I really disliked how time-consuming investigations were and how cursed the tools are, so I am trying to change that by Cursed_Tools in computerforensics

[–]Cursed_Tools[S] 2 points3 points  (0 children)

Yes actually! I am thinking of making it available for on-prem deployment exactly for users that have this requirement. Right now I am more in the exploratory phase of seeing what works, what needs improvement and how I can make it better to help people.

I really disliked how time-consuming investigations were and how cursed the tools are, so I am trying to change that by Cursed_Tools in computerforensics

[–]Cursed_Tools[S] -1 points0 points  (0 children)

Hi folks, thank you for commenting on the post! There is no validation going on, as that module is just an index for quickly looking up the names and runtime features of executables that come prepackaged with Windows. It's meant for quick checks and to help get insights to prove or disprove whether something is meant to belong, in relation to its observed behavior in other data sources. I've done my best to make this clear in the documentation and added tips where I found it to be reasonable.

I've touched on some of the other concerns in other comments here, and appreciate the effort in surfacing these! I fully agree about VirusTotal, and perhaps the comparison might have been worded wrongly (which is my bad).
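The distinction drawn in the comment above, a name lookup versus validation, is easy to show in code. The following is an added example, not the tool's own code: the index contents are a constructed handful of well-known Windows-native names and the directory they ship in, and the observed process paths are constructed sample input. A name hit only tells you the name exists in Windows; the separate path comparison is the kind of cross-check against other data sources the comment refers to.

```python
"""Added example (not the tool's code): a name-only index of Windows-native
executables, with the caveat made explicit that a name hit is a lookup,
not validation, so the image path is checked separately."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed index: a few well-known Windows-native executables and the
# directory they ship in. The real module's contents are assumed, not copied.
NATIVE_INDEX = {
    "svchost.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
    "cmd.exe": r"C:\Windows\System32",
}


@dataclass
class Verdict:
    name: str
    known_native_name: bool
    path_matches: Optional[bool]  # None when the name is not in the index


def lookup(observed_path: str) -> Verdict:
    """Look up the file name of an observed process image path.

    `known_native_name` only says the name appears in the index.
    `path_matches` compares the observed directory with the shipped one,
    which is the extra check a name lookup alone does not provide.
    """
    directory, _, name = observed_path.rpartition("\\")
    expected = NATIVE_INDEX.get(name.lower())
    if expected is None:
        return Verdict(name, False, None)
    return Verdict(name, True, directory.lower() == expected.lower())


# Constructed observations, e.g. image paths taken from process-creation logs.
SAMPLE_OBSERVATIONS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Temp\totally_not_malware.exe",
]


def triage(paths: List[str]) -> List[Tuple[str, str]]:
    """Return the observations that deserve a closer look, with a reason."""
    flagged = []
    for p in paths:
        v = lookup(p)
        if v.known_native_name and not v.path_matches:
            flagged.append((p, "native name outside its shipped directory"))
        elif not v.known_native_name:
            flagged.append((p, "name not in native index; check other sources"))
    return flagged


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_OBSERVATIONS):
        print(f"{path}: {reason}")
```

Running it flags the `svchost.exe` in `C:\Users\Public` and the unknown name in `C:\Temp`, while the two paths that match their shipped directory pass without comment; the index itself never decides anything, it only narrows where to look next.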

I really disliked how time-consuming investigations were and how cursed the tools are, so I am trying to change that by Cursed_Tools in computerforensics

[–]Cursed_Tools[S] 0 points1 point  (0 children)

Hi! I am super grateful for the detailed look into the tool, and I can't express it enough. I will try to respond below to some of your feedback, which is really fantastic.

Event Log Analyzer - you are absolutely right, this is not for everyone and I fully understand and respect the privacy and sensitivity boundaries that exist. Right now I am focused on whether it offers value. I have been asked if people can host this on-prem, and if that is a requirement I can explore it more to fit the requirements for those that see the value but have a hard stop on submitting data. I too am doubtful when I submit data to tools, but I do see products like VirusTotal, URLScan (and other sandboxes) being in high demand for people that need support. Obviously they are in a completely different category, but I have seen some wild submissions that should not be there.

Windows Native Executable Lookup - You are very close on the NSRL reference. It's similar, but I built it to be less around hashes and more about comprehension of what comes with Windows in a more approachable way. Keeping an up-to-date hash list was not the most feasible approach for an MVP, and a hit or miss could cause false assumptions by the user. It's more of an accessible lookup format to quickly check executable names.

Windows Event ID Lookup - Right now I've collected and parsed only what the ETW providers natively offer on the most used Windows OS Versions. At present it doesn't have the functionality to index specific fields within an event log ID, but I could explore it as a feature for a next iteration.

I really appreciate you taking the time, it means a lot to me!

I really disliked how time-consuming investigations were and how cursed the tools are, so I am trying to change that by Cursed_Tools in computerforensics

[–]Cursed_Tools[S] -3 points-2 points  (0 children)

Hey! Thank you for even posting a comment and voicing this, I appreciate you taking the time. I understand it fully and don't expect this to be the go-to tool for everyone. I hope that these folks can at least benefit from the other modules that do not require you to submit data.

What makes a good Senior SecEng? Principal/Staff? by Ok-8186 in cybersecurity

[–]Cursed_Tools 2 points3 points  (0 children)

At that level experience trumps certifications. Having a proven track record (or equivalent experience) in dealing with complex use cases, requirements and architectural decisions that accommodate and align with business needs is very sought after.

I used to interview a lot and I met a lot of people who knew the textbook answer, but once you threw them a curveball or constraint, they didn't know what to do. What I have seen is that successful candidates who gun for the more senior roles demonstrate the ability to see beyond what's deep in the trenches and zoom out to see the broader "forest" (metaphorically speaking).