kind of module exists and is named "PowerShell_ProcessList_WMI", but it misses things such as parsing the creation date, encoding, and added parentheses for folder paths to allow it to run on paths that have a SPACE in them. I also changed the hash to SHA1 to make it a bit more efficient and quick.
That's just one example, but some other modules also contain relevant modifications or implementations. Generally, I also suggest adding encoding when exporting to CSV / JSON and using parentheses for paths.
There is another module I wanted to create for something I've been doing myself in my collector but I could not implement it in KAPE, I want to execute the following command with PowerShell to parse USN Journal efficiently:
fsutil usn readJournal C: csv | Select-Object -Skip 7 | Out-File -Encoding UTF8 -FilePath '%destinationDirectory%\USN Journal.csv'
I wonder if you can try to give it a go and make it work.
Additional context
Windows Modules.zip
Have an awesome day, Max.
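A module definition wrapping the fsutil command above, added here as an illustration and not taken from the issue's ZIP or from the KAPE repository; the file name (USNJournal_fsutil.mkape), Category, Id and BinaryUrl are assumptions:

```yaml
# USNJournal_fsutil.mkape (assumed file name; example module, not part of the KAPE repository)
Description: USN Journal ($J) of the live C: volume exported to CSV with fsutil
Category: FileSystem
Author: example module, not from the KAPE repository
Version: 1.0
Id: 00000000-0000-0000-0000-000000000000   # placeholder; generate a real GUID before use
# fsutil ships with Windows, so the URL is informational only
BinaryUrl: https://learn.microsoft.com/windows-server/administration/windows-commands/fsutil-usn
ExportFormat: csv
Processors:
    -
        Executable: PowerShell.exe
        # fsutil reads the live volume, so this module only makes sense when KAPE runs
        # elevated on the host itself; it does not parse a $J that was collected into
        # %sourceDirectory% (use the MFTECmd module for that case).
        # -Skip 7 drops the banner lines fsutil prints before the CSV rows (7 in the
        # issue's command); -Encoding UTF8 keeps non-ASCII file names intact.
        # The whole value is a single-quoted YAML scalar because it contains ": " and "#";
        # the doubled '' inside it are the PowerShell single quotes around the path,
        # which let the destination directory contain spaces.
        CommandLine: '-ExecutionPolicy Bypass -Command "fsutil usn readJournal C: csv | Select-Object -Skip 7 | Out-File -Encoding UTF8 -FilePath ''%destinationDirectory%\USN Journal.csv''"'
        ExportFormat: csv
```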
I would suggest you do a PR for your new/changed things for us to review. That's how it's usually done.
Why not just use the existing module for $J processing using MFTECmd?
@EricZimmerman Will do the PR thing. Regarding the Journal, the MFTECmd is great, the method I suggested could be a good local bin alternative and it is also specific for that very purpose so it could be useful. Just a suggestion :)