Matthew Green
Add collection of interesting files in FileDelete event type to use with a management configuration. I have specifically targeted executables and added an example of exclusion. As I noticed a lot...
Ensure we have appropriate output for legacy Shimcache. Looks like we need to add an execution flag for older-version OSes.
We would like a VQL native EVTX carver. Scan logical disk using yara for file type headers. Extract bytes and use binary parser for parsing out records/part records. Windows.Carving.USN is...
We would like an injection detection capability. Field ideas: 
I want to mature the index hash capability for discovery and hunting. Adds include: - storing a file header (configurable) - storing hashes (configurable) - storing path - path whitelist...
The workflow of passing results from a cell to a new cell in notebook provides great capability for analysis. Currently we can pass table results with: ``` SELECT * FROM...
I'm extracting physical memory collected with snappy compression and it looks as though this compression method isn't implemented in the Linux binary. Collection: winpmem_v3.3.rc3.exe -dd -o yolo.aff -t -c snappy...
We would like to enable feeding offline Sysmon event logs to the tracker to build process trees / enable filter on specific chains and tracking process attributes. Process tracker was...
Add version information into schema. I added OriginalName, InternalName and FileDescription into VulnerableExecutables and the new ExpectedVersionInformation. The test passed, but let me know if you would prefer a different layout....
macOS has a feature called Endpoint Security (ES) which is similar to ETW and collects telemetry across a range of providers. https://developer.apple.com/documentation/endpointsecurity You can see some examples of this telemetry...