Commit 2df5a3b

Improvements and updates to many sections (Velocidex#1257)
- Reviewed and improved the "server upgrades" section, in particular to remind users that this is a good opportunity to reissue certs. Also added some information about how this applies to only self-signed and not certutil or self-issued, and how the auto-renewal mechanism works.
- Reviewed and updated the /clients/shell/ page to clarify that Velociraptor does not (currently) provide remote shell sessions on clients - a common misconception. Will need to revise this in the near future to explain the new shell functionality.
- Added sections in "VQL fundamentals" for variables, comparison operators and associated logic. Also added more info regarding quoted strings.
- Added a page about setting up Hugo and the typical docs development workflow.
- Updated test page with some more test content.
- Reviewed and improved the new "Guidelines for artifact contributions" page.
- Made heading level consistent for examples throughout the documentation.
- Improved the styling on link focus, which was specifically making the main menu look a bit weird. Also removed underlining from the menu style.
- Added a troubleshooting page for Collections & Hunts with an initial item for the frequently-encountered grpc size limit error.
- Improved some wording on recently added content.
- Updated info in "Server event queues" to reflect recent changes.
- Updated CLI `fs` commands to reflect recent changes.
1 parent 6c59212 commit 2df5a3b

54 files changed

Lines changed: 1830 additions & 470 deletions

.wordlist.txt

Lines changed: 17 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -2165,7 +2165,24 @@ VelociraptorServer
21652165
<url-free> content/knowledge_base/tips/vql_error_catalogue.md
21662166
--------------------------------------------------------------------------------
21672167
alls
2168+
21682169
severities
21692170
Minio
21702171
SDK
21712172
stdin
2173+
2174+
zcat
2175+
LLMs
2176+
workably
2177+
Backreferences
2178+
CamelCase
2179+
Lookarounds
2180+
PCRE
2181+
comparator
2182+
falsy
2183+
lookahead
2184+
lookaheads
2185+
lookbehind
2186+
storedQuery
2187+
subexpression
2188+
truthy
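Review bot: the new regex terms are added with mixed capitalisation (`Backreferences`, `Lookarounds`, `CamelCase`, `PCRE`) next to lowercase `lookahead`, `lookaheads`, `lookbehind`; if the spellchecker consults this list case-sensitively, the mid-sentence forms "backreferences" and "lookarounds" will still be flagged, so either add the lowercase forms as well or confirm the checker ignores case. `storedQuery` also reads as a code identifier rather than a word; if it only ever appears inside backticks in the new VQL fundamentals content, the checker should already skip it and the entry is unnecessary.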

content/blog/2019/2019-09-11_velociraptor-s-client-side-buffer-3ce03697a4e6/_index.md

Lines changed: 1 addition & 1 deletion
@@ -42,7 +42,7 @@ With the recent Velociraptor release, we can deploy monitoring VQL artifacts whi
4242

4343
Because the file buffer allows the VQL engine to operate even when the client is not online, VQL event monitoring queries are not interrupted and continue to work autonomously without involvement from the server.
4444

45-
#### Example: Office macros on thumb drive
45+
###### Example: Office macros on thumb drive
4646

4747
An example of an event monitoring artifact is the **Windows.Detection.Thumbdrives.List** artifact. This artifact watches for any newly inserted USB thumb drive and simply lists the files on it. In some environments it is interesting to see any newly added files on a USB removable drive.
4848

content/blog/2020/2020-03-07-extending-vql-plugins-7fb004cb6ec4/_index.md

Lines changed: 2 additions & 2 deletions
@@ -46,7 +46,7 @@ While the above method is useful, it can only really wrap existing capabilities
4646

4747
Although VQL already comes with a lot of built in plugins, sometimes what we actually want is not built into Velociraptor itself. This might be because we never thought of the need (please file [a bug for feature requests](https://github.com/Velocidex/velociraptor)!) or because it simply would not make sense to include the functionality directly inside Velociraptor.
4848

49-
### Example List Local Administrator Group Users
49+
###### Example: List Local Administrator Group Users
5050

5151
For example, suppose we wanted to list all the users that belong to the local administrator group on Windows. This information is obviously important because local administrators are extremely powerful accounts, and are sometimes granted to users who need administrator access to their local workstation. Often this access is not recorded or tracked properly. Even worse, sometimes local user accounts are created with local administrator group membership allowing those accounts to be logged into without AD oversight or controls. See [this](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models#on-workstations), and [this](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts) for more information.
5252

@@ -102,7 +102,7 @@ The whole VQL query and included powershell are now wrapped in an artifact, whic
102102
103103
We effectively just extended the capabilities of the endpoint tool without needing to rebuild or deploy a new version of Velociraptor! This allows for unprecedented flexibility in our DFIR work.
104104
105-
### Example — remediation
105+
###### Example: Remediation
106106
107107
For the next example, suppose we discovered a widespread infection within our network. Typically, the malware installs various methods of re-infecting a host, and a common way is to install a malicious service ([See Att&ck Matrix 1035](https://attack.mitre.org/techniques/T1035/)). The Atomic Red Team has an example [simulation](https://github.com/redcanaryco/atomic-red-team/blob/8881bdb0029f186e7e06994e45ab1fb49e7adfa8/atomics/T1035/T1035.md):
108108

content/blog/2020/2020-07-13-velociraptor-in-the-tool-age-d896dfe71b9/_index.md

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ external tools in your artifacts transparently — Velociraptor will
3333
ensure the tool is downloaded to the endpoint if needed and is
3434
available for use in your VQL.
3535

36-
### Example: Hollows hunter
36+
###### Example: Hollows hunter
3737

3838
To illustrate the process, we will use the [hollows hunter
3939
tool](https://github.com/hasherezade/hollows_hunter) as an

content/blog/2020/2020-07-14-triage-with-velociraptor-pt-4-cf0e60810d1e/_index.md

Lines changed: 1 addition & 1 deletion
@@ -100,7 +100,7 @@ reusable VQL in different contexts.
100100

101101
Let’s try to collect the same artifact we did previously — the **hollows hunter** artifact. Just to recap the artifact is shown below
102102

103-
```vql
103+
```yaml
104104
name: Custom.Windows.Detection.ProcessHollowing
105105
description: |
106106
Use hollows_hunter to detect suspicious process injections.
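Review bot: `yaml` is the correct fence for this block, since what starts at `name: Custom.Windows.Detection.ProcessHollowing` / `description: |` is the artifact definition and only the query fields inside it are VQL; the embedded VQL will now be highlighted as a YAML block scalar rather than as VQL, which is acceptable. Check whether the earlier posts in this series that show a whole artifact under a ` ```vql ` fence received the same change, so the convention is consistent across the blog.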

content/blog/2020/2020-08-16-profiling-the-beast-58913437fd16/_index.md

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ Velociraptor exposes this functionality by simply offering the **profile()** VQL
4646

4747
In the following example we examine how profiling can be used to gain an understanding of what is going on under the covers.
4848

49-
### Example — recursive file hash
49+
###### Example: Recursive file hash
5050

5151
To illustrate this process I will launch a CPU heavy collection on my endpoint. I create a new artifact collection of the **Windows.Search.FileFinder** artifacts, searching recursively for all files below *C:\Users* and hashing them all.
5252

content/blog/2021/2021-01-29-disabled-event-log-files-a3529a08adbe/_index.md

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ Windows information security techniques are heavily reliant on the availability
1313

1414
But how reliable really are event logs? I was playing around with the Windows Event Viewer to understand how event logs can be interfered with in practice. We previously covered the general structure of the Windows Event Log system, so you might want to have a quick read of [that post](/blog/2019/2019-11-12_windows-event-logs-d8d8e615c9ca/) before you dive into this one.
1515

16-
### Example: BITS transfer
16+
###### Example: BITS transfer
1717

1818
For this post I will use the example of a BITS transfer using bitsadmin.exe. BITS is a transfer service built into the Windows operating system, normally used to fetch windows (or application) updates. However, is it also commonly used by threat actors to deliver malicious payloads because BITS is typically trusted by endpoint tools (since it is a standard windows service). See [Mitre Att&ck T1197](https://attack.mitre.org/techniques/T1197/).
1919

content/blog/2021/2021-02-02-detecting-dll-hijacking-with-vql-e9a735354257/_index.md

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ One of the simplest technique, is to simply create a DLL with a bunch of forward
2222

2323
In this case, the export table contains a forward entry — i.e. it forwards the loader into another DLL. Nick Landers published a tool to help build such a dll [https://github.com/monoxgas/Koppeling](https://github.com/monoxgas/Koppeling)
2424

25-
### Example Injection
25+
###### Example: Injection
2626

2727
I will use the Koppeling tool above to build a simple DLL forwarder as per the example in the repository.
2828

content/blog/2021/2021-06-09-verifying-executables-on-windows-1b3518122d3c/_index.md

Lines changed: 1 addition & 1 deletion
@@ -70,7 +70,7 @@ As we can see in the above screenshot, the authenticode standard provides an exp
7070

7171
None of the calculated hashes is the same as the “ExpectedHash” provided in the Authenticode signature! This is because Authenticode hashes do not cover the entire PE file, as regular hashes do. Authenticode hashes only cover specific PE sections, in a specific order. They specifically allow PE sections to be reordered, and some regions in the file to be modified.
7272

73-
{{% notice warning %}}
73+
{{% notice info %}}
7474
Many people find it surprising that signed PE files can be modified without invalidating the signature.
7575
{{% /notice %}}
7676

content/blog/2023/2023-01-13-tracking-an-adversary-in-realtime/_index.md

Lines changed: 2 additions & 2 deletions
@@ -18,7 +18,7 @@ engagements when the deployed Endpoint Detection and Response (EDR)
1818
solution lacked certain detection capabilities, or when it was not
1919
deployed.
2020

21-
## Example 1: Track commands
21+
###### Example 1: Track commands
2222

2323
Adversaries often use commands to conduct their malicious
2424
activity. Receiving an alert when these commands are launched is very
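Review bot: `## Example 1: Track commands` and, in the next hunk, `## Example 2: Track compromised accounts` are the two main sections of this post, and demoting them from h2 to h6 drops them from the generated table of contents and renders them smaller than ordinary body subsections. A site-wide rule that example headings are h6 suits short inline examples, but here the examples are the article's top-level structure, so h2 or h3 is the better choice for this file.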
@@ -111,7 +111,7 @@ Because I wanted reliable detection I chose Sysmon instead of directly
111111
consuming the process events from the aforementioned ETW provider.
112112

113113

114-
## Example 2: Track compromised accounts
114+
###### Example 2: Track compromised accounts
115115

116116
The Windows Event Log is a great log source that enables you to track
117117
adversary activity in real-time. Due to the Event Log tracker of
