WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

--lateral-all does not return correct output when mode set to JSON #78

Closed grants235 closed 2 years ago

grants235 commented 2 years ago

There is an issue with the --lateral-all flag when used in conjunction with the --json flag. The results do not contain any of the eventId 4624 logon events. When using the hunt functionality, I am able to use the --lateral-all flag and can see that a specific event log contains multiple logons, as can be seen when the output is left to the default ASCII tables. Then, using the exact same command but adding the --json flag, the logon events are no longer reported.

Please take a look into this. Thanks!

fscc-alexkornitzer commented 2 years ago

Hi @grants235,

This is a known issue with v1 and is not easy to fix due to the reasons listed in #59. For that reason this issue has been addressed in v2 and is currently available as an alpha (#77).