₳Ⱡ₥Ø₲

Results 35 comments of ₳Ⱡ₥Ø₲

It would be very useful if avml would support multipart upload using PUT without saving it to local disk first.

Added _UNICODE_STRING length checks. ProcessParameters.CommandLine introduced 2 "false positives" on my test:
```
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.pebmasquerade | jq 'map(select(.Notes != "OK"))'
Volatility 3 Framework 2.26.2...
```

Removed the Notes column and the path extracted from cmdline, and added 2 boolean columns for the length checks.
```
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.malware.pebmasquerade --pid 12372
Volatility 3...
```

Maybe this plugin can be enhanced to list the actual call stack?

```
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/deleted_proc_dump.raw -r json linux.process_spoofing --pid 4868
Volatility 3 Framework 2.26.2
/home/ubuntu/Dev/volatility3/volatility3/framework/deprecation.py:105: FutureWarning: This plugin (PluginRequirement) has been renamed and will be removed in the first...
```

```
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/deleted_proc_dump.raw linux.malware.process_spoofing --pid 4868
Volatility 3 Framework 2.26.2
Progress:  100.00               Stacking attempts finished
PID    PPID    Exe_Basename    Cmdline_Basename    Comm    Cmdline_Spoofed    Comm_Spoofed    Exe_Deleted
4868   4633    copied_bash (deleted)...
```
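Added example, not code from volatility3 and not part of the comment above: a user-mode approximation of the three checks whose results appear as the `Cmdline_Spoofed`, `Comm_Spoofed` and `Exe_Deleted` columns in that output. The logic is an assumption about what those columns mean, not the plugin's own implementation: argv[0]'s basename is compared with the executable's basename, `comm` is compared with the executable's basename truncated to the kernel's 15-character limit, and the ` (deleted)` suffix the kernel appends to `/proc/<pid>/exe` marks an unlinked binary. The `ProcInfo` fields and the sample processes are constructed here so the code runs offline; `read_live` shows where the same fields come from on a running Linux host.

```python
import os
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"   # appended by the kernel to /proc/<pid>/exe when the file is unlinked
COMM_MAX = 15                   # TASK_COMM_LEN is 16, so comm holds at most 15 visible characters


@dataclass
class ProcInfo:
    """Per-process fields the checks need, mirroring /proc/<pid>/{exe,cmdline,comm}."""
    pid: int
    ppid: int
    exe: str       # target of the /proc/<pid>/exe symlink
    cmdline: str   # raw /proc/<pid>/cmdline content, argv separated by NUL bytes
    comm: str      # /proc/<pid>/comm without the trailing newline


def split_exe(exe: str) -> tuple[str, bool]:
    """Return (basename of the executable, whether the kernel marked it deleted)."""
    deleted = exe.endswith(DELETED_SUFFIX)
    path = exe[: -len(DELETED_SUFFIX)] if deleted else exe
    return os.path.basename(path), deleted


def argv0_basename(cmdline: str) -> str:
    """Basename of argv[0]; an empty cmdline (kernel thread, zombie) yields ''."""
    argv0 = cmdline.split("\0", 1)[0]
    return os.path.basename(argv0)


def analyze(p: ProcInfo) -> dict:
    """Produce one row with the same columns as the plugin output quoted above (assumed semantics)."""
    exe_base, deleted = split_exe(p.exe)
    cmd_base = argv0_basename(p.cmdline)
    return {
        "PID": p.pid,
        "PPID": p.ppid,
        "Exe_Basename": exe_base + (DELETED_SUFFIX if deleted else ""),
        "Cmdline_Basename": cmd_base,
        "Comm": p.comm,
        # argv[0] is fully caller-controlled: execve() lets the parent pass any string
        "Cmdline_Spoofed": cmd_base != exe_base,
        # comm is set from the exe basename at exec time but can be rewritten via prctl(PR_SET_NAME)
        "Comm_Spoofed": p.comm != exe_base[:COMM_MAX],
        "Exe_Deleted": deleted,
    }


def suspicious(procs: list[ProcInfo]) -> list[dict]:
    """Rows where at least one of the three flags is set."""
    rows = (analyze(p) for p in procs)
    return [r for r in rows if r["Cmdline_Spoofed"] or r["Comm_Spoofed"] or r["Exe_Deleted"]]


def read_live(pid: int) -> ProcInfo:
    """Collect the same fields from a running system (Linux only, needs /proc)."""
    base = f"/proc/{pid}"
    with open(f"{base}/stat") as f:
        # comm in /proc/<pid>/stat is parenthesised and may contain spaces, so split after the ')'
        ppid = int(f.read().rsplit(")", 1)[1].split()[1])
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().decode(errors="replace")
    with open(f"{base}/comm") as f:
        comm = f.read().rstrip("\n")
    return ProcInfo(pid, ppid, os.readlink(f"{base}/exe"), cmdline, comm)


# Constructed sample processes (not real dump data): one benign, one spoofed in all three ways,
# and one whose long name exercises the 15-character comm truncation without being flagged.
SAMPLE = [
    ProcInfo(1200, 1, "/usr/bin/bash", "bash\0-c\0sleep 100", "bash"),
    ProcInfo(4868, 4633, "/tmp/copied_bash (deleted)", "/usr/sbin/sshd\0-D", "kworker/0:1"),
    ProcInfo(2210, 1, "/opt/very_long_program_name_here",
             "/opt/very_long_program_name_here\0", "very_long_progr"),
]


if __name__ == "__main__":
    for row in suspicious(SAMPLE):
        print(row)
```

The comparison is deliberately strict, so expect benign hits: a versioned interpreter binary (`exe` basename `python3.11`, `comm` `python3`) trips `Comm_Spoofed`, as does any daemon that renames its threads with `prctl(PR_SET_NAME)`. Treat the flags as triage hints to be read alongside the parent process and the on-disk file, not as verdicts.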

@tclahr sounds interesting; however, a triage should consist of both artifact YAML files and attack techniques that are described in MITRE, for example. So generally such a profile would be...

Yes, compound artifacts is what I meant, and afterwards you can put a folder dedicated to compound artifacts (e.g. `persistence.yaml`). Technically it can also replace the profiles capability if you create...

hello @tclahr - bumpy

I understand, but that means you won't have a single `etc.yaml` anymore? Or you will, and then for a profile such as ir_triage you will have to include the targeted...