Phill Moore

Results 29 comments of Phill Moore

> Do we know if the new UAL format has been updated in SOF-ELK? this is an example of the new CSV "RecordType","CreationDate","UserIds","Operations","AuditData","ResultIndex","ResultCount","Identity","IsValid","ObjectState" I just processed logs exported from...

https://invictus-ir.medium.com/automated-forensic-analysis-of-google-workspace-859ed50c5c92

Also relevant research for hunting for phishing emails. Suggest creating separate pages within the repo and linking so things don't get too big

https://github.com/LetsDefend/Phishing-Email-Analysis

@AndrewRathbun randomly checked this pull request and @EricZimmerman has mentioned he'll write a parser ;)

@Karneades suggest testing this https://github.com/strozfriedberg/sidr and then writing a module for that. I'll test it out next week during class, and make a module if you don't

I haven't done any more on this. Was just testing actions and documenting what I saw

https://www.youtube.com/watch?v=HzuVhbpO_go

You open the automaticdestination file as an OLE Container, find the Destlist, parse each record in the destlist, and lookup the requisite LNK file in the OLE container. So you...

Workaround for now would be: Collect all CHM files and then use HH.exe to decompile them and scan offline