-
If you run it like this, then the extended disk appears, but if you run a full-fledged script through PowerShell, nothing happens.
good > C:\MemProcFS-Analyzer-v1.0\Tools\MemProcFS>MemProcFS.exe -de…
-
I'm trying to download the binary to run in my lab. I don't understand the reason, but very stupidly every time I unzip the ZIP my Windows automatically deletes the zircolite .EXE (I have disabled Def…
-
Trying to get across the need for Windows event logging and Sigma rules with our new SIEM. I need to add all the Windows rules to a "use cases" spreadsheet. Ideally, something like this -
sigma …
-
When running Zircolite on a Linux Triage Package it does not parse audit logs with a number at the end. An example of one that does work is audit.log. One that does not work is audit.log.1 however whe…
-
Hey, there is no possibility to forward the events using --remote to a Splunk-specific index. Is there any way to do that with the --remote option?
Thanks in advance
-
Not sure if there is a more proper fix. I was looking at the 3CX Sigma rules
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_malware_3cx_compromise_susp_dll.yml
…
-
Hi,
I'm trying to produce a use case of processing key assets for an IR in Zircolite and uploading to TS for timeline analysis, I've tried using the template with outputting to CSV and unable to ha…
-
I am importing a JSON file from Splunk and trying to analyze it. My detected_events.json shows empty. Do I need the EVTX, or is it because of the Splunk export?
-
I've got a huge amount of event logs to process with Zircolite and put into Elasticsearch. It's an amazing tool, but the Elasticsearch connector/exporter seems to lock up on me more often than not.
…
-
Hi, I have an error with the script during the drive creation.
Content of the log file:
```txt
**********************
Windows PowerShell transcript start
Start time: 20221204065248
Username: C…