theflakes
Thanks for this great crate. Using it in a forensic file tool here: https://github.com/theflakes/fmd I'm trying to figure out how to query the optional_header for this: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR Trying to identify...
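The question above is about reading the optional header's data directory to find IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (index 14, the CLR header that marks a .NET assembly). The following is an added, crate-independent example written for this page, not code from the crate or from fmd; it walks the PE headers with `struct` using the documented offsets (NumberOfRvaAndSizes at 92/108 and the DataDirectory array at 96/112 for PE32/PE32+) and refuses to read past either the declared directory count or SizeOfOptionalHeader, since a packed or truncated header may carry fewer than 15 entries. `build_minimal_pe` is a constructed header-only sample for testing and is not a real binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # index into the optional header's DataDirectory array
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def com_descriptor_entry(data: bytes):
    """Return (VirtualAddress, Size) of DataDirectory[14], or None when the file
    has no such entry. Malformed headers yield None instead of raising so a
    bulk scanner keeps going."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    if opt + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dir_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dir_off = 108, 112
    else:
        return None                                      # ROM image or garbage
    if count_off + 4 > size_of_optional_header:
        return None
    number_of_rva_and_sizes = struct.unpack_from("<I", data, opt + count_off)[0]
    # Both the declared count and the declared header size must cover index 14.
    if IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR >= number_of_rva_and_sizes:
        return None
    entry_off = dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry_off + 8 > size_of_optional_header or opt + entry_off + 8 > len(data):
        return None
    return struct.unpack_from("<II", data, opt + entry_off)


def is_dotnet(data: bytes) -> bool:
    """A non-zero COM descriptor (RVA and size) means the image carries a CLR header."""
    entry = com_descriptor_entry(data)
    return entry is not None and entry[0] != 0 and entry[1] != 0


def build_minimal_pe(pe32plus: bool, com_rva: int = 0, com_size: int = 0, n_dirs: int = 16) -> bytes:
    """Constructed sample for testing: DOS stub + PE signature + COFF + optional header,
    no sections. n_dirs sets NumberOfRvaAndSizes independently of the bytes present."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    count_off, dir_off = (108, 112) if pe32plus else (92, 96)
    opt = bytearray(dir_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, count_off, n_dirs)
    struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, com_rva, com_size)
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe(True, com_rva=0x2008, com_size=0x48)
    print("COM descriptor:", com_descriptor_entry(sample), "dotnet:", is_dotnet(sample))
```

On a real file, replace the constructed sample with `open(path, "rb").read()`; the RVA returned still has to be mapped through the section table before the CLR header itself can be read.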
Force wrapping of text in scans with very long comma separated lists of IPs
Would like to be able to export findings in different formats. Would also like to select which findings categories to export.
How do I tell if a reg key is a REG_LINK? I apologize if I’m missing something simple. Thanks
Is there a way to read the ACL entries attached to a registry key?
Registry malicious trickery and Reghide.exe: https://www.tripwire.com/state-of-security/mitre-framework/evade-detection-hiding-registry/ Key is created here on x64 Windows: HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\WOW6432Node\Systems Internals\Can’t touch me! I can use error catching with a match statement to find this evil...
MS doc: https://learn.microsoft.com/en-us/windows/win32/menurc/string-str?redirectedfrom=MSDN Yara rule support for field: https://yara.readthedocs.io/en/v3.2.0/modules/pe.html This is a useful field in threat hunting and forensics in general. thanks
See: https://github.com/SigmaHQ/sigma/blob/b4cb047ae720b37b11f8506de7965dc29d5920be/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
detection:
    selection1:
        TargetObject|contains:
            - 'Software\Microsoft\Office\'
            - '\Outlook\Today\'
    selectionStamp:
        EventType: SetValue
        TargetObject|endswith: Stamp
        Details: DWORD (0x00000001)
    selectionUserDefined:
        TargetObject|endswith: UserDefinedUrl
    filter_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common...
Verify Sigma to Wazuh field name mappings
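The Sigma excerpt quoted above and the field-mapping concern in the following issue are easiest to check by running the selections over a few registry events. The example below is added for this page and is not the Sigma project's or Wazuh's code: it implements the visible `contains`/`endswith`/`startswith` modifiers (case-insensitive, list means OR, as Sigma specifies) over constructed Sysmon-style records. The rule's `condition` line is not part of the quoted excerpt, so the one used here is an assumption; only the first `filter_office` path is included because the second is truncated on the page; and the Wazuh-style key names in `ASSUMED_WAZUH_FIELD_MAP` are placeholders that must be verified against the real decoder output, which is exactly the check the next issue asks for.

```python
# Selections exactly as quoted; the condition below is assumed (not in the excerpt).
RULE = {
    "selection1": {"TargetObject|contains": ["Software\\Microsoft\\Office\\", "\\Outlook\\Today\\"]},
    "selectionStamp": {"EventType": "SetValue",
                       "TargetObject|endswith": "Stamp",
                       "Details": "DWORD (0x00000001)"},
    "selectionUserDefined": {"TargetObject|endswith": "UserDefinedUrl"},
    "filter_office": {"Image|startswith": ["C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"]},
}


def _match_value(field_value: str, modifier, pattern: str) -> bool:
    fv, p = field_value.lower(), pattern.lower()          # Sigma string matching is case-insensitive
    if modifier is None:
        return fv == p
    if modifier == "contains":
        return p in fv
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "endswith":
        return fv.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, event: dict, field_map=None) -> bool:
    """All keys in a selection must match (AND); a list of patterns is OR.
    field_map translates Sigma field names to the keys the event source actually uses."""
    field_map = field_map or {}
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field_map.get(field, field))
        if value is None:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(str(value), modifier or None, p) for p in patterns):
            return False
    return True


def evaluate(event: dict, field_map=None) -> bool:
    m = {name: selection_matches(sel, event, field_map) for name, sel in RULE.items()}
    # Assumed condition: selection1 and 1 of (selectionStamp, selectionUserDefined) and not filter_office
    return m["selection1"] and (m["selectionStamp"] or m["selectionUserDefined"]) and not m["filter_office"]


# Constructed Sysmon EID 13 style events (not real telemetry).
TODAY_KEY = "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Office\\16.0\\Outlook\\Today\\"
EV_URL_SET = {"EventType": "SetValue", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe",
              "TargetObject": TODAY_KEY + "UserDefinedUrl", "Details": "http://example.invalid/today.html"}
EV_STAMP_SET = {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
                "TargetObject": TODAY_KEY + "Stamp", "Details": "DWORD (0x00000001)"}
EV_OFFICE_ITSELF = {"EventType": "SetValue",
                    "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
                    "TargetObject": TODAY_KEY + "UserDefinedUrl", "Details": "http://example.invalid/today.html"}
EV_UNRELATED = {"EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
                "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x",
                "Details": "C:\\x.exe"}

# Assumed Wazuh-style key names: verify against the real Sysmon decoder before relying on them.
ASSUMED_WAZUH_FIELD_MAP = {"EventType": "win.eventdata.eventType", "Image": "win.eventdata.image",
                           "TargetObject": "win.eventdata.targetObject", "Details": "win.eventdata.details"}
EV_URL_SET_WAZUH = {ASSUMED_WAZUH_FIELD_MAP[k]: v for k, v in EV_URL_SET.items()}


def run_samples():
    """Returns which constructed events the rule flags, with and without the field map."""
    return {
        "url_set": evaluate(EV_URL_SET),
        "stamp_set": evaluate(EV_STAMP_SET),
        "office_itself": evaluate(EV_OFFICE_ITSELF),
        "unrelated": evaluate(EV_UNRELATED),
        "url_set_wazuh_unmapped": evaluate(EV_URL_SET_WAZUH),
        "url_set_wazuh_mapped": evaluate(EV_URL_SET_WAZUH, ASSUMED_WAZUH_FIELD_MAP),
    }


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:24} -> {'ALERT' if hit else 'no match'}")
```

The unmapped Wazuh-shaped event silently produces no match rather than an error, which is why a field-name mapping has to be verified with a known-positive event and not just by eye.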
https://docs.rs/base64/latest/base64/