
Feature request: Additional parsers

Open randomaccess3 opened this issue 5 years ago • 7 comments

WBEM repository .JOB files

randomaccess3 avatar Mar 05 '20 03:03 randomaccess3

Can you provide references for those? How useful are they? Should they be prioritized?

scudette avatar Dec 27 '21 06:12 scudette

.JOB files - https://github.com/gleeda/misc-scripts/blob/master/misc_python/jobparser.py

Lowish priority but have seen it used for persistence instead of the standard XML tasks. Unsure whether they're picked up by autoruns.

WBEM repo - I'm still learning about what this holds but there's both persistence, which should be covered already, and CCM RUA. The latter requires shelling out to an external tool. If this artifact exists in an env it's a great program exec artifact.

randomaccess3 avatar Dec 27 '21 07:12 randomaccess3
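For the legacy .JOB format discussed above, here is an added example of what a parser for it looks like; it is not code from this thread, from Velociraptor or from the referenced jobparser.py. It follows the Task Scheduler 1.0 .JOB layout from MS-TSCH section 2.4 (68-byte fixed header, length-prefixed UTF-16LE strings, two length-prefixed blobs, then 48-byte triggers) and decodes the fields an analyst cares about during persistence triage: command line, author, status, last run time, the HIDDEN / RUN_ONLY_IF_LOGGED_ON job flags (values as in mstask.h) and the trigger types. The sample job bytes are constructed by the `build_job` helper so the example runs offline; the paths, author and timestamps in it are invented, as is the `suspicious` triage rule.

```python
import struct
import uuid
from datetime import datetime

# Task Scheduler 1.0 .JOB layout (MS-TSCH section 2.4): a 68-byte FIXDLEN_DATA
# header, then a variable-length section of length-prefixed UTF-16LE strings,
# two length-prefixed blobs and a counted array of 48-byte triggers.
FIXDLEN_SIZE, TRIGGER_SIZE = 68, 48
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}
STATUS_CODES = {0x41300: "SCHED_S_TASK_READY", 0x41301: "SCHED_S_TASK_RUNNING",
                0x41302: "SCHED_S_TASK_DISABLED", 0x41303: "SCHED_S_TASK_HAS_NOT_RUN",
                0x41304: "SCHED_S_TASK_NO_MORE_RUNS", 0x41305: "SCHED_S_TASK_NOT_SCHEDULED"}
# Job flag bits as defined in mstask.h (subset that matters for persistence triage).
JOB_FLAGS = {0x1: "INTERACTIVE", 0x2: "DELETE_WHEN_DONE", 0x4: "DISABLED",
             0x200: "HIDDEN", 0x1000: "SYSTEM_REQUIRED", 0x2000: "RUN_ONLY_IF_LOGGED_ON"}
TRIGGER_FLAG_HAS_END_DATE, TRIGGER_FLAG_DISABLED = 0x1, 0x4


def _utf16(data, pos):
    """Length-prefixed string: u16 char count (NUL included), then UTF-16LE chars."""
    (n,) = struct.unpack_from("<H", data, pos)
    pos += 2
    return data[pos:pos + 2 * n].decode("utf-16-le").rstrip("\x00"), pos + 2 * n


def _blob(data, pos):
    """Length-prefixed bytes (User Data / Reserved Data): u16 length, then bytes."""
    (n,) = struct.unpack_from("<H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def _trigger(data, pos):
    f = struct.unpack_from("<10H4I6H", data, pos)
    size, _, by, bm, bd, ey, em, ed, sh, sm, duration, interval, tflags, ttype = f[:14]
    if size != TRIGGER_SIZE:
        raise ValueError(f"bad trigger size {size} at offset {pos}")
    return {"type": TRIGGER_TYPES.get(ttype, f"UNKNOWN({ttype})"),
            "begin": f"{by:04d}-{bm:02d}-{bd:02d}", "start": f"{sh:02d}:{sm:02d}",
            "end": f"{ey:04d}-{em:02d}-{ed:02d}" if tflags & TRIGGER_FLAG_HAS_END_DATE else None,
            "minutes_interval": interval, "minutes_duration": duration,
            "disabled": bool(tflags & TRIGGER_FLAG_DISABLED)}, pos + TRIGGER_SIZE


def parse_job(data):
    """Parse one .JOB file into the fields an analyst wants for persistence triage."""
    if len(data) < FIXDLEN_SIZE:
        raise ValueError("shorter than FIXDLEN_DATA")
    _product, file_ver = struct.unpack_from("<HH", data, 0)
    if file_ver != 1:
        raise ValueError(f"unexpected .JOB file version {file_ver}")
    (name_off, trig_off, _retry, _retry_iv, _idle_dl, _idle_wait, _priority,
     _max_run_ms, exit_code, status, flags) = struct.unpack_from("<6H5I", data, 20)
    y, mo, _dow, d, h, mi, s, ms = struct.unpack_from("<8H", data, 52)  # SYSTEMTIME
    last_run = None if y == 0 else datetime(y, mo, d, h, mi, s, ms * 1000)  # zeroed: never ran
    pos = FIXDLEN_SIZE + 2  # skip Running Instance Count
    if name_off != pos:  # header offsets must agree with the layout, else the file is mangled
        raise ValueError(f"App Name Len Offset {name_off} != {pos}")
    app, pos = _utf16(data, pos)
    params, pos = _utf16(data, pos)
    workdir, pos = _utf16(data, pos)
    author, pos = _utf16(data, pos)
    comment, pos = _utf16(data, pos)
    _user, pos = _blob(data, pos)
    _reserved, pos = _blob(data, pos)
    if trig_off != pos:
        raise ValueError(f"Trigger Offset {trig_off} != {pos}")
    (ntrig,) = struct.unpack_from("<H", data, pos)
    pos += 2
    triggers = []
    for _ in range(ntrig):
        t, pos = _trigger(data, pos)
        triggers.append(t)
    return {"uuid": str(uuid.UUID(bytes_le=data[4:20])), "application": app, "parameters": params,
            "working_dir": workdir, "author": author, "comment": comment,
            "status": STATUS_CODES.get(status, hex(status)), "exit_code": exit_code,
            "flags": [n for bit, n in JOB_FLAGS.items() if flags & bit],
            "last_run": last_run, "triggers": triggers}


def build_job(app, params, workdir, author, comment, flags, status, last_run, triggers):
    """Serialise a .JOB file; used here only to construct sample input for parse_job."""
    def u16(s):
        return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le") if s else b"\x00\x00"
    st = (0,) * 8 if last_run is None else (last_run.year, last_run.month, last_run.isoweekday() % 7,
          last_run.day, last_run.hour, last_run.minute, last_run.second, last_run.microsecond // 1000)
    body = b"\x00\x00" + b"".join(u16(x) for x in (app, params, workdir, author, comment)) + b"\x00\x00" * 2
    trig = struct.pack("<H", len(triggers)) + b"".join(
        struct.pack("<10H4I6H", TRIGGER_SIZE, 0, *t["begin"], 0, 0, 0, *t["start"],
                    0, t.get("interval", 0), t.get("flags", 0), t["type"], 0, 0, 0, 0, 0, 0)
        for t in triggers)
    head = (struct.pack("<HH", 0x0600, 1) + uuid.uuid4().bytes_le
            + struct.pack("<6H5I", FIXDLEN_SIZE + 2, FIXDLEN_SIZE + len(body), 0, 0, 0, 0,
                          0x20, 72 * 3600 * 1000, 0, status, flags) + struct.pack("<8H", *st))
    return head + body + trig


# Constructed sample (invented paths/author/times): a hidden, logon-triggered job
# of the kind dropped into C:\Windows\Tasks to persist outside the XML task store.
SAMPLE_JOB = build_job(
    app="C:\\Windows\\System32\\cmd.exe", params="/c C:\\ProgramData\\svc\\run.bat",
    workdir="C:\\ProgramData\\svc", author="WORKSTATION\\localadmin", comment="",
    flags=0x200 | 0x2000, status=0x41300, last_run=datetime(2021, 12, 27, 6, 12, 0),
    triggers=[{"type": 7, "begin": (2020, 3, 5), "start": (0, 0)}])


def suspicious(job):
    """Hypothetical triage rule: hidden jobs and jobs that fire at logon or boot."""
    reasons = ["flag HIDDEN"] if "HIDDEN" in job["flags"] else []
    reasons += [f"trigger {t['type']}" for t in job["triggers"]
                if t["type"] in ("EVENT_AT_LOGON", "EVENT_AT_SYSTEMSTART")]
    return reasons


if __name__ == "__main__":
    job = parse_job(SAMPLE_JOB)
    for k, v in job.items():
        print(f"{k:>12}: {v}")
    print("  suspicious:", suspicious(job))
```

The offset checks against App Name Len Offset and Trigger Offset are deliberate: a .JOB file carved from unallocated space or truncated by the collector will fail them rather than produce a plausible-looking but wrong command line. A zeroed SYSTEMTIME in the header is reported as `last_run = None` (the task never ran), which is the case the .JOB persistence worth finding will often be in.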

https://github.com/davidpany/WMI_Forensics/blob/master/CCM_RUA_Finder.py

randomaccess3 avatar Dec 27 '21 07:12 randomaccess3

Looks like the WMI one is only available on SCCM enterprise machines and the job file is an old format. Can you provide sample files? We can easily write a parser for both but need to have something to test on.

scudette avatar Dec 27 '21 07:12 scudette

@mpilking - can I share some of the data from the current/old 508 dataset? CCM RUA is one of those artefacts that, when available, has been invaluable on servers, but it doesn't show up often. .JOB files - I don't see them almost ever, but I believe they were a good way of persisting under the radar where people don't look.

randomaccess3 avatar Jan 21 '22 04:01 randomaccess3

If you want to get some parsers added, it would be really helpful to also include some sample data. We use that to add tests for the parsers and also see what kind of data is available.

scudette avatar Jan 21 '22 04:01 scudette

Yes, you can use what you need. I don't think you'll find anything for the CCM artifact though (we didn't have SCCM running).

mpilking avatar Jan 22 '22 23:01 mpilking