Matthew Green

Results: 23 issues by Matthew Green

We would like to run some enumeration capabilities against protected processes with the current plugins/functions. For example: tokens(), threads() and the CTI ETW provider. @bmcder02

Review implementation for https://www.zerofox.com/blog/the-registry-hives-you-may-be-msix-ing-registry-redirection-with-ms-msix/

An interesting phenomenon was pointed out to me today around Universal Windows Platform (UWP), which appear as 0-byte files via the Windows API and in the relevant MFT entry...

Label: enhancement

We regularly collect and process the RDP cache to investigate user activity. A native parsing solution would speed up this process, with output of image files and a collation file for review. https://github.com/ANSSI-FR/bmc-tools...

Looks like we will need to do some refactoring to support offline path reconstruction by mocking the MFT + USN path. https://github.com/Velocidex/velociraptor/blob/62e5c7cdc5cfa69663ca51322bbffefb21809fb8/vql/parsers/usn/usn.go#L59 This might not be trivial, so creating an issue...

We currently have a few artifacts to collect network traffic from the endpoint, but these usually run another tool and are a bit clunky. This feature request is for a...

A common use case for me is YARA targeting logs. I would usually leverage read_lines, but in some cases we may observe a really large line, and YARA is the best capability...

This is a great project. I was wondering if you would also consider adding disk indicators in the future? Here is an example of an MFT search I'm using currently...

Just started checking out this project and it's awesome - thank you! I'm going to test a bunch of UEFI visibility, and this is nicely organised. One request I think...

The base artifacts for Windows.Detection.Webhistory have been deprecated. Need to refactor this for SQLitehunter or hardcode the old artifacts into this. (Likely easiest solution is to hardcode, but will scope.)