From b124213fe94dffb8c2862de2d5941cbbe23d02d2 Mon Sep 17 00:00:00 2001
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Wed, 23 Oct 2024 17:33:41 -0700
Subject: [PATCH 1/3] CertUtil artifacts analyzer.
---
 Modules/Apps/GitHub/CertUtil_Parser.mkape | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 Modules/Apps/GitHub/CertUtil_Parser.mkape
diff --git a/Modules/Apps/GitHub/CertUtil_Parser.mkape b/Modules/Apps/GitHub/CertUtil_Parser.mkape
new file mode 100644
index 000000000..b2291f62b
--- /dev/null
+++ b/Modules/Apps/GitHub/CertUtil_Parser.mkape
@@ -0,0 +1,18 @@
+Description: A Module to parse Certutil activity
+Category: Windows
+Author: DReneau
+Version: 1.0
+Id: 7d18d1ad-13b5-435c-a5f1-063093e39646
+BinaryUrl: https://github.com/AbdulRhmanAlfaifi/CryptnetURLCacheParser/releases/tag/1.1/CryptnetUrlCacheParser.exe
+ExportFormat: csv
+Processors:
+ - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: "& \"%kapeDirectory%\\Modules\\bin\\CryptnetUrlCacheParser.exe\" -o \"%destinationDirectory%\\Certutil_Parsed.csv\""
+ ExportFormat: csv
+
+# Documentation
+# https://u0041.co/posts/articals/certutil-artifacts-analysis/
+# https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+# https://thinkdfir.com/2020/07/30/certutil-download-artefacts/
+# Certutil is a Windows utility used by threat actors to download arbitrary files/tools using Land Binary (LOLBin) techniques.
+# Certutil can also be used to base64 encode/decode and calculate file hashes.
From c6625f5610a812fd07fbc2aa08e53d72d1f9bb1c Mon Sep 17 00:00:00 2001
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Wed, 23 Oct 2024 17:35:32 -0700
Subject: [PATCH 2/3] Windows 11 Notepad TabState parser.
---
 Modules/Apps/GitHub/Notepad_Parser.mkape | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 Modules/Apps/GitHub/Notepad_Parser.mkape
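Review bot: The BinaryUrl on the sixth added line points at a release tag page (`.../releases/tag/1.1/CryptnetUrlCacheParser.exe`) rather than at the release asset, so the download will not yield the binary; the Notepad module in this same series uses the asset form `.../releases/download/<tag>/<file>`, and this line should follow it, e.g. `BinaryUrl: https://github.com/AbdulRhmanAlfaifi/CryptnetURLCacheParser/releases/download/1.1/CryptnetUrlCacheParser.exe` (constructed from the two URLs on the page; confirm the exact asset name on that release). The same BinaryUrl line survives unchanged as context in PATCH 3/3, so it needs fixing there too. Separately, the documentation comment reads `Land Binary (LOLBin)`, which drops the first half of the term; it should read `Living Off the Land Binary (LOLBin)`.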
diff --git a/Modules/Apps/GitHub/Notepad_Parser.mkape b/Modules/Apps/GitHub/Notepad_Parser.mkape
new file mode 100644
index 000000000..2252f0053
--- /dev/null
+++ b/Modules/Apps/GitHub/Notepad_Parser.mkape
@@ -0,0 +1,18 @@
+Description: A Module to parse (Windows 11+) Notepad TabState files.
+Category: Windows
+Author: DReneau
+Version: 1.0
+Id: b5a8a229-4897-4bda-a8f0-f2246362664f
+BinaryUrl: https://github.com/AbdulRhmanAlfaifi/notepad_parser/releases/download/v0.1.0/notepad_parser.exe
+ExportFormat: json
+Processors:
+ - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+ CommandLine: "Get-ChildItem -Recurse '%sourceDirectory%' -Filter '*.bin' | Where-Object { $_.FullName -like '*Microsoft.WindowsNotepad_8wekyb3d8bbwe\\LocalState\\TabState*' } | ForEach-Object { $outputFile = Join-Path '%destinationDirectory%' ([System.IO.Path]::GetFileNameWithoutExtension($_.FullName) + '.json'); $tempFile = Join-Path '%destinationDirectory%' ([System.IO.Path]::GetFileNameWithoutExtension($_.FullName) + '_temp.json'); & '%kapeDirectory%\\Modules\\bin\\notepad_parser.exe' \"$($_.FullName)\" -f jsonl -o $tempFile; if (Test-Path $outputFile) { Remove-Item $outputFile }; Rename-Item $tempFile $outputFile }"
+ ExportFormat: json
+
+# Documentation
+# https://u0041.co/posts/articals/exploring-windows-artifacts-notepad-files/
+# Windows 11 Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data.
+# This parser written by AbdulRhman Alfaifi will parse the Windows 11 Notepad cache, specifically the TabState.
+# The Notepad artifacts are stored here: "%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad _8wekyb3d8bbwe\LocalState"
+
From 54f5c105304146bc2370634b7de6b445434c1122 Mon Sep 17 00:00:00 2001
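Review bot: The last documentation comment gives the artifact location as `Microsoft.WindowsNotepad _8wekyb3d8bbwe` with a stray space before the underscore, while the Where-Object filter on the CommandLine matches `Microsoft.WindowsNotepad_8wekyb3d8bbwe`; the comment should use the same package name as the filter so an examiner who copies it gets a path that resolves. The parser is run with `-f jsonl`, yet each output is named `.json` and the processor declares `ExportFormat: json`; if the tool emits JSON Lines, naming the files `.jsonl` (or stating the line-delimited format in the comment) will stop downstream tooling from reading them as a single JSON document. The powershell.exe invocation also runs without `-NoProfile`, so any profile script on the examiner workstation executes before the parser; whether KAPE lets a module prepend that switch depends on how it composes CommandLine, which this hunk does not show.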
From: DReneau <53024966+DReneau@users.noreply.github.com>
Date: Wed, 23 Oct 2024 18:22:06 -0700
Subject: [PATCH 3/3] Update CertUtil_Parser.mkape
Removed use of PowerShell to call .exe.
---
 Modules/Apps/GitHub/CertUtil_Parser.mkape | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Modules/Apps/GitHub/CertUtil_Parser.mkape b/Modules/Apps/GitHub/CertUtil_Parser.mkape
index b2291f62b..ec2414593 100644
--- a/Modules/Apps/GitHub/CertUtil_Parser.mkape
+++ b/Modules/Apps/GitHub/CertUtil_Parser.mkape
@@ -6,8 +6,8 @@ Id: 7d18d1ad-13b5-435c-a5f1-063093e39646
 BinaryUrl: https://github.com/AbdulRhmanAlfaifi/CryptnetURLCacheParser/releases/tag/1.1/CryptnetUrlCacheParser.exe
 ExportFormat: csv
 Processors:
- - Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- CommandLine: "& \"%kapeDirectory%\\Modules\\bin\\CryptnetUrlCacheParser.exe\" -o \"%destinationDirectory%\\Certutil_Parsed.csv\""
+ - Executable: CryptnetUrlCacheParser.exe
+ CommandLine: "-o \"%destinationDirectory%\\Certutil_Parsed.csv\""
 ExportFormat: csv
 
 # Documentation
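Review bot: The new CommandLine passes only an output path (`"-o \"%destinationDirectory%\\Certutil_Parsed.csv\""`) and never references `%sourceDirectory%`, so unless CryptnetUrlCacheParser.exe defaults to the collected triage data, the module parses the CryptnetUrlCache of the machine running KAPE rather than the evidence set; if the tool exposes an input-path option, pass `%sourceDirectory%` through it, and if it does not, state in the documentation comment that the module is only meaningful when run on the subject host. The original form of this line in PATCH 1/3 had the same gap, so this is not a regression of this commit. Dropping powershell.exe is itself a good simplification; the bare `Executable: CryptnetUrlCacheParser.exe` relies on KAPE resolving it from Modules\bin, which this hunk cannot confirm.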