
Results 214 velociraptor issues

Review implementation for https://www.zerofox.com/blog/the-registry-hives-you-may-be-msix-ing-registry-redirection-with-ms-msix/

Very low prio request but would be cool to be able to flag CHM files that contain executable file formats. Example of malicious use case: https://www.docguard.io/microsoft-compiled-html-help-chm-using-in-spearphishing-attack/. More research required to...

Hi, during the forensics process, a host/hypervisor Velociraptor does not do forensics for the docker image filesystem. For example:
* acquire bash history from the docker image.
* reveal crontab...

```sql
LET X = 1
LET F(Y) = if(condition=TRUE, then={ SELECT Y + 2 FROM scope()})
SELECT F(Y=X) FROM scope()
```
Results in an error because it is unable to...

Quarantine of a Windows client fails if the client disabled local rule merging of firewall rules. According to Microsoft, "Administrators may disable LocalPolicyMerge in high-security environments to maintain tighter control...

As shown in https://github.com/Velocidex/velociraptor/issues/2542#issuecomment-1661984038. It would be nice to have the option when creating a Velociraptor collection to delete the ZIP file after the collection is finished, whether it is...

Would be great to have an OLE plugin to use to parse Jumplists and other OLE containers directly. This is probably already here somewhere because there's the olevba plugin, would...

Looking at the Windows.Registry.NTUSER artifact, it would be great to have it updated to do an API read of HKU first, and then only raw read the hives that aren't...

Have seen this quite a lot, but have not got a good idea as to why this occurs. ![image](https://github.com/Velocidex/velociraptor/assets/1241363/a537baf9-d0c4-4f53-a01a-726ca8d2f8af) This is a client running 0.6.8-2 (server 0.6.9). It can receive...

It would be great if the default "LIMIT 50" was configurable. At the very least 50 is way too small for a default, 500 or even 5000 would be better....