import LnkParse3 from hashlib import sha1 from evtx import PyEvtxParser import json import glob import os # Look at strange LNK files (USB Exfiltration screams at opened file) def parse_link(): base = "Kape_Acquisition/C/Users/intern/AppData/Roaming/Microsoft/Windows/Recent/" for f in glob.glob(base + '*.lnk'): with open(f, 'rb') as fp: lnk = LnkParse3.lnk_file(fp) print(f'=== {os.path.basename(f)} ===') print(lnk.get_json()) # Get login time def get_login_events(): parser = PyEvtxParser("Kape_Acquisition/C/Windows/System32/winevt/logs/Security.evtx") for record in parser.records_json(): data = json.loads(record['data']) event = data.get('Event', {}) eid = event.get('System', {}).get('EventID') if str(eid) == '4624': ed = event.get('EventData', {}) user = ed.get('TargetUserName', '') logon_type = ed.get('LogonType') time = event.get('System', {}).get('TimeCreated', {}).get('#attributes', {}).get('SystemTime') if 'intern' in user.lower(): print(f"Time: {time} | User: {user} | LogonType: {logon_type}") def get_flag(): logon_time = "2026-03-08T11:33" filename = "Budgets_2025.txt" usb_label = "MyUSBKey2" format = f"{filename};{usb_label};{logon_time}".encode() print(f"INS{{{sha1(format).hexdigest()}}}") get_flag()