Files
Anthropic-Cybersecurity-Skills/skills/triaging-windows-with-kape/references/api-reference.md
T
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

3.1 KiB

KAPE Command Reference

KAPE has two execution phases: Target (collection) and Module (processing). Switches use -- prefix. kape.exe is the CLI; gkape.exe is the GUI.

Target (collection) switches

Switch Required Description
--tsource yes Source drive/volume to copy from (e.g. C:, D:, F:\)
--target yes Target/compound target name(s), comma-separated (e.g. KapeTriage, !SANS_Triage, RegistryHives,EventLogs)
--tdest yes Destination directory for collected files
--tflush no Delete contents of --tdest before copy
--vss no Process all Volume Shadow Copies on --tsource (default false)
--vhdx <name> no Create a VHDX container from --tdest; value is a base identifier, not a filename
--vhd <name> no Create a VHD container instead of VHDX
--zip <name> no Create a ZIP of the collection
--zv no Add --tdest to container then delete originals (true/false)

Module (processing) switches

Switch Required Description
--module yes Module/compound module name(s) (e.g. !EZParser, PECmd, MFTECmd)
--mdest yes Destination for parsed module output (CSV/JSON/HTML)
--msource no Source data for processing (defaults to --tdest if collecting+processing)
--mflush no Delete contents of --mdest before processing
--mef no Module export format override

Global / utility switches

Switch Description
--sync Update Targets and Modules from the KapeFiles GitHub repo
--tlist List all available Targets
--mlist List all available Modules
--gui Open progress in GUI window when launched from CLI
--debug Verbose debug logging
--trace Even more verbose tracing

Example command lines

REM Triage collection
kape.exe --tsource C: --target KapeTriage --tdest E:\out\tdest --tflush

REM Collection with VSS + VHDX container
kape.exe --tsource C: --target !SANS_Triage --tdest E:\out\tdest --vss --vhdx HOST01 --tflush

REM Process an existing collection with all EZ Tools
kape.exe --msource E:\out\tdest\C --mdest E:\out\mdest --module !EZParser --mflush

REM Collect and parse in one run
kape.exe --tsource C: --target KapeTriage --tdest E:\out\tdest --mdest E:\out\mdest --module !EZParser --tflush --mflush

Batch mode

Place a _kape.cli file beside kape.exe. Each non-comment line is one full argument set; run kape.exe with no args to execute all lines. Variables: %d = KAPE directory, %m = machine name.

--tsource C: --target KapeTriage --tdest %d\Disk\%m --vhdx %m

Config file types

Extension Purpose
.tkape Target definition (what to collect)
.mkape Module definition (how to process)
_kape.cli Batch command file

Output logs (chain of custody)

  • <timestamp>_CopyLog.csv — every file copied with source/dest and SHA-1
  • <timestamp>_ConsoleLog.txt — full console output
  • <timestamp>_SkipLog.csv — files skipped and why