Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement module variable to support root paths #812

Open
sstraw opened this issue Jun 20, 2023 · 0 comments
Open

Implement module variable to support root paths #812

sstraw opened this issue Jun 20, 2023 · 0 comments
Assignees
@EricZimmerman
Labels
enhancement New feature or request

Comments

@sstraw
Copy link

sstraw commented Jun 20, 2023

KAPE version
1.3.0.2

Is your feature request related to a problem? Please describe.
A number of modules rely on specific folder paths, but because files are copied to separate base directories (C, VSS1, etc), they have no way to actually specify "go parse the file at this path relative to the drive root". A few examples:

  1. NirSoft_BrowsingHistoryView needs the path to the C:\Users folder to exist (%sourceDirectory%\Users)
  2. Winlogbeat_ALL currently uses a FileMask for every single EVTX, but I think would work better if <root>\Windows\System32\winevt\logs\<winlogbeat>.evtx could be specified
  3. SQLite3_TeraCopy_History uses a filemask to parse every single *.db file, which the comments note will be noisy.

Describe the solution you'd like
An additional variable, something like %baseDirectory%, that could be provided to processors.
When the module is called, KAPE would run the processor once for each base directory in msource (C, VSS1, VSS2, etc), with the full path to that "base directory" substituted in for the value.
This would be similar to KAPE running the processor once for each result of a File Mask.

%sourceDirectoryBase% is already defined for modules.

Describe alternatives you've considered
So far I've only come up with 4 solutions, none of which feel "good":

  • Use FileMask with a very wide net, accepting that it will catch lots of things like examples 2 & 3 above. This would cause a lot of calls to the processors for false positives - example 2 probably means 50+ executions of the program for a single file, and 3 would be even worse. This also would generate a lot of extra irrelevant output
  • Have users specify the baseDirectory instead of tdest in msource, as in example 1. This becomes unintuitive - if you check "BrowsingHistory" and "BrowsingHistoryView" as a target&module and hit execute, you don't get browsing history in the module output because the user has to set things up differently
  • Use filemask to find a static file, like $MFT, that can then be used to reference %sourceDirectoryBase%. This achieves the goal, but relies on artifacts being collected that would not make sense to collect for the artifact. Using the previous thought experiment, with "BrowsingHistoryView" you wouldn't get the $MFT necessary as an anchor file.
  • Create a shim script that does this processing for each base directory. This is a workaround I can implement if necessary but it feels goofy/backwards to not just have it handled by KAPE.
@sstraw sstraw added the enhancement New feature or request label Jun 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EricZimmerman EricZimmerman

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@EricZimmerman @sstraw