Matthew Green
Sys vs System is another bugbear of mine. I like something simple like: OS.Type.SubDescriptor, but we don't need to be limited to 3 descriptions either.
Just a note to also add partition images or an offset in case our mmls equivalent does not work.
We already have VT hash lookup on the server side with Server.Enrichment.Virustotal. Similar (although not an endorsed workflow) is [Server.Enrichment.Virustotal.FileScan](https://docs.velociraptor.app/exchange/artifacts/pages/server.enrichment.virustotal.filescan).
This is what Server.Enrichment.Virustotal is for. Collect Autoruns > reduce/dedup > enrich with VT lookups.
Need to refactor the appcompat artifact. It currently uses the Velociraptor regparser, which is incomplete. Probably best to refactor and implement a binary_parse for this feature. https://github.com/mandiant/ShimCacheParser/blob/master/ShimCacheParser.py
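As an added illustration of what a binary parser for this data has to handle (example code written for this note, not code from Velociraptor or from the linked ShimCacheParser), the following Python walks the Windows 10 layout of the AppCompatCache registry value: a header whose first DWORD gives the header size, followed by entries that each start with the `10ts` signature, a CRC32, and an entry length, then a UTF-16LE path, a FILETIME last-modified timestamp and a variable-length data blob. The blob it parses is constructed inline with `build_sample_blob` so the script runs offline; the CRC field is read but not validated here, and the entry-body layout is the one documented by ShimCacheParser, stated as an assumption rather than taken from this issue.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN10_MAGIC = b"10ts"                     # per-entry signature, Windows 10 format
ENTRY_HEADER = struct.Struct("<4sII")     # magic, crc32, length of the entry body
KNOWN_HEADER_SIZES = (0x30, 0x34)         # pre- and post-Creators Update headers


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100ns ticks since 1601-01-01 UTC) to UTC datetime.
    A zero FILETIME is treated as 'no timestamp', which does occur in real caches."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_win10_appcompatcache(blob):
    """Parse a Windows 10 AppCompatCache value into a list of dict entries.
    Raises ValueError on unknown headers or truncated data instead of
    silently returning partial results, so a collector can flag the host."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold a header size")
    (header_size,) = struct.unpack_from("<I", blob, 0)
    if header_size not in KNOWN_HEADER_SIZES:
        raise ValueError(f"unknown AppCompatCache header size 0x{header_size:x}")
    if blob[header_size:header_size + 4] != WIN10_MAGIC:
        raise ValueError("first entry does not carry the 10ts signature")

    entries = []
    off = header_size
    while off + ENTRY_HEADER.size <= len(blob):
        magic, crc32, entry_len = ENTRY_HEADER.unpack_from(blob, off)
        if magic != WIN10_MAGIC:
            break                          # trailing padding / end of cache
        body_start = off + ENTRY_HEADER.size
        body = blob[body_start:body_start + entry_len]
        if len(body) != entry_len:
            raise ValueError(f"truncated entry at offset {off}")

        (path_len,) = struct.unpack_from("<H", body, 0)
        pos = 2
        path = body[pos:pos + path_len].decode("utf-16-le", "replace")
        pos += path_len
        (last_modified,) = struct.unpack_from("<Q", body, pos)
        pos += 8
        (data_len,) = struct.unpack_from("<I", body, pos)
        pos += 4
        data = body[pos:pos + data_len]

        entries.append({
            "index": len(entries),        # cache order is the only ordering evidence
            "path": path,
            "last_modified": filetime_to_datetime(last_modified),
            "crc32": crc32,                # recorded, not validated in this example
            "data": data,
        })
        off = body_start + entry_len
    return entries


# ---- constructed sample data (not from a real host) ----
def _build_entry(path, filetime, data=b""):
    encoded = path.encode("utf-16-le")
    body = (struct.pack("<H", len(encoded)) + encoded
            + struct.pack("<Q", filetime) + struct.pack("<I", len(data)) + data)
    return ENTRY_HEADER.pack(WIN10_MAGIC, 0, len(body)) + body


def build_sample_blob(header_size=0x34):
    """Two-entry cache: one with a real FILETIME (2021-01-01T00:00:00Z), one with zero."""
    header = struct.pack("<I", header_size).ljust(header_size, b"\x00")
    return (header
            + _build_entry(r"C:\Windows\System32\cmd.exe", 132539328000000000, b"\x01\x00")
            + _build_entry(r"C:\Users\Public\tool.exe", 0))


if __name__ == "__main__":
    for e in parse_win10_appcompatcache(build_sample_blob()):
        print(e["index"], e["last_modified"], e["path"])
```

Because the entry length is carried in each header, the same loop skips over data blobs of any size, and a truncated or corrupted value is reported rather than producing a short, misleading list of executables.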
Added better formatting output - https://github.com/Velocidex/velociraptor/pull/1892
Yes - the idea is to remove the need to run 3rd party scripts/tools for injection detection/leads. Another capability to replicate would be hollows_hunter.
definition and example: https://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html
A few more links: https://docs.fileformat.com/web/chm/ https://pkg.go.dev/github.com/microsoft/go-winio/wim/lzx https://learn.microsoft.com/en-us/previous-versions/windows/desktop/htmlhelp/to-decompile-a-compiled-help-file-from-the-command-line
Instead of individual artifacts, we should look at making a generic one and have these inside. Maybe do a csv list that includes type then have a specific vql workflow...