Example: kape-target

Inputs
Profile
Report outputs
- Triage report (converted from triage_report.json)
- CSV outputs

Inputs

examples/inputs/kape-target-samples/browser_artifacts.txt

Profile

# KAPE Target Example
# This example demonstrates using KAPE-style forensic collection profiles
# Uses includes to combine multiple base profiles similar to KAPE targets

# Include base profiles to provide comprehensive forensic coverage
# These profiles include patterns for malware, credentials, and network artifacts
includes = [
  "../../profiles/base/malware.toml",
  "../../profiles/base/credentials.toml",
  "../../profiles/base/network.toml",
  "../../profiles/base/forensics.toml"
]

decode = ["base64"]

tag = "kape-target"

# Additional browser artifact patterns to complement the base profiles
[[patterns]]
  name = "Browser History URL"
  pattern = "https?://[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

[[patterns]]
  name = "Cookie Data"
  pattern = "cookie|session_id|auth_token"
  type = "regex"
  case-insensitive = true

# Windows execution artifacts
[[patterns]]
  name = "Prefetch Reference"
  pattern = "\\.pf$"
  type = "regex"

[[patterns]]
  name = "LNK File"
  pattern = "\\.lnk$"
  type = "regex"

# Registry artifact patterns  
[[patterns]]
  name = "Registry Hive"
  pattern = "NTUSER\\.DAT|SAM|SECURITY|SOFTWARE|SYSTEM"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Run Key"
  pattern = "CurrentVersion\\\\Run"
  type = "regex"
  case-insensitive = true

# Signatures for triage
[[signatures]]
  name = "High Value Artifacts"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Registry Hive', 'Prefetch Reference', 'LNK File', 'Browser History URL')"

[[signatures]]
  name = "Multiple Indicators"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as indicator_count FROM pattern_matches GROUP BY sha256 HAVING indicator_count > 3"

Report outputs

Triage report (converted from triage_report.json)

total_files	1
critical_count	0
high_count	0
medium_count	0
low_count	1
minimal_count	0
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.191952511+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Other	0	False	/browser_artifacts.txt	20	26	16	["26 suspicious patterns detected"]	Low	36	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b

CSV outputs

errors.csv

Empty CSV

files.csv

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/browser_artifacts.txt	browser_artifacts.txt	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T09:19:17.543962359Z	["text/plain"]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Suspicious Registry Autorun	regex	HKCU\Software\Microsoft\Windows\CurrentVersion\Run	21:0	50
2	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	https://example.com/login	5:5	25
3	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	https://mail.google.com/	6:5	24
4	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	https://github.com/user/repo	7:5	28
5	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	http://suspicious-site.example.com/download	8:5	43
6	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Sam	1:2	3
7	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Software	21:5	8
8	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	NTUSER.DAT	22:0	10
9	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	SAM	23:0	3
10	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History	regex	history	1:17	7
11	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History	regex	History	4:11	7
12	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	https://example.com	5:5	19
13	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	https://mail.google.com	6:5	23
14	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	https://github.com	7:5	18
15	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	http://suspicious-site.example.com	8:5	34
16	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	Cookie	10:3	6
17	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	cookie	11:0	6
18	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	session_id	11:8	10
19	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	cookie	12:0	6
20	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	auth_token	12:8	10
21	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	Cookie	13:4	6
22	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Sam	1:2	3
23	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Software	21:5	8
24	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	NTUSER.DAT	22:0	10
25	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	SAM	23:0	3
26	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Run Key	regex	CurrentVersion\Run	21:32	18

signature_matches.csv

id	signature_name	sha256
1	Potential Data Exfiltration	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b
2	Browser Forensic Artifacts	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b
3	High Value Artifacts	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b
4	Multiple Indicators	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	ea5a887633c8bd219c8a6246d47e60595eb51eb0	8319f272c8364b72070c0e7f2aef66de	665	text/plain	5.25520055683943

Keyboard shortcuts

sus - Systematic Universal Scanner - Documentation