# KAPE Evidence of Execution Target
# Collects Windows execution artifacts
[target]
name = "KAPE_EvidenceOfExecution"
description = "Windows evidence of execution artifacts (Prefetch, ShimCache, BAM/DAM, etc.)"
category = "windows"
priority = "high"
# Module that gathers the execution artifacts themselves.
modules = ["windows/execution"]
# Registry module, listed as optional; it is included for AppCompatCache (ShimCache).
# NOTE(review): BAM/DAM and UserAssist are registry-resident as well. Confirm that
# "windows/execution" already collects the hives they need; if an optional module can
# be skipped, the artifacts named in `description` may be only partly covered.
modules_optional = ["windows/registry"]
# Supplementary patterns, on top of whatever the listed modules define.
# NOTE(review): what these are matched against (file names, full paths, artifact
# strings) is not visible in this file. A hit shows a name with that extension; it
# does not show that the file ran or that its content matches the extension.
[[patterns]]
name = "Executable File"
type = "regex"
# Literal string, so the regex needs no TOML escaping. The extension list is fixed:
# other launchable types (.msi, .cpl, .hta, .lnk, ...) fall outside it, and "\.com$"
# also fits host names ending in ".com" if the input is free text. Confirm both.
pattern = '\.(?:exe|dll|sys|scr|com)$'
case-insensitive = true
[[patterns]]
name = "Script File"
type = "regex"
# Extension-at-end match for script types, written as a literal string so the regex
# needs no TOML escaping. Not covered by this list: .psm1, .vbe, .jse, .hta.
# NOTE(review): "\.js$" also fits web asset names, so this may be noisy if the input
# includes browser cache paths or URL strings; confirm the intended input.
pattern = '\.(?:bat|cmd|ps1|vbs|js|wsf)$'
case-insensitive = true
# Summary signature: counts rows in pattern_matches per pattern_name, keeping only
# names that contain Prefetch, ShimCache, BAM, UserAssist or JumpList, and sorts the
# result by count, highest first.
# NOTE(review): the two patterns defined in this file ("Executable File" and
# "Script File") contain none of those substrings, so their hits never appear in this
# summary. The rows depend on pattern names defined elsewhere (presumably by the
# modules); confirm those names against the LIKE filters.
# NOTE(review): a pattern named only "DAM" or "AppCompatCache" would not pass the
# filters. An artifact with zero matches yields no row, so a missing row does not
# tell "not collected" apart from "collected, no hits".
[[signatures]]
name = "Execution Artifacts Summary"
query = "SELECT pattern_name, COUNT(*) as count FROM pattern_matches WHERE pattern_name LIKE '%Prefetch%' OR pattern_name LIKE '%ShimCache%' OR pattern_name LIKE '%BAM%' OR pattern_name LIKE '%UserAssist%' OR pattern_name LIKE '%JumpList%' GROUP BY pattern_name ORDER BY count DESC"