KAPE version
1.3.0.2
Describe the bug
Running KAPE with target only in MDE Live Response fails during module validation before collection starts.
Observed error:
Apps/GitHub TruffleHog_Secrets.mkape had validation errors
"Export Format" must not be empty
"Correct the errors and try again. Exiting"
Command line used:
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\Kape\kape.exe --tsource C:\ --tdest "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\Output\KapeTarget" --tflush --target $MFT --vss --vhdx TESTLAB-srv75_20260310T065737Z --ifw --asu "REDACTED" --asc "InvokedByLiveResponseAPI"
Notes:
The module has top-level ExportFormat: json, but the processor entry does not include ExportFormat. It appears validation expects processor-level Export Format as well.
To Reproduce
- Download latest KAPE and run sync to get latest modules.
- Run KAPE with a target-only command (no module explicitly selected), for example:
--tsource C:\ --tdest <output> --tflush --target $MFT --vss --vhdx <name> --ifw --asu <sas> --asc InvokedByLiveResponseAPI
KAPE starts, validates modules, then exits with:
TruffleHog_Secrets.mkape validation error: "Export Format" must not be empty.
Expected behavior
KAPE should complete target collection successfully.
A module that is not explicitly invoked should not cause hard failure, or the module should pass validation if its schema is valid.
In this case, expected result is no validation failure from TruffleHog_Secrets.mkape.
Additional context
Likely introduced in recent KapeFiles change associated with TruffleHog module update.
Suspect the issue also might appear after changes in SSHCommandHunt module, but I have not tested this.
KAPE version
1.3.0.2
Describe the bug
Running KAPE with target only in MDE Live Response fails during module validation before collection starts.
Observed error:
Apps/GitHub TruffleHog_Secrets.mkape had validation errors
"Export Format" must not be empty
"Correct the errors and try again. Exiting"
Command line used:
Notes:
The module has top-level ExportFormat: json, but the processor entry does not include ExportFormat. It appears validation expects processor-level Export Format as well.
To Reproduce
--tsource C:\ --tdest <output> --tflush --target $MFT --vss --vhdx <name> --ifw --asu <sas> --asc InvokedByLiveResponseAPIKAPE starts, validates modules, then exits with:
TruffleHog_Secrets.mkape validation error: "Export Format" must not be empty.
Expected behavior
KAPE should complete target collection successfully.
A module that is not explicitly invoked should not cause hard failure, or the module should pass validation if its schema is valid.
In this case, expected result is no validation failure from TruffleHog_Secrets.mkape.
Additional context
Likely introduced in recent KapeFiles change associated with TruffleHog module update.
Suspect the issue also might appear after changes in SSHCommandHunt module, but I have not tested this.