For any file examined, look for alternate data streams and also pull the first X bytes of the stream. Running hunts on the first X bytes would help determine if...
Examine and report on WMI filters, consumers, and bindings. Fields: timestamp device_domain device_name wmi_filter wmi_consumer wmi_binding
Pull info on and hunt for Bitsadmin persistence. Fields: timestamp device_domain device_name default_hash job_id display_name transfer_type account_domain account_name priority files_transferred files_total bytes_transferred bytes_total creation_time modified_time minimum_retry_delay no_progress_timeout proxy_usage proxy_list proxy_bypass_list transient_error_count detail
More interesting directories: Drive roots, Temp directories, Root of every user's profile, Public profile, Each user's MyDocuments and Downloads, ProgramData, AppData, Windows root directory ...
Fields (not all fields will apply to all browsers' extensions): timestamp device_domain device_name default_hash extension_id name description key version permissions default_locale update_url homepage_url options_page web_accessible_resources content_security_policy web_url path dev_tools_page offline_enabled...
There are three issues open with the winreg crate that would help this tool do more. 1. Identify registry keys of type REG_LINK 2. Read registry key ACLs (resolve any...
Need to figure out a way to keep the TCP conn open for the entire run of the tool when network output is specified. Wasteful having all the TCP conn...
Figure out how to properly specify command line switch requirements so that "--all" has to be specified along with a specific and/or custom hunt; etc.
Having trouble understanding how to get and print entries in a Registry path ACL. Hoping you could provide an example? Thanks for any help and time. I get the below...