Velocidex / registry_hunter

Hunt the windows Registry automatically using VQL
MIT License

Categories parameter issue #9

Open DavidSanchezGracia opened 2 weeks ago

DavidSanchezGracia commented 2 weeks ago

Hi everyone,

First of all, thank you a lot for developing such an awesome artifact, I am really excited to test this on real cases.

While I was testing this artifact I tried executing it with different Categories and realized that the artifact didn't really take them into account. For example, I would remove all Categories but "User Activity" and receive results for all the available Categories instead of just for the one I was looking for.

I repeated the test several times by just including "Executables", "AntiVirus" or "EventLogs" and in all of them Windows.Registry.Hunter just gathered all the Categories available by Default.

Thank you for your help

scudette commented 2 weeks ago

Yes, you are right. The idea of splitting it into categories came from the recmd batch files that I used to bootstrap this project, but in reality it seems rather redundant because it's already fast enough to collect everything. I just didn't find the need to restrict collection by category.

Of course the categories are useful later for post processing and filtering.

What advantage do you see in filtering collection by category?

DavidSanchezGracia commented 2 weeks ago

Hi again,

I have a series of hunts designed to collect different information from Windows endpoints, and I put a lot of focus on keeping them as fast as possible while also obtaining as much relevant info (in my opinion) as possible. The lightweight hunt just takes 5 minutes to run, and this new artifact looks promising, but I would like to make sure that the minute it takes to run is worth it.

So what I am doing at the moment is identifying which of the data collected in each category of this artifact could actually substitute other artifacts, for example comparing the performance and output of just executing this artifact with the Category "Services" against Windows.System.Services. If Windows.System.Services is faster or provides more info, it is not really worth it to acquire that info using the Registry Hunter, so in those situations I would prefer to be able to just remove it from the Categories selection.

Anyway, I consider that if there is an option to edit the categories in the Parameter edition, it should have an impact on the artifact execution. If you consider that it is not useful, I advise removing that section from the Parameters.

Have a nice day