theflakes

Results 29 issues of theflakes

Right now we'll search a given sub key and all keys underneath it will be recursed by default. Add a command line option to only search to a depth of...

enhancement
help wanted
good first issue

Update hunts' regex error output to specify which regex failed to compile.

enhancement
good first issue

This would be especially useful for registry keys whose ACLs have been maliciously modified to prevent access. See: https://github.com/trailofbits/windows-acl Code example: https://github.com/trailofbits/windows-acl/blob/master/example/query_acl.rs

enhancement
help wanted

Though the winreg crate supports the REG_LINK type, I cannot find a way to actually identify this type.

enhancement
help wanted

This may require using COM, at least it did with PowerShell. Field names: timestamp device_domain device_name default_hash task_path name status enabled account_domain account_name next_run last_run last_result description run_as_domain run_as_account logon_mode...

enhancement
help wanted

Find and add the device's primary IP to every json log generated. Primary IP is the IP of the adapter used as the default gateway. Field name to use: src_ip

enhancement
help wanted

Run hunts against file content of files that are appropriate for that file type.

enhancement
help wanted

Collect info on default Windows group memberships. Fields: timestamp device_domain device_name default_hash group_name group_type description members sid Collect local user info: timestamp device_domain device_name default_hash account_name event_id full_name sid description...

enhancement
help wanted

Add the following fields to file json logs to hold file ownership information: account_domain account_name

enhancement
help wanted

Not sure how to do this in a performant manner. But, would be nice to have the FN timestamps along with the SI timestamps. Then a simple hunt could be...

enhancement
help wanted