ProgramExecution

CompoundCompoundv1

Author: Max Zabuty

description

Program Execution Triage Collection

includes (11)

Amcache 4 paths →

AppCompatPCA 1 paths →

Prefetch 2 paths →

RecentFileCache 2 paths →

Syscache 2 paths →

PowerShellTranscripts 6 paths →

PowerShellConsole

WBEM 2 paths →

WER 5 paths →

WindowsTimeline 1 paths →

JumpLists 2 paths →

NETCLRUsageLogs 2 paths →

paths

29 pathsfrom 11 targets

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Collection Script
# Target: ProgramExecution (Compound Target)
# Use KAPE for compound target collection:
# kape.exe --tsource C: --tdest D:\Evidence --target ProgramExecution

Write-Host "For compound targets, use KAPE directly for best results." -ForegroundColor Yellow

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

Note: This is a compound target that references 12 other targets. KAPE will automatically collect all referenced artifacts.

› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

Collecting different artifacts related to program execution on the host