Open DavidSanchezGracia opened 2 weeks ago

Hi everyone,
First of all, thank you a lot for developing such an awesome artifact; I am really excited to test this on real cases.
While I was testing this artifact I tried executing it with different Categories and realized that the artifact didn't really take them into account. For example, I would remove all Categories but "User Activity" and receive results for all the available Categories instead of just for the one I was looking for.
I repeated the test several times by including only "Executables", "AntiVirus" or "EventLogs", and in all of them Windows.Registry.Hunter just gathered all the Categories available by default.
Thank you for your help

Yes, you are right. The idea of splitting it into categories came from the recmd batch files that I used to bootstrap this project, but in reality it seems rather redundant because it's already fast enough to collect everything. I just didn't find the need to restrict collection by category.
Of course the categories are useful later for post-processing and filtering.
What advantage do you see in filtering collection by category?

Hi again,
I have a series of hunts designed to collect different information from Windows endpoints, and I put a lot of focus on keeping them as fast as possible while also obtaining as much relevant info (in my opinion) as possible. The lightweight hunt takes just 5 minutes to run, and this new artifact looks promising, but I would like to make sure that the minute it takes to run is worth it.
So what I am doing at the moment is identifying which of the data collected in each category of this artifact could actually substitute for other artifacts, for example comparing the performance and output of just executing this artifact with the Category "Services" against Windows.System.Services. If Windows.System.Services is faster or provides more info, it is not really worth acquiring that info using the Registry Hunter, so in those situations I would prefer to be able to just remove it from the Categories selection.
Anyway, I consider that if there is an option to edit the categories when editing the parameters, it should have an impact on the artifact execution. If you consider that it is not useful, I advise removing that section from the Parameters.
Have a nice day