swisscom/Invoke-Forensics

Passing module variables via Invoke-Kape?

Closed this issue · 2 comments

Loving Invoke-Kape, but struggling to figure out if/how I can pass module variables, specifically the EvtxECmd "inc" and "sd" variables, like I can use them with EvtxECmd.exe or KAPE by defining/calling variables.

Basically recreating something like this example via Invoke-Kape -Module EvtxECmd -mvars ???:

.\EvtxECmd.exe -d d:\evtx_source --csv d:\evtx_output --sd 2023-08-01 --inc 4624,4625

Thank you!

Hi @secure-cake,

You can already use -mvars with Invoke-Kape, but unfortunately it was only visible in the code and not in the readme. Fixed that. It's the same behavior as in KAPE itself; see the KAPE documentation on how to use it. Just pass the same to Invoke-Kape.

If more questions come up, don't hesitate to ask.

Thank you very much, @Karneades! I created an "EvtxECmd-Triage" module with a command line including "--sd %startdate% --inc %includedevents%" and then invoked it as below. WORKED SWIMMINGLY!!!

$startdate = '2023-08-01'
$includedevents = '1102,4104,4720,4625,400,600'
Invoke-Kape -msource D:\cases\test_case\STA1\uploads\auto\C%3A -mdest d:\cases\test_case\sta1_output1\sta1-evtx -Module EvtxECmd-Triage -mvars startdate:$startdate^includedevents:$includedevents
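The thread shows the -mvars string being assembled by hand as "name:value^name:value". The following is an added example, not code from the Invoke-Forensics project or from either participant, that builds that caret-separated string from a hashtable so additional variables can be added without editing the string by hand, and rejects names or values that would break the format. The module name EvtxECmd-Triage, its %startdate% and %includedevents% placeholders, the paths and the Invoke-Kape parameters are taken from the thread; the helper function New-KapeModuleVars and its validation rules are assumptions for illustration.

```powershell
# Added example (not from the Invoke-Forensics project or the issue authors).
# Builds the KAPE-style "name:value^name:value" module-variable string from a
# hashtable. Module name, placeholders and paths are from the thread; the
# helper itself and its validation are assumptions for illustration.

function New-KapeModuleVars {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [hashtable]$Variables
    )

    # Sort keys so the resulting string is deterministic (handy for logging
    # exactly what was passed to a triage run).
    $pairs = foreach ($key in ($Variables.Keys | Sort-Object)) {
        $value = [string]$Variables[$key]

        # ':' separates a name from its value and '^' separates pairs, so a
        # name may contain neither; a value may contain ':' (e.g. a path) but
        # not '^'. Commas in a value, as in an event ID list, are fine.
        if ($key -match '[:^]') {
            throw "Module variable name '$key' must not contain ':' or '^'."
        }
        if ($value -match '\^') {
            throw "Value for module variable '$key' must not contain '^'."
        }

        '{0}:{1}' -f $key, $value
    }

    $pairs -join '^'
}

# Same two variables the EvtxECmd-Triage module in this thread expects
# (%startdate% and %includedevents%).
$mvars = New-KapeModuleVars -Variables @{
    startdate      = '2023-08-01'
    includedevents = '1102,4104,4720,4625,400,600'
}

# Pass the assembled string quoted via a variable, so PowerShell never has a
# chance to reinterpret any character in it. Requires the Invoke-Forensics
# module (which provides Invoke-Kape) to be imported.
Invoke-Kape -msource 'D:\cases\test_case\STA1\uploads\auto\C%3A' `
            -mdest   'D:\cases\test_case\sta1_output1\sta1-evtx' `
            -Module  EvtxECmd-Triage `
            -mvars   $mvars
```

Adding a further variable to the module's command line (for example an end date for --ed) is then a matter of adding one more key to the hashtable and the matching %placeholder% to the module's .mkape, with the caret-separated string regenerated automatically.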