Update Advanced.md
wagga40 committed Apr 6, 2024
1 parent f010e23 commit aad1e34
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions docs/Advanced.md
Expand Up @@ -26,8 +26,8 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l

```shell
find <CASE_DIRECTORY> -maxdepth 1 -mindepth 1 -type d | \
parallel --bar python3 zircolite.py --evtx {} \
--ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
parallel --bar python3 zircolite.py -e {} \
-r rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
```

One downside of this mode is that if you have less computer evidences than CPU Cores, they all will not be used.
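Review bot: the rewritten `parallel` command mixes flag styles: `--evtx` and `--ruleset` become the short `-e` and `-r`, but `--outfile` stays in long form on the same line. Pick one style for the documented invocation (either all short or all long), and confirm that `-e` and `-r` are accepted as aliases by the Zircolite version these docs target, since the previous long-form command was the one readers have been copying.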
Expand All @@ -37,9 +37,9 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
You can use this mode when you have a lot of aggregated EVTX coming from multiple computers. It is generally the case when you use WEF/WEC and you recover the EVTX files from the collector. This mode will create one result file per EVTX.

```shell
find <CASE_DIRECTORY> -type f -name "*.| \
parallel -j -1 --progress python3 zircolite.py --evtx {} \
--ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
find <CASE_DIRECTORY> -type f -name "*.evtx" \
parallel -j -1 --progress python3 zircolite.py -e {} \
-r rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
```

In this example the `-j -1` is for using all cores but one. You can adjust the number of used cores with this arguments.
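Review bot: the new `find` line fixes the broken `-name "*.| \` quoting but drops the pipe: `find <CASE_DIRECTORY> -type f -name "*.evtx" \` now continues straight onto the `parallel ...` line, so `parallel` and everything after it are passed as arguments to `find` instead of receiving its output. It should read `find <CASE_DIRECTORY> -type f -name "*.evtx" | \` to match the first example, which keeps its `| \`.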
Expand Down Expand Up @@ -360,4 +360,4 @@ Basically, if you want to integrate Zircolite with **DFIR Orc** :
Some other tools (mostly untested) have included a way to run Zircolite :

- [Kape](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape) has a module for Zircolite : [here](https://github.com/EricZimmerman/KapeFiles/tree/master/Modules/Apps/GitHub)
- [Velociraptor](https://github.com/Velocidex/velociraptor) has an artifact for Zircolite : [here](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.zircolite/)
- [Velociraptor](https://github.com/Velocidex/velociraptor) has an artifact for Zircolite : [here](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.zircolite/)
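Review bot: the removed and added Velociraptor lines are identical as rendered, so this hunk is a whitespace-only change (trailing whitespace or end-of-file newline). Harmless, but worth a mention in the commit message so reviewers do not look for a content difference that is not there.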
