Matthew Green

Results 30 comments of Matthew Green

nice one @coloradosarge! For anyone copy and pasting: you will need to add "" around the author field and fix the file_last_modified field timestamp typo when adding this artifact.

Sorry I missed this. I haven't tested mounting and running the artifacts on a VR Kapefiles collection but knowing the locations they should mostly work. I will see if I...

We could probably also make the powershell for CheckOneByteChanges native VQL and do the comparisons in memory to not write .mem and .disk as tempfiles. Maybe that's a v2...

@scudette maybe we should add in the device path conversion exports into the VAD artifact (or another main project artifact) so we can import them easily?

https://sigmahq.io/docs/meta/correlations.html Reading the sigma spec - there doesn't look like too many options for stateful process detections that we can do in vql wrt hierarchy

Looks like a shell version thing? I vaguely remember some similar issue on LNK files

we might also want to test these too: https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/LNK

I would lean towards having multiple filter options. So we can have a blacklist of artifacts, and allow folks to add their own to the blacklist on collection. But also...