Constants ¶
// Log format versions and severity levels, re-exported from the common package
// so that callers of this package do not need to import common directly.
const (
	JsonV1 = common.JsonV1
	JsonV2 = common.JsonV2
	JsonV3 = common.JsonV3

	Error   = common.Error
	Alert   = common.Alert
	Warning = common.Warning
	Notice  = common.Notice
	Info    = common.Info
	Debug   = common.Debug
)

// Issue categories used in Issue.Category.
const (
	// IssueCategoryTruncated indicates that a value was truncated due to its size.
	IssueCategoryTruncated = "truncated"
	// IssueCategoryOutOfRange indicates that a value can't be represented in the format that the log uses.
	IssueCategoryOutOfRange = "out_of_range"
)
// ModifierWithMilliseconds is the textlog tag option (e.g. `textlog:"modified,with_millis"`
// on Filetimes) that requests millisecond precision when a time is rendered.
const ModifierWithMilliseconds = "with_millis"

// Human-readable log object type names. They mirror the corresponding object
// types below; presumably these are the names under which the types are
// registered via AddLogObjectType — confirm against the registration code.
const TypeAuditLogEntry = "audit log entry"

const TypeEventlogEntry = "eventlog entry"

const TypeJournaldEntry = "journal log entry"

const TypeLogLine = "log line"

const TypeMsOfficeConnectionCacheEntry = "MS Office connection cache entry"

const TypeProcessStart = "process start"

const TypeRegisteredDebugger = "registered debugger"

const TypeRegistryKey = "registry key"

const TypeRegistryValue = "registry value"
Variables ¶
// ErrNoLogObject is returned when a JSON document does not contain a log object.
// Compare with errors.Is rather than ==, as it may be wrapped.
var ErrNoLogObject = errors.New("JSON does not contain a log object")

// LogObjectTypes maps a registered type name to a prototype jsonlog.Object.
// It is package-level mutable state: populate it only through AddLogObjectType
// (which panics on duplicate names), and do so at init time — concurrent
// registration is not synchronised here.
var LogObjectTypes = map[string]jsonlog.Object{}
LogObjectTypes is a map of all registered log object types, keyed by type name. Each log object type must be registered using AddLogObjectType, which panics if the name is already taken; registration should therefore happen once, at package initialisation.
Functions ¶
func AddLogObjectType ¶
AddLogObjectType registers a new log object type. It panics if a log object type with the same name is already registered.
Types ¶
type AclAccess ¶
// AclAccess is a single-byte access value of an ACL entry. It has custom
// JSON (un)marshalling and a JSON schema alias, so do not rely on it being
// encoded as a plain number.
type AclAccess byte
func (AclAccess) JSONSchemaAlias ¶
func (AclAccess) MarshalJSON ¶
func (*AclAccess) UnmarshalJSON ¶
type AclEntries ¶
// AclEntries is a list of ACL entries with a String method for the text log.
type AclEntries []AclEntry
func (AclEntries) String ¶
func (a AclEntries) String() string
type AclEntry ¶
type AmcacheEntry ¶
// AmcacheEntry is a log object for one Amcache entry: the referenced file,
// the SHA1 recorded in the cache and the product metadata stored with it.
type AmcacheEntry struct {
	jsonlog.ObjectHeader
	// File is the file the entry refers to; rendered expanded in the text log.
	File *File `json:"file" textlog:"file,expand"`
	// SHA1 is the hash as recorded in the Amcache entry.
	// NOTE(review): Amcache is commonly documented as hashing only a prefix of
	// large files — confirm before treating a mismatch with File.Hashes as tampering.
	SHA1 string `json:"sha1" textlog:"sha1"`
	// Size is the recorded file size.
	Size int64 `json:"size" textlog:"size"`
	// Desc is the recorded file description.
	Desc string `json:"desc" textlog:"desc"`
	// FirstRun is the recorded first execution time.
	FirstRun time.Time `json:"first_run" textlog:"first_run"`
	// Created is the recorded creation time.
	Created time.Time `json:"created" textlog:"created"`
	// Product and Company are taken from the entry's version metadata.
	Product string `json:"product" textlog:"product"`
	Company string `json:"company" textlog:"company"`
}
func NewAmcacheEntry ¶
func NewAmcacheEntry() *AmcacheEntry
type AnalysisResult ¶
type AntiVirusExclude ¶
// AntiVirusExclude is a log object for a single anti-virus exclusion.
// Note that the JSON key ("exclusion_type") and the text-log key ("type")
// differ for the Type field.
type AntiVirusExclude struct {
	LogObjectHeader
	// Type is the kind of exclusion as reported by the product.
	Type string `json:"exclusion_type" textlog:"type"`
	// Exclusion is the excluded item itself; its exact form depends on the
	// reporting product and the exclusion type.
	Exclusion string `json:"exclusion" textlog:"exclusion"`
}
func NewAntiVirusExclude ¶
func NewAntiVirusExclude(exclusionType string, exclusion string) *AntiVirusExclude
type AntiVirusProduct ¶
// AntiVirusProduct is a log object describing an installed anti-virus product
// and the state it reports for itself and its signatures.
type AntiVirusProduct struct {
	LogObjectHeader
	// Name is the product name (the only value set by NewAntiVirusProduct).
	Name string `json:"name" textlog:"name"`
	// Status is the product's own reported status; the value set is product-specific.
	Status string `json:"status" textlog:"status"`
	// SignatureStatus is the reported state of the signature database.
	SignatureStatus string `json:"signature_status" textlog:"signature_status"`
	// Path is the product's reported install or executable path.
	Path string `json:"path" textlog:"path"`
}
func NewAntiVirusProduct ¶
func NewAntiVirusProduct(name string) *AntiVirusProduct
type ArrowStringList ¶
// ArrowStringList is a list of strings with its own String rendering and
// relative JSON/text pointer resolution; it is used e.g. for File.UnpackSource
// to express a chain of unpacking origins.
type ArrowStringList []string
func (ArrowStringList) RelativeJsonPointer ¶
func (a ArrowStringList) RelativeJsonPointer(pointee any) jsonpointer.Pointer
func (ArrowStringList) RelativeTextPointer ¶
func (a ArrowStringList) RelativeTextPointer(pointee any) (string, bool)
func (ArrowStringList) String ¶
func (a ArrowStringList) String() string
type AtJob ¶
// AtJob is a log object for a job scheduled via the Windows "at" facility.
type AtJob struct {
	jsonlog.ObjectHeader
	// Command is the command line of the job.
	Command string `json:"command" textlog:"command"`
	// Start is the scheduled start, kept as the raw string from the source.
	Start string `json:"start" textlog:"start"`
	// User is the account the job runs as.
	User string `json:"user" textlog:"user"`
	// RunLevel and LogonType use different text-log keys ("runlevel", "logontype") than JSON keys.
	RunLevel string `json:"run_level" textlog:"runlevel"`
	LogonType string `json:"logon_type" textlog:"logontype"`
	// Image is the executable behind Command, if it could be resolved; expanded in the text log.
	Image *File `json:"image" textlog:"image,expand"`
}
type AuditLogEntry ¶
// AuditLogEntry is a log object for one audit log record, kept as an ordered
// key/value list rather than a fixed schema.
type AuditLogEntry struct {
	jsonlog.ObjectHeader
	// Entry holds the parsed record's fields in source order.
	Entry KeyValueList `json:"entry" textlog:"entry"`
}
func NewAuditLogEntry ¶
func NewAuditLogEntry() *AuditLogEntry
type AuthorizedKeysEntry ¶
// AuthorizedKeysEntry is a log object for one line of an SSH authorized_keys file.
type AuthorizedKeysEntry struct {
	jsonlog.ObjectHeader
	// Type is the key type token (JSON key "key_type", text-log key "type").
	Type string `json:"key_type" textlog:"type"`
	// Key is the encoded public key.
	Key string `json:"key" textlog:"key"`
	// Comment is the trailing comment of the line.
	Comment string `json:"comment" textlog:"comment"`
	// Line is the raw line. Any leading key options (e.g. command= or from=)
	// would only be visible here, not in the fields above — confirm with the parser.
	Line string `json:"line" textlog:"line"`
}
func NewAuthorizedKeysEntry ¶
func NewAuthorizedKeysEntry() *AuthorizedKeysEntry
type AutorunEntry ¶
// AutorunEntry is a log object for an autostart entry (registry, folder, service, ...).
type AutorunEntry struct {
	jsonlog.ObjectHeader
	// Type is the autorun category.
	Type string `json:"autorun_type" textlog:"autorun_type"`
	// Location is where the entry was found (e.g. a registry key or folder).
	Location string `json:"location" textlog:"location"`
	// Image is the executable the entry launches. It is expanded inline in the
	// text log without its own key prefix (textlog:",expand").
	Image *File `json:"image" textlog:",expand"`
	// Arguments are the arguments passed to Image.
	Arguments string `json:"arguments" textlog:"arguments"`
	// Entry is the entry's name or value name.
	Entry string `json:"entry" textlog:"entry"`
	// LaunchString is the unparsed launch command as stored at Location.
	LaunchString string `json:"launch_string" textlog:"launch_string"`
	// OldMd5 is only set when a previous MD5 of the image is known; note the
	// differing text-log key "md5_before".
	OldMd5 string `json:"old_md5,omitempty" textlog:"md5_before,omitempty"`
}
func NewAutorunEntry ¶
func NewAutorunEntry() *AutorunEntry
type BeaconConfig ¶
// BeaconConfig holds the parsed configuration of a Cobalt Strike Beacon
// (see File.BeaconConfig and DeepDiveChunk.BeaconConfig). The named fields are
// the subset most useful for triage; everything else is in FullConfig.
type BeaconConfig struct {
	// Type is the beacon type (e.g. the transport variant) as parsed.
	Type string `json:"type" textlog:"type"`
	// C2 is the configured command-and-control host.
	C2 string `json:"c2" textlog:"c2"`
	// Port is kept as a string, as parsed from the configuration.
	Port string `json:"port" textlog:"port"`
	// SpawnTo is the configured spawn-to process (text-log key "spawnto").
	SpawnTo string `json:"spawn_to" textlog:"spawnto"`
	// InjectionProcess is the configured injection target.
	InjectionProcess string `json:"injection_process" textlog:"injection_process"`
	// Pipename is the configured named pipe (text-log key "pipename").
	Pipename string `json:"pipe_name" textlog:"pipename"`
	// UserAgent and Proxy are the configured HTTP user agent and proxy.
	UserAgent string `json:"user_agent" textlog:"user_agent"`
	Proxy string `json:"proxy" textlog:"proxy"`
	// FullConfig is the full configuration of the beacon. It is emitted in JSON
	// only (textlog:"-").
	// For now, it is filled with strings only until we refactor the parsing module.
	FullConfig map[string]any `json:"full_config" textlog:"-"`
	// CipherParameters contains information about how the beacon is hidden in the file.
	CipherParameters CipherParameters `json:"cipher_parameters" textlog:"cipher_parameters,expand,omitempty"`
}
type CipherParameters ¶
// CipherParameters describes how a beacon configuration was obfuscated inside
// its carrier, i.e. what had to be undone to recover BeaconConfig.
type CipherParameters struct {
	// XafEncoded reports whether the configuration was XAF-encoded; XafEncodingAnchor
	// is only meaningful in that case and is omitted from the text log when zero.
	XafEncoded bool `json:"xaf_encoded" textlog:"xaf_encoded"`
	XafEncodingAnchor int64 `json:"xaf_encoding_anchor" textlog:"xaf_encoding_anchor,omitempty"`
	// XorKey is the single-byte XOR key applied to the configuration block.
	XorKey byte `json:"xor_key" textlog:"xor_key"`
	// BeaconOffset and BeaconLength locate the configuration block in the carrier.
	BeaconOffset uint64 `json:"beacon_offset" textlog:"beacon_offset"`
	BeaconLength uint64 `json:"beacon_length" textlog:"beacon_length"`
	// BlockStart holds the first bytes of the block, for manual verification.
	BlockStart FirstBytes `json:"block_start" textlog:"block_start"`
	// PairwiseSwapped reports whether adjacent bytes of the block were swapped.
	PairwiseSwapped bool `json:"pairwise_swapped" textlog:"pairwise_swapped"`
}
type Context ¶
// Context is the list of related objects attached to a Finding (Finding.EventContext).
// It has a custom text-log rendering.
type Context []ContextObject
func (Context) MarshalTextLog ¶
func (c Context) MarshalTextLog(t jsonlog.TextlogFormatter) jsonlog.TextlogEntry
type ContextObject ¶
// ContextObject is one object in a Finding's Context together with how it
// relates to the finding's subject. It has a custom UnmarshalJSON because
// Object is an interface and its concrete type must be recovered from the JSON.
type ContextObject struct {
	// Object is the related object; it is expanded inline in the text log.
	Object ReportableObject `json:"object" textlog:",expand"`
	RelationType string `json:"relation_type"` // RelationType is used to specify the type of relation, e.g. "derives from" or "related to"
	RelationName string `json:"relation_name"` // RelationName is used to specify the name of the relation, e.g. "parent". It is optional.
	Unique bool `json:"unique"` // Unique indicates whether the relation is unique, i.e. there can only be one object with this relation type / name in the context.
}
func (*ContextObject) UnmarshalJSON ¶
func (c *ContextObject) UnmarshalJSON(data []byte) error
type CronJob ¶
// CronJob is a log object for one cron entry.
type CronJob struct {
	LogObjectHeader
	// User is the account the job runs as.
	User string `json:"user" textlog:"user"`
	// Schedule is the raw schedule specification of the entry.
	Schedule string `json:"schedule" textlog:"schedule"`
	// Command is the command line executed by cron.
	Command string `json:"command" textlog:"command"`
}
func NewCronjob ¶
func NewCronjob() *CronJob
type DeepDiveChunk ¶
// DeepDiveChunk is a log object for one chunk of a file or memory region that
// was scanned in depth; offsets are rendered in hex.
type DeepDiveChunk struct {
	jsonlog.ObjectHeader
	// ChunkOffset and ChunkEnd delimit the chunk within the scanned data.
	ChunkOffset HexNumber `json:"chunk_offset" textlog:"chunk_offset"`
	ChunkEnd HexNumber `json:"chunk_end" textlog:"chunk_end"`
	// Content holds extracts of the chunk's data (see SparseData), expanded in the text log.
	Content *SparseData `json:"content" textlog:"content,expand"`
	// BeaconConfig contains information about a Cobalt Strike Beacon if the file contains one.
	BeaconConfig *BeaconConfig `json:"beacon_config,omitempty" textlog:"beacon,expand,omitempty"`
}
func NewDeepDiveChunk ¶
func NewDeepDiveChunk() *DeepDiveChunk
type DetectionAddEntry ¶
// DetectionAddEntry is a log object for a "detection add" event from the
// Microsoft Protection Log (MPLog).
type DetectionAddEntry struct {
	jsonlog.ObjectHeader
	// Time is the event time.
	Time time.Time `json:"time" textlog:"time"`
	// ThreatName is the threat name reported by Defender.
	ThreatName string `json:"threat_name" textlog:"threat_name"`
	// Detected holds the detected resources as key/value pairs; they are
	// expanded inline in the text log rather than under a "detected" key.
	Detected KeyValueList `json:"detected" textlog:",expand"`
}
DetectionAddEntry represents a detection event in the Microsoft Protection Log.
func NewDetectionAddEntry ¶
func NewDetectionAddEntry(t time.Time, threat string, detected KeyValueList) *DetectionAddEntry
type DnsCacheEntry ¶
// DnsCacheEntry is a log object for one resolver cache entry.
type DnsCacheEntry struct {
	LogObjectHeader
	// Host is the cached name; note the text-log key is "entry", not "host".
	Host string `json:"host" textlog:"entry"`
	// IP is the cached address, as a string.
	IP string `json:"ip" textlog:"ip"`
}
func NewDnsCacheEntry ¶
func NewDnsCacheEntry(host string, ip string) *DnsCacheEntry
type DoublePulsarHandshake ¶
// DoublePulsarHandshake is a log object for a DoublePulsar backdoor handshake
// observed over SMB or RDP.
type DoublePulsarHandshake struct {
	LogObjectHeader
	Type string `json:"handshake_type" textlog:"type"` // SMB or RDP
	// Key is the key recovered from the handshake, rendered as hex; it is
	// omitted from both outputs when zero (NewDoublePulsarHandshake takes a uint64).
	Key HexNumber `json:"key,omitempty" textlog:"key,omitempty"`
}
func NewDoublePulsarHandshake ¶
func NewDoublePulsarHandshake(handshakeType string, key uint64) *DoublePulsarHandshake
type EmbeddedObject ¶
EmbeddedObject is a utility type for unmarshalling THOR log objects from JSON.
func (*EmbeddedObject) UnmarshalJSON ¶
func (e *EmbeddedObject) UnmarshalJSON(data []byte) error
type EmsDetectionEntry ¶
// EmsDetectionEntry is a log object for a behaviour-based (EMS) detection from
// the Microsoft Protection Log, tied to a process id.
type EmsDetectionEntry struct {
	jsonlog.ObjectHeader
	// Time is the event time.
	Time time.Time `json:"time" textlog:"time"`
	// ThreatName is the reported threat name (text-log key "threat").
	ThreatName string `json:"threat_name" textlog:"threat"`
	// Pid is the id of the process the detection refers to.
	Pid int `json:"pid" textlog:"pid"`
}
EmsDetectionEntry represents an event in the Microsoft Protection Log that lists a detection on process behaviour.
func NewEmsDetection ¶
func NewEmsDetection(timestamp time.Time, threatName string, pid int) *EmsDetectionEntry
type EndOfLifeReport ¶
// EndOfLifeReport is a log object stating that a software version has reached
// (or will reach) its end of life.
type EndOfLifeReport struct {
	jsonlog.ObjectHeader
	// Version is the affected version string.
	Version string `json:"version" textlog:"version"`
	// EndOfLife is the end-of-life date; note the text-log key is "end_time".
	EndOfLife time.Time `json:"end_of_life" textlog:"end_time"`
}
func NewEndOfLifeReport ¶
func NewEndOfLifeReport(version string, endOfLife time.Time) *EndOfLifeReport
type EnvironmentVariable ¶
// EnvironmentVariable is a log object for one environment variable.
// Values may contain secrets (tokens, connection strings); treat logs carrying
// this object accordingly.
type EnvironmentVariable struct {
	LogObjectHeader
	// Variable is the variable name (text-log key "var").
	Variable string `json:"variable" textlog:"var"`
	// Value is the variable's value.
	Value string `json:"value" textlog:"value"`
}
func NewEnvironmentVariable ¶
func NewEnvironmentVariable(variable string, value string) *EnvironmentVariable
type EstimatedImpactEntry ¶
// EstimatedImpactEntry is a log object for an "estimated impact" event from the
// Microsoft Protection Log, relating a file to the process it was observed in.
type EstimatedImpactEntry struct {
	jsonlog.ObjectHeader
	// Time is the event time.
	Time time.Time `json:"time" textlog:"time"`
	// ProcessImageName is the image of the monitored process (key "image").
	ProcessImageName string `json:"image" textlog:"image"`
	// Pid is the id of the monitored process.
	Pid int `json:"pid" textlog:"pid"`
	// AccessedFile is the file whose impact was estimated (key "file").
	AccessedFile string `json:"file" textlog:"file"`
}
EstimatedImpactEntry represents an event in the Microsoft Protection Log that lists the impact of a specific file on the monitoring of a process.
func NewEstimatedImpactEntry ¶
type EventlogProcessStart ¶
// EventlogProcessStart aggregates process start events for one process image.
// JSON carries the individual start times, the text log only their count;
// NewEventlogProcessStart is expected to keep Count consistent with StartTimes.
type EventlogProcessStart struct {
	jsonlog.ObjectHeader
	// Process is the process image the starts belong to.
	Process string `json:"process" textlog:"process"`
	// StartTimes lists every observed start; JSON only.
	StartTimes []time.Time `json:"start_times" textlog:"-"`
	// Count is len(StartTimes); text log only.
	Count int `json:"-" textlog:"count"`
}
func NewEventlogProcessStart ¶
func NewEventlogProcessStart(process string, startTimes []time.Time) *EventlogProcessStart
type ExecutionTimes ¶
func (ExecutionTimes) MarshalTextLog ¶
func (e ExecutionTimes) MarshalTextLog(t jsonlog.TextlogFormatter) jsonlog.TextlogEntry
type Existence ¶
// Existence states whether a referenced file exists. Besides plain yes/no it
// distinguishes why the answer is unknown, which matters when an analyst
// decides whether a missing file is suspicious or simply out of scope.
type Existence string

const (
	ExistenceYes     Existence = "yes"
	ExistenceNo      Existence = "no"
	ExistenceUnknown Existence = "unknown"
	// The following are all "unknown", with the reason encoded in the value.
	ExistenceDisappeared         Existence = "disappeared"          // Unknown because disappeared
	ExistenceExpansionInfeasible Existence = "expansion_infeasible" // Unknown because expansion
	ExistenceNonLocal            Existence = "nonlocal"             // Unknown because not local
	ExistenceExcluded            Existence = "excluded"             // Unknown because excluded
)
type File ¶
// File is the central log object describing a file on the scanned system,
// including files nested inside archives and files that are only referenced
// (see Exists). Most optional sub-structures are pointers with omitempty and
// are nil when the information is unavailable.
type File struct {
	jsonlog.ObjectHeader
	// Path is the full path of the file (possibly including archives, e.g. /path/to/archive.zip/file.txt).
	// Because archive members are spliced into the path, Path is not guaranteed
	// to be openable as-is on the filesystem; use UnpackSource to tell these apart.
	Path string `json:"path" textlog:"file"`
	// Exists is a flag indicating whether the file exists or not. This is useful for files that are referenced elsewhere, but do not necessarily exist.
	Exists Existence `json:"exists" textlog:"exists,omitempty"`
	// Extension is the file extension of the file (e.g. .txt, .exe, etc.)
	Extension string `json:"extension" textlog:"extension,omitempty"`
	// FileMode is the type of the file (e.g. file, directory, symlink, etc.)
	// It is internal only: excluded from both JSON and text log.
	FileMode FileModeType `json:"-" textlog:"-"`
	// MagicHeader is the magic header of the file (e.g. PE, ZIP, etc.); text-log key "type".
	MagicHeader string `json:"magic_header" textlog:"type,omitempty"`
	// FileHashes contains the MD5, SHA1, and SHA256 hashes of the file, provided that the file is regular and could be read
	// (nil otherwise — consumers must not assume hashes are present).
	Hashes *FileHashes `json:"hashes,omitempty" textlog:",expand,omitempty"`
	// FirstBytes contains the first bytes of the file
	FirstBytes FirstBytes `json:"first_bytes,omitempty" textlog:"firstbytes,omitempty"`
	// Filetimes contains the file times of the file (e.g. created, modified, accessed, etc.)
	Filetimes *Filetimes `json:"file_times,omitempty" textlog:",expand,omitempty"`
	// Size is always emitted in JSON, but omitted from the text log when zero.
	Size uint64 `json:"size" textlog:"size,omitempty"`
	// Permissions contains the permissions of the file. This can be either Unix or Windows permissions.
	Permissions Permissions `json:"permissions" textlog:",expand,omitempty"`
	// PeInfo contains information about the PE file, if the file is a PE file
	PeInfo *PeInfo `json:"pe_info,omitempty" textlog:",expand,omitempty"`
	// Target is only set for symlinks and contains the target path of the symlink
	Target string `json:"target,omitempty" textlog:"target,omitempty"`
	// UnpackSource is set for files that originate from another, unpacked file (possibly with multiple layers of unpacking)
	UnpackSource ArrowStringList `json:"unpack_source,omitempty" textlog:"unpack_source,omitempty" jsonschema:"nullable"`
	// LinkInfo contains information about the link, if the file is a windows link file (.lnk)
	LinkInfo *LinkInfo `json:"link_info,omitempty" textlog:",expand,omitempty"`
	// RecycleBinInfo contains information about the file if it was in the recycle bin
	RecycleBinInfo *RecycleBinIndexFile `json:"recycle_bin_info,omitempty" textlog:",expand,omitempty"`
	// WerInfo contains information about the file if it was a Windows Error Reporting crash report
	WerInfo *WerCrashReport `json:"wer_info,omitempty" textlog:",expand,omitempty"`
	// Content contains extracts from the content of the file, typically focusing on any matched patterns.
	Content *SparseData `json:"content,omitempty" textlog:"content,expand,omitempty"`
	// BeaconConfig contains information about a Cobalt Strike Beacon if the file contains one.
	BeaconConfig *BeaconConfig `json:"beacon_config,omitempty" textlog:"beacon,expand,omitempty"`
	// VirusTotalInfo contains information about the file from VirusTotal
	VirusTotalInfo *VirusTotalInformation `json:"virustotal,omitempty" textlog:"virustotal,expand,omitempty"`
}
func (*File) UnmarshalJSON ¶
type FileHashes ¶
type FileModeType ¶
// FileModeType classifies a filesystem entry (see File.FileMode). Note that
// the constants are unprefixed package-level names (Directory, Symlink, ...);
// the plain-file value is ModeFile to avoid clashing with the File type.
type FileModeType string

const (
	Undefined FileModeType = "undefined"
	Directory FileModeType = "directory"
	// Irregular covers entries that are neither file, directory nor symlink (e.g. devices, sockets).
	Irregular FileModeType = "irregular"
	Symlink   FileModeType = "symlink"
	ModeFile  FileModeType = "file"
)
type Filetimes ¶
// Filetimes holds a file's timestamps. Only Mtime is mandatory; the others are
// pointers and omitted when unavailable. All are rendered with millisecond
// precision in the text log (with_millis).
type Filetimes struct {
	// Mtime is the content modification time (JSON key "modified").
	Mtime time.Time `json:"modified" textlog:"modified,with_millis"`
	// Atime is the last access time, Ctime the metadata change time, Btime the birth/creation time.
	Atime *time.Time `json:"accessed,omitempty" textlog:"accessed,omitempty,with_millis"`
	Ctime *time.Time `json:"changed,omitempty" textlog:"changed,omitempty,with_millis"`
	Btime *time.Time `json:"created,omitempty" textlog:"created,omitempty,with_millis"`
	// Timestamps that are not always available, but only set if timestomping is detected.
	// They come from the USN journal and the MFT $FILE_NAME attribute, which an
	// attacker using standard APIs cannot modify, so they serve as a reference
	// against the $STANDARD_INFORMATION-derived times above.
	UsnChangeTime *time.Time `json:"usn_change_time,omitempty" textlog:"usn_change_time,omitempty,with_millis"`
	MftFileNameModified *time.Time `json:"mft_file_name_modified,omitempty" textlog:"mft_file_name_modified,omitempty,with_millis"`
	MftFileNameAccessed *time.Time `json:"mft_file_name_accessed,omitempty" textlog:"mft_file_name_accessed,omitempty,with_millis"`
	MftFileNameChanged *time.Time `json:"mft_file_name_changed,omitempty" textlog:"mft_file_name_changed,omitempty,with_millis"`
	MftFileNameCreated *time.Time `json:"mft_file_name_created,omitempty" textlog:"mft_file_name_created,omitempty,with_millis"`
}
type Finding ¶
// Finding is a scored detection result: a subject object, the reasons that
// contributed to the score, and related context objects. It has a custom
// UnmarshalJSON because Subject and EventContext hold interface values.
type Finding struct {
	jsonlog.ObjectHeader
	// Meta is the common log event metadata (level, module, time, ...), expanded in the text log.
	Meta LogEventMetadata `json:"meta" textlog:",expand"`
	// Text is the finding message (JSON key "message").
	Text string `json:"message" textlog:"message"`
	// Subject is the object the finding is about; expanded inline.
	Subject ReportableObject `json:"subject" textlog:",expand"`
	// Score is the aggregated score of all reasons.
	Score int64 `json:"score" textlog:"score"`
	// Reasons are the individual matches; ReasonCount is only emitted when set
	// (text-log key "reasons_count"), presumably when Reasons has been truncated.
	Reasons []Reason `json:"reasons" textlog:",expand"`
	ReasonCount int `json:"reason_count,omitempty" textlog:"reasons_count,omitempty"`
	// EventContext lists related objects; may be null in JSON.
	EventContext Context `json:"context" textlog:",expand" jsonschema:"nullable"`
	// Issues records problems during analysis (e.g. truncation); JSON only.
	Issues []Issue `json:"issues,omitempty" textlog:"-"`
	// LogVersion is the JSON log format version this finding was written in.
	LogVersion common.Version `json:"log_version"`
}
func NewFinding ¶
func NewFinding(subject ReportableObject, message string) *Finding
func (*Finding) Metadata ¶
func (f *Finding) Metadata() *LogEventMetadata
func (*Finding) UnmarshalJSON ¶
type FirewallRule ¶
// FirewallRule is a log object for a host firewall rule. Port and address
// lists are StringLists and may be null in JSON when the rule does not
// restrict them. Text-log keys are abbreviated (lport, rport, lip, rip).
type FirewallRule struct {
	jsonlog.ObjectHeader
	// Path is the program the rule applies to, if any.
	Path string `json:"path" textlog:"path"`
	LocalPorts StringList `json:"local_ports" textlog:"lport" jsonschema:"nullable"`
	RemotePorts StringList `json:"remote_ports" textlog:"rport" jsonschema:"nullable"`
	LocalAddresses StringList `json:"local_ips" textlog:"lip" jsonschema:"nullable"`
	RemoteAddresses StringList `json:"remote_ips" textlog:"rip" jsonschema:"nullable"`
	// Name is the rule's display name.
	Name string `json:"name" textlog:"name"`
	// Allow reports the rule action (true = allow; presumably false = block),
	// Enabled whether it is active, Inbound its direction.
	Allow bool `json:"allow" textlog:"allow"`
	Enabled bool `json:"enabled" textlog:"enabled"`
	Inbound bool `json:"inbound" textlog:"inbound"`
	// Protocol is the protocol as a string (e.g. TCP/UDP or a number); confirm
	// the normalisation with NewFirewallRule's callers.
	Protocol string `json:"protocol" textlog:"protocol"`
}
func NewFirewallRule ¶
func NewFirewallRule() *FirewallRule
type FirstBytes ¶
// FirstBytes is a byte prefix of a file or block with custom JSON encoding and
// a String rendering (see File.FirstBytes and CipherParameters.BlockStart).
// It is not encoded as the default base64 that encoding/json would use for []byte.
type FirstBytes []byte
func (FirstBytes) JSONSchemaAlias ¶
func (f FirstBytes) JSONSchemaAlias() any
func (FirstBytes) MarshalJSON ¶
func (f FirstBytes) MarshalJSON() ([]byte, error)
func (FirstBytes) String ¶
func (f FirstBytes) String() string
func (*FirstBytes) UnmarshalJSON ¶
func (f *FirstBytes) UnmarshalJSON(data []byte) error
type GroupsXmlUser ¶
// GroupsXmlUser is a log object for a user account defined in a Group Policy
// Preferences Groups.xml file together with its password.
//
// SECURITY: Password is a plaintext credential (presumably the decrypted GPP
// cpassword). Logs containing this object must be handled and stored as
// secrets; consider whether the text log really needs the full value.
type GroupsXmlUser struct {
	jsonlog.ObjectHeader
	// User is the account name.
	User string `json:"user" textlog:"user"`
	// Password is the recovered password in clear text.
	Password string `json:"password" textlog:"password"`
}
func NewGroupsXmlPassword ¶
func NewGroupsXmlPassword(user, password string) *GroupsXmlUser
type HostInfo ¶
// HostInfo is the log object describing the scanned host. It has a custom
// UnmarshalJSON (PlatformInfo varies by OS, see PlatformInfoLinux/Macos/Windows).
type HostInfo struct {
	jsonlog.ObjectHeader
	// Hostname and Domain identify the host; Domain is omitted from the text log when empty.
	Hostname string `json:"hostname" textlog:"hostname"`
	Domain string `json:"domain" textlog:"domain,omitempty"`
	// Platform holds OS-specific details, expanded inline.
	Platform PlatformInfo `json:"platform" textlog:",expand"`
	// Uptime is encoded as a time.Duration (nanoseconds in JSON).
	Uptime time.Duration `json:"uptime" textlog:"uptime"`
	// Cpus is the CPU count (JSON key "cpu_count"); Memory the physical memory size.
	Cpus int `json:"cpu_count" textlog:"cpu_count"`
	Memory uint64 `json:"memory" textlog:"memory"`
	Timezone string `json:"timezone" textlog:"timezone"`
	Language string `json:"language" textlog:"language"`
	// Interfaces lists the network interfaces, expanded inline.
	Interfaces []InterfaceInfo `json:"interfaces" textlog:",expand"`
	SystemType SystemType `json:"system_type" textlog:"system_type"`
	// MountPoints has no textlog tag, unlike every other field here; whether it
	// appears in the text log under a default key depends on the textlog encoder.
	MountPoints []MountInfo `json:"mount_points"`
}
func NewHostInfo ¶
func NewHostInfo() *HostInfo
func (*HostInfo) UnmarshalJSON ¶
type HostsFileEntry ¶
// HostsFileEntry is a log object for one name/address mapping from the hosts file.
type HostsFileEntry struct {
	LogObjectHeader
	// Host is the mapped name.
	Host string `json:"host" textlog:"host"`
	// IP is the mapped address, as a string.
	IP string `json:"ip" textlog:"ip"`
}
func NewHostsFileEntry ¶
func NewHostsFileEntry(host string, ip string) *HostsFileEntry
type HotfixSummary ¶
// HotfixSummary is a log object reporting when the most recent hotfix was installed.
type HotfixSummary struct {
	jsonlog.ObjectHeader
	// LastHotfix is the install time of the newest hotfix found.
	LastHotfix time.Time `json:"last_hotfix" textlog:"last_hotfix"`
}
func NewHotfixSummary ¶
func NewHotfixSummary(lastHotfix time.Time) *HotfixSummary
type HourDuration ¶
func (HourDuration) String ¶
func (h HourDuration) String() string
type InitdService ¶
// InitdService is a log object for a SysV init script; it carries nothing but
// the script file itself.
type InitdService struct {
	LogObjectHeader
	// File is the init script, expanded in the text log.
	File *File `json:"file" textlog:"file,expand"`
}
func NewInitdService ¶
func NewInitdService() *InitdService
type InterfaceInfo ¶
type InvalidUnicodeString ¶
// InvalidUnicodeString is a string that may contain bytes that are not valid
// UTF-8. Its MarshalJSON exists because encoding/json would otherwise replace
// such bytes with U+FFFD and silently alter the evidence.
type InvalidUnicodeString string
func (InvalidUnicodeString) MarshalJSON ¶
func (s InvalidUnicodeString) MarshalJSON() ([]byte, error)
type Issue ¶
// Issue describes a problem that occurred while analysing a scan target, most
// often a presentation limit such as truncation (see IssueCategoryTruncated and
// IssueCategoryOutOfRange). Consumers should check Finding.Issues before
// treating a truncated value as complete.
type Issue struct {
	// Affected is the path to the substructure that is related to the issue.
	// If the issue can't be related to a specific substructure, this may be null.
	Affected *jsonlog.Reference `json:"affected" textlog:"affected"`
	// Category is a human-readable description of the issue category.
	Category string `json:"category" textlog:"category"`
	// Description is a human-readable description of the issue.
	Description string `json:"description" textlog:"description"`
}
Issue describes a problem that occurred during the analysis of a scan target like a file or process. Often this will be an issue with displaying the results, e.g. the results may be truncated due to size limitations.
type JournaldEntry ¶
// JournaldEntry is a log object for one systemd journal record.
type JournaldEntry struct {
	jsonlog.ObjectHeader
	// Time is the record's timestamp.
	Time time.Time `json:"time" textlog:"time"`
	// Details holds the record's fields as key/value pairs (text-log key "entry").
	Details KeyValueList `json:"details" textlog:"entry"`
}
func NewJournaldEntry ¶
func NewJournaldEntry() *JournaldEntry
type JumplistEntry ¶
// JumplistEntry is a log object for one entry of a Windows jump list
// (automatic/custom destinations), including the link-tracking identifiers
// that allow correlating the target across volumes and hosts.
type JumplistEntry struct {
	jsonlog.ObjectHeader
	// Path is the target path (the only value set by NewJumplistEntry).
	Path string `json:"path" textlog:"path"`
	// Pinned reports whether the entry is pinned.
	Pinned bool `json:"pinned" textlog:"pinned"`
	// LastAccess and AccessCount come from the destination list metadata.
	LastAccess time.Time `json:"last_access" textlog:"last_access"`
	AccessCount int `json:"access_count" textlog:"access_count"`
	// NetbiosName is the host name recorded in the link tracking data.
	NetbiosName string `json:"netbios_name" textlog:"netbios_name"`
	// ObjectID, VolumeID and BirthVolumeID are the distributed link tracking GUIDs.
	ObjectID uuid.UUID `json:"object_id" textlog:"object_id"`
	VolumeID uuid.UUID `json:"volume_id" textlog:"volume_id"`
	BirthVolumeID uuid.UUID `json:"birth_volume_id" textlog:"birth_volume_id"`
	// EntryID and Checksum are taken from the DestList record.
	EntryID uint64 `json:"entry_id" textlog:"entry_id"`
	Checksum uint64 `json:"checksum" textlog:"checksum"`
}
func NewJumplistEntry ¶
func NewJumplistEntry(path string) *JumplistEntry
type KeyValueList ¶
// KeyValueList is an ordered list of key/value pairs, used where a log source
// has no fixed schema (audit log, journald, detection details, module parameters).
// It marshals to JSON via MarshalJSON rather than as {"KvList": [...]}, keeps
// insertion order (unlike a map), and supports lookup via Find.
type KeyValueList struct {
	// KvList holds the pairs in source order; duplicates are possible.
	KvList []KeyValue
}
func (KeyValueList) Find ¶
func (d KeyValueList) Find(key string) *string
func (KeyValueList) JSONSchemaAlias ¶
func (d KeyValueList) JSONSchemaAlias() any
func (KeyValueList) MarshalJSON ¶
func (d KeyValueList) MarshalJSON() ([]byte, error)
func (KeyValueList) RelativeJsonPointer ¶
func (d KeyValueList) RelativeJsonPointer(pointee any) jsonpointer.Pointer
func (KeyValueList) RelativeTextPointer ¶
func (d KeyValueList) RelativeTextPointer(pointee any) (string, bool)
func (KeyValueList) String ¶
func (d KeyValueList) String() string
func (*KeyValueList) UnmarshalJSON ¶
func (d *KeyValueList) UnmarshalJSON(data []byte) error
type KnowledgeDBEntry ¶
// KnowledgeDBEntry is a log object for one record of the macOS KnowledgeC database.
type KnowledgeDBEntry struct {
	LogObjectHeader
	// Entry is the record's textual value (e.g. the app or activity name).
	Entry string `json:"entry" textlog:"entry"`
	// Created and Started are the record's creation and start times; Duration its length.
	Created time.Time `json:"created" textlog:"created"`
	Started time.Time `json:"started" textlog:"started"`
	Duration time.Duration `json:"duration" textlog:"duration"`
	// PrimaryKey is the row id in the database, useful to go back to the source.
	PrimaryKey int64 `json:"primary_key" textlog:"primary_key"`
}
func NewKnowledgeDBEntry ¶
func NewKnowledgeDBEntry() *KnowledgeDBEntry
type LicenseInfo ¶
// LicenseInfo describes the scanner license in use. Dates are kept as strings
// as they appear in the license.
type LicenseInfo struct {
	// Owner is the licensee.
	Owner string `json:"owner" textlog:"owner"`
	// Type is the license type (JSON key "license_type", text-log key "type").
	Type string `json:"license_type" textlog:"type"`
	// Starts and Expires are the validity period, as strings.
	Starts string `json:"starts" textlog:"starts"`
	Expires string `json:"expires" textlog:"expires"`
	// Scanner is the scanner the license is issued for.
	Scanner string `json:"scanner" textlog:"scanner"`
	// Hash identifies the license; what is hashed is not visible here.
	Hash string `json:"hash" textlog:"hash"`
}
type LinkInfo ¶
// LinkInfo holds the contents of a Windows shortcut (.lnk), see File.LinkInfo.
// The embedded timestamps are JSON only; the text log shows target and arguments.
type LinkInfo struct {
	// Target is the linked path; Arguments the stored arguments; CommandLine
	// the combined command as the shortcut would execute it.
	Target string `json:"target" textlog:"target"`
	Arguments string `json:"arguments" textlog:"arguments"`
	CommandLine string `json:"command_line" textlog:"command_line"`
	// Timestamps of the target as recorded inside the .lnk (not of the .lnk file itself).
	CreationTime time.Time `json:"created" textlog:"-"`
	WriteTime time.Time `json:"modified" textlog:"-"`
	AccessTime time.Time `json:"accessed" textlog:"-"`
}
type LinuxKernelModule ¶
// LinuxKernelModule is a log object for a loaded or built-in Linux kernel module.
// Note that Refcount, UsedBy and Version carry JSON tags only; whether and how
// they appear in the text log depends on the textlog encoder's defaults.
type LinuxKernelModule struct {
	LogObjectHeader
	// Name is the module name (the only value set by NewLinuxKernelModule).
	Name string `json:"name" textlog:"name"`
	// Size is the loaded size; omitted when zero.
	Size int `json:"size,omitempty" textlog:"size,omitempty"`
	// Whether this modules was compiled into the kernel
	IncludedInKernel bool `json:"included_in_kernel" textlog:"included_in_kernel"`
	// Refcount and UsedBy describe who holds the module (as in /proc/modules).
	Refcount int `json:"ref_count"`
	UsedBy StringList `json:"used_by"`
	Version string `json:"version"`
	// Parameters are the module parameters as key/value pairs; omitted when empty.
	Parameters KeyValueList `json:"parameters,omitempty" textlog:"parameters,omitempty"`
	// File is the module's .ko on disk, if located; nil for built-in modules.
	File *File `json:"file" textlog:"file,expand,omitempty"`
	// Description and Author come from the module's modinfo.
	Description StringList `json:"description" textlog:"description"`
	Author string `json:"author" textlog:"author"`
}
func NewLinuxKernelModule ¶
func NewLinuxKernelModule(name string) *LinuxKernelModule
type LogEventMetadata ¶
// LogEventMetadata is an alias (not a distinct type) for common.LogEventMetadata,
// so values are interchangeable with the common package.
type LogEventMetadata = common.LogEventMetadata
type LogLine ¶
// LogLine is a log object for one raw line of a text log file.
type LogLine struct {
	jsonlog.ObjectHeader
	// LineIndex is the line's position in the file; JSON only.
	LineIndex uint64 `json:"line_index" textlog:"-"`
	// Line is the raw line content.
	Line string `json:"line" textlog:"line"`
}
func NewLogLine ¶
func NewLogLine() *LogLine
type LogObjectHeader ¶
// LogObjectHeader is an alias for jsonlog.ObjectHeader. Types in this package
// embed either name; both are the same type.
type LogObjectHeader = jsonlog.ObjectHeader
type LoggedInUser ¶
// LoggedInUser is a log object for a user with an active logon on the host.
// All fields but User are omitted when empty.
type LoggedInUser struct {
	LogObjectHeader
	// User is the account name (the only value set by NewLoggedInUser).
	User string `json:"user" textlog:"user"`
	// Server is the logon server, Domain the account domain, OtherDomains any
	// additional domains reported for the session.
	Server string `json:"server,omitempty" textlog:"server,omitempty"`
	Domain string `json:"domain,omitempty" textlog:"domain,omitempty"`
	OtherDomains string `json:"other_domains,omitempty" textlog:"other_domains,omitempty"`
}
func NewLoggedInUser ¶
func NewLoggedInUser(user string) *LoggedInUser
type LsaSession ¶
// LsaSession is a log object for a Windows LSA logon session.
type LsaSession struct {
	LogObjectHeader
	// LsaSession is the session identifier (LUID), as a string.
	LsaSession string `json:"lsa_session" textlog:"lsa_session"`
	// User is the account name of the session.
	User string `json:"user" textlog:"user"`
	// AuthPackage is the authentication package used (e.g. Kerberos, NTLM).
	AuthPackage string `json:"auth_package" textlog:"auth_package"`
	// Type is the logon type (JSON key "session_type", text-log key "type").
	Type string `json:"session_type" textlog:"type"`
	// LogonTime is when the session was created.
	LogonTime time.Time `json:"logon_time" textlog:"logon_time"`
	// Domain and Server are the account domain and the logon server.
	Domain string `json:"domain" textlog:"domain"`
	Server string `json:"server" textlog:"server"`
}
func NewLsaSession ¶
func NewLsaSession() *LsaSession
type MatchData ¶
func (MatchData) JSONSchemaAlias ¶
func (MatchData) MarshalJSON ¶
func (MatchData) QuotedString ¶
func (*MatchData) UnmarshalJSON ¶
type MatchString ¶
// MatchString is one matched string of a rule: the matched data, optional
// surrounding context, and where it was found.
type MatchString struct {
	// Match is the matched bytes (JSON key "data").
	Match MatchData `json:"data"`
	// Context is the data around the match, if captured.
	Context *MatchData `json:"context,omitempty"`
	// Offset is the match position; Field references the structured field the
	// match was found in. Which of the two is set depends on the scanned object.
	Offset *uint64 `json:"offset,omitempty"`
	Field *jsonlog.Reference `json:"field,omitempty"`
	// HideOffset suppresses the offset in the String rendering; never serialised.
	HideOffset bool `json:"-"`
}
func (MatchString) String ¶
func (f MatchString) String() string
type MatchStrings ¶
// MatchStrings is a list of MatchString values with a combined String rendering.
type MatchStrings []MatchString
func (MatchStrings) String ¶
func (f MatchStrings) String() string
type Message ¶
// Message is a plain log message (as opposed to a Finding): metadata, text and
// free-form fields. NewMessage builds Fields from alternating key/value arguments.
type Message struct {
	jsonlog.ObjectHeader
	// Meta is the common log event metadata, expanded inline in the text log.
	Meta LogEventMetadata `json:"meta" textlog:",expand"`
	// Text is the message (JSON key "message").
	Text string `json:"message" textlog:"message"`
	// Fields are additional key/value pairs; may be null in JSON.
	Fields MessageFields `json:"fields" textlog:",expand" jsonschema:"nullable"`
	// LogVersion is the JSON log format version the message was written in.
	LogVersion common.Version `json:"log_version"`
}
func NewMessage ¶
func NewMessage(meta LogEventMetadata, message string, kvs ...any) *Message
func (*Message) Metadata ¶
func (m *Message) Metadata() *LogEventMetadata
type MessageField ¶
type MessageFields ¶
// MessageFields is the list of extra fields of a Message. It has custom JSON
// (un)marshalling, a schema alias and a text-log rendering, so its wire form
// is not simply a JSON array of MessageField objects.
type MessageFields []MessageField
func (MessageFields) JSONSchemaAlias ¶
func (o MessageFields) JSONSchemaAlias() any
func (MessageFields) MarshalJSON ¶
func (o MessageFields) MarshalJSON() ([]byte, error)
func (MessageFields) MarshalTextLog ¶
func (m MessageFields) MarshalTextLog(t jsonlog.TextlogFormatter) jsonlog.TextlogEntry
func (*MessageFields) UnmarshalJSON ¶
func (o *MessageFields) UnmarshalJSON(data []byte) error
type MftFileEntry ¶
// MftFileEntry is a log object for one NTFS master file table record, including
// records of deleted files.
type MftFileEntry struct {
	jsonlog.ObjectHeader
	// Path is the full reconstructed path; Filename the record's own name.
	Path string `json:"path" textlog:"path"`
	Size int64 `json:"size" textlog:"size"`
	// Dir reports whether the record is a directory.
	Dir bool `json:"dir" textlog:"dir"`
	// Modified, Created, Accessed and Changed are the record's timestamps.
	Modified time.Time `json:"modified" textlog:"modified"`
	Created time.Time `json:"created" textlog:"created"`
	Accessed time.Time `json:"accessed" textlog:"accessed"`
	Changed time.Time `json:"changed" textlog:"changed"`
	Filename string `json:"filename" textlog:"filename"`
	// Deleted marks records of files no longer in use; omitted when false.
	Deleted bool `json:"deleted,omitempty" textlog:"deleted,omitempty"`
	// Flags are the raw record flags, if available.
	Flags *uint64 `json:"flags,omitempty" textlog:"flags,omitempty"`
}
func NewMftFileEntry ¶
func NewMftFileEntry() *MftFileEntry
type MountInfo ¶
// MountInfo describes one mounted filesystem of the host (see HostInfo.MountPoints).
// It is JSON only; the fields carry no textlog tags.
type MountInfo struct {
	// FSType is the filesystem that is mounted, e.g. ext4, ntfs, etc.
	FSType string `json:"fs_type"`
	// Source is the OS description of the source of the mount.
	// This can differ greatly between OSes and filesystems.
	// For example, on Linux, for local partitions, this is the device path.
	Source string `json:"source"`
	// Target is the path where the filesystem is mounted.
	Target string `json:"target"`
	// Class is the class of the mount, e.g. local, network, removable, etc.
	// This determines how the mount is treated by THOR.
	// It is not innately part of the mount information, but is determined by THOR.
	Class string `json:"class"`
}
type MsOfficeConnectionCacheEntry ¶
// MsOfficeConnectionCacheEntry is a log object for one entry of the MS Office
// connection cache in the registry.
type MsOfficeConnectionCacheEntry struct {
	jsonlog.ObjectHeader
	// Entry is the cached connection target.
	Entry string `json:"entry" textlog:"entry"`
	// Modified is the last write time of the registry key.
	Modified time.Time `json:"modified" textlog:"modified"`
	// Key is the registry key the entry was read from.
	Key string `json:"key" textlog:"key"`
}
func NewMsOfficeConnectionCacheEntry ¶
func NewMsOfficeConnectionCacheEntry() *MsOfficeConnectionCacheEntry
type NetworkConnectingThread ¶
// NetworkConnectingThread is a log object for a thread that repeatedly opens
// network connections, together with the observed callback interval — the
// beaconing pattern a periodic C2 client produces.
type NetworkConnectingThread struct {
	jsonlog.ObjectHeader
	// ThreadId is the thread's id; Process the owning process, expanded inline.
	ThreadId uint32 `json:"thread_id" textlog:"thread_id"`
	Process *Process `json:"process" textlog:",expand"`
	// CallbackInterval is the observed interval between connections.
	CallbackInterval time.Duration `json:"callback_interval" textlog:"callback_interval"`
	// Connections are the observed connections, rendered via NetworkConnections.String.
	Connections NetworkConnections `json:"connections" textlog:"connections"`
}
func NewNetworkConnectingThread ¶
func NewNetworkConnectingThread(threadId uint32, process *Process) *NetworkConnectingThread
type NetworkConnection ¶
func (NetworkConnection) String ¶
func (n NetworkConnection) String() string
type NetworkConnections ¶
type NetworkConnections []NetworkConnection
func (NetworkConnections) String ¶
func (n NetworkConnections) String() string
type NetworkSession ¶
// NetworkSession is a log object for one network session (client, user and
// activity counters). Constructed via NewNetworkSession (body not shown here).
type NetworkSession struct {
	// Embedded log object header.
	LogObjectHeader
	// Client is emitted as "client"; presumably the connecting client's address or name — confirm.
	Client string `json:"client" textlog:"client"`
	// Username is emitted as "user_name" in JSON but "username" in the text log.
	Username string `json:"user_name" textlog:"username"`
	// ClientType is emitted as "client_type".
	ClientType string `json:"client_type" textlog:"client_type"`
	// Active is emitted as "active"; presumably how long the session has been active — confirm.
	Active time.Duration `json:"active" textlog:"active"`
	// Idle is emitted as "idle"; presumably how long the session has been idle — confirm.
	Idle time.Duration `json:"idle" textlog:"idle"`
	// NumOpens is emitted as "num_opens".
	NumOpens int `json:"num_opens" textlog:"num_opens"`
}
func NewNetworkSession ¶
func NewNetworkSession() *NetworkSession
type NetworkShare ¶
// NetworkShare is a log object for a network share. The rendered declaration
// shows no exported fields; the constructor NewNetworkShare(name, path string)
// is declared for it (body not shown here), so name and path are presumably
// kept in unexported fields — confirm against the source.
type NetworkShare struct {
}
func NewNetworkShare ¶
func NewNetworkShare(name, path string) *NetworkShare
type PSMacEntry ¶
// PSMacEntry is a log object for one PowerShell Module Analysis Cache entry;
// its constructor is NewModuleAnalysisCacheEntry (body not shown here).
type PSMacEntry struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Path is emitted as "path"; presumably the cached module path — confirm.
	Path string `json:"path" textlog:"path"`
	// Command is emitted as "command"; presumably the cached command name — confirm.
	Command string `json:"command" textlog:"command"`
}
func NewModuleAnalysisCacheEntry ¶
func NewModuleAnalysisCacheEntry() *PSMacEntry
type PeInfo ¶
// PeInfo carries version-resource and signature information of a PE file.
// Most string fields are omitted from the text log when empty; RichHeaderHash
// and CreationTimestamp have no textlog tag and appear only in JSON.
type PeInfo struct {
	// Company from the version resource, if present.
	Company string `json:"company" textlog:"company,omitempty"`
	// FileDescription is emitted as "description".
	FileDescription string `json:"description" textlog:"description,omitempty"`
	// LegalCopyright from the version resource, if present.
	LegalCopyright string `json:"legal_copyright" textlog:"legal_copyright,omitempty"`
	// Product from the version resource, if present.
	Product string `json:"product" textlog:"product,omitempty"`
	// OriginalName from the version resource, if present.
	OriginalName string `json:"original_name" textlog:"original_name,omitempty"`
	// InternalName from the version resource, if present.
	InternalName string `json:"internal_name" textlog:"internal_name,omitempty"`
	// Signed is always emitted. NOTE(review): whether it means "has a signature"
	// or "signature verified" is not visible here — consumers should look at
	// Signatures before treating a file as trusted; confirm the semantics.
	Signed bool `json:"signed" textlog:"signed"`
	// Signatures holds the signature details (SignatureInfo is declared elsewhere in
	// this package); expanded in the text log, nullable in the JSON schema.
	Signatures []SignatureInfo `json:"signatures" textlog:",expand" jsonschema:"nullable"`
	// Imphash is the import hash, omitted from the text log when empty.
	Imphash string `json:"imphash" textlog:"imphash,omitempty"`
	// RichHeaderHash is JSON-only (no textlog tag).
	RichHeaderHash string `json:"rich_header_hash"`
	// CreationTimestamp is JSON-only (no textlog tag); presumably the PE header timestamp — confirm.
	CreationTimestamp time.Time `json:"creation_timestamp"`
}
type PeSieveReport ¶
// PeSieveReport summarises PE-Sieve results for a process as per-category counts.
// It is attached to Process.PeSieveReport when a report exists.
type PeSieveReport struct {
	// SuspiciousSections is emitted as "suspicious_sections".
	SuspiciousSections int `json:"suspicious_sections" textlog:"suspicious_sections"`
	// Replaced is emitted as "replaced".
	Replaced int `json:"replaced" textlog:"replaced"`
	// HdrMod is emitted as "hdr_mod"; presumably modified headers — confirm.
	HdrMod int `json:"hdr_mod" textlog:"hdr_mod"`
	// UnreachableFile is emitted as "unreachable_file".
	UnreachableFile int `json:"unreachable_file" textlog:"unreachable_file"`
	// Patched is emitted as "patched".
	Patched int `json:"patched" textlog:"patched"`
	// IatHooked is emitted as "iat_hooked".
	IatHooked int `json:"iat_hooked" textlog:"iat_hooked"`
	// Implanted is emitted as "implanted".
	Implanted int `json:"implanted" textlog:"implanted"`
	// Other is emitted as "other".
	Other int `json:"other" textlog:"other"`
	// Skipped is emitted as "skipped".
	Skipped int `json:"skipped" textlog:"skipped"`
	// Errors is emitted as "errors".
	Errors int `json:"errors" textlog:"errors"`
}
type PermissionMask ¶
// PermissionMask groups the user/group/world permission triplets of a Unix-style
// mode (see UnixPermissions.Mask). A String method is declared on it (body not shown here).
type PermissionMask struct {
	// User holds the owner's read/write/execute bits.
	User RwxPermissions `json:"user"`
	// Group holds the group's read/write/execute bits.
	Group RwxPermissions `json:"group"`
	// World holds everyone else's read/write/execute bits.
	World RwxPermissions `json:"world"`
}
func (PermissionMask) String ¶
func (p PermissionMask) String() string
type Permissions ¶
type PlatformInfo ¶
type PlatformInfoLinux ¶
// PlatformInfoLinux is the log object describing a Linux host platform.
// Constructed via NewLinuxPlatformInfo (body not shown here).
type PlatformInfoLinux struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Name is emitted as "name"; presumably the distribution name — confirm.
	Name string `json:"name" textlog:"name"`
	// KernelName is emitted as "kernel_name".
	KernelName string `json:"kernel_name" textlog:"kernel_name"`
	// KernelVersion is emitted as "kernel_version".
	KernelVersion string `json:"kernel_version" textlog:"kernel_version"`
	// Proc is emitted as "proc"; presumably the processor description — confirm.
	Proc string `json:"proc" textlog:"proc"`
	// Arch is emitted as "arch".
	Arch string `json:"arch" textlog:"arch"`
}
func NewLinuxPlatformInfo ¶
func NewLinuxPlatformInfo() *PlatformInfoLinux
type PlatformInfoMacos ¶
// PlatformInfoMacos is the log object describing a macOS host platform.
// Constructed via NewMacOSPlatformInfo (body not shown here).
type PlatformInfoMacos struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Name is emitted as "name".
	Name string `json:"name" textlog:"name"`
	// Version is emitted as "version"; presumably the macOS product version — confirm.
	Version string `json:"version" textlog:"version"`
	// KernelName is emitted as "kernel_name".
	KernelName string `json:"kernel_name" textlog:"kernel_name"`
	// KernelVersion is emitted as "kernel_version".
	KernelVersion string `json:"kernel_version" textlog:"kernel_version"`
	// Proc is emitted as "proc"; presumably the processor description — confirm.
	Proc string `json:"proc" textlog:"proc"`
	// Arch is emitted as "arch".
	Arch string `json:"arch" textlog:"arch"`
}
func NewMacOSPlatformInfo ¶
func NewMacOSPlatformInfo() *PlatformInfoMacos
type PlatformInfoWindows ¶
// PlatformInfoWindows is the log object describing a Windows host platform.
// Constructed via NewWindowsPlatformInfo (body not shown here).
type PlatformInfoWindows struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Name is emitted as "name"; presumably the product name — confirm.
	Name string `json:"name" textlog:"name"`
	// Type is emitted as "type"; presumably one of the SystemType values declared
	// in this package (Server/Workstation/Domain Controller) — confirm.
	Type string `json:"type" textlog:"type"`
	// Version is emitted as "version".
	Version string `json:"version" textlog:"version"`
	// Proc is emitted as "proc"; presumably the processor description — confirm.
	Proc string `json:"proc" textlog:"proc"`
	// Arch is emitted as "arch".
	Arch string `json:"arch" textlog:"arch"`
	// InstalledOn is emitted as "installed_on".
	InstalledOn time.Time `json:"installed_on" textlog:"installed_on"`
	// BuildNumber is emitted as "build_number" (kept as a string).
	BuildNumber string `json:"build_number" textlog:"build_number"`
}
func NewWindowsPlatformInfo ¶
func NewWindowsPlatformInfo() *PlatformInfoWindows
type PluginFinding ¶
// PluginFinding is a log object for a finding reported by a plugin.
// Constructed via NewPluginFinding(plugin) (body not shown here).
type PluginFinding struct {
	// Embedded log object header.
	LogObjectHeader
	// Plugin names the reporting plugin; it is JSON-only (textlog tag is "-").
	Plugin string `json:"plugin" textlog:"-"`
	// LogDetails holds the plugin's fields; expanded inline in the text log.
	LogDetails MessageFields `json:"details" textlog:",expand"`
}
func NewPluginFinding ¶
func NewPluginFinding(plugin string) *PluginFinding
type PluginString ¶
// PluginString is a log object carrying a single string produced by a plugin.
// Constructed via NewPluginString(plugin) (body not shown here).
type PluginString struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Plugin names the reporting plugin; it is JSON-only (textlog tag is "-").
	Plugin string `json:"plugin" textlog:"-"`
	// String is the plugin-provided value, emitted as "string".
	String string `json:"string" textlog:"string"`
}
func NewPluginString ¶
func NewPluginString(plugin string) *PluginString
type PluginStructuredData ¶
// PluginStructuredData is a log object carrying key/value data produced by a plugin.
// Constructed via NewPluginStructuredData(plugin) (body not shown here).
type PluginStructuredData struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Plugin names the reporting plugin; it is JSON-only (textlog tag is "-").
	Plugin string `json:"plugin" textlog:"-"`
	// Data is the plugin's key/value list; inlined into the text log entry.
	Data KeyValueList `json:"data" textlog:",inline"`
}
func NewPluginStructuredData ¶
func NewPluginStructuredData(plugin string) *PluginStructuredData
type PrefetchInfo ¶
// PrefetchInfo is the log object for one Windows Prefetch (.pf) file: the executable
// it belongs to, when and how often it ran, and which files it accessed.
// Constructed via NewPrefetchInfo (body not shown here).
type PrefetchInfo struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Executable is the file the prefetch entry refers to; expanded in the text log.
	Executable *File `json:"executable" textlog:"executable,expand"`
	// ExecutionTimes lists the recorded run times; expanded inline in the text log.
	ExecutionTimes ExecutionTimes `json:"execution_times" textlog:",expand"`
	// ExecutionCount is the recorded number of runs.
	ExecutionCount int `json:"execution_count" textlog:"execution_count"`
	// AccessedFiles lists files referenced by the prefetch entry; JSON-only (textlog tag is "-").
	AccessedFiles []string `json:"accessed_files" textlog:"-"`
}
PrefetchInfo contains information about a Windows Prefetch file.
Prefetch files are used by Windows to speed up the startup of applications. They contain information about an executable, such as the path to the executable, the times it was run, the number of times it was run, and the files it accessed.
Prefetch files are located in the C:\Windows\Prefetch directory and have the .pf file extension. They rotate, meaning that older prefetch files are deleted when the number of prefetch files exceeds a certain limit.
func NewPrefetchInfo ¶
func NewPrefetchInfo() *PrefetchInfo
type Process ¶
// Process is the log object for a process. Besides PID and liveness it embeds
// ProcessInfo (only populated for live processes) and optional analysis results.
type Process struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Pid is the process identifier.
	Pid int32 `json:"pid" textlog:"pid"`
	// Dead marks a process that no longer exists; omitted when false.
	Dead bool `json:"dead,omitempty" textlog:"dead,omitempty"`
	// Only filled if dead is false
	ProcessInfo `textlog:",expand,omitempty"`
	// BeaconConfig contains information about a Cobalt Strike Beacon if the process contains one.
	BeaconConfig *BeaconConfig `json:"beacon_config,omitempty" textlog:"beacon,expand,omitempty"`
	// PeSieveReport contains information from PE-Sieve about the process, if any exists.
	PeSieveReport *PeSieveReport `json:"pe_sieve,omitempty" textlog:"pe_sieve,expand,omitempty"`
}
func NewProcess ¶
type ProcessConnection ¶
// ProcessConnection describes one socket of a process: local endpoint, optional
// remote endpoint, state and protocol. Fd and Status are kept out of the text log.
type ProcessConnection struct {
	// Fd is excluded from both JSON and text log output.
	Fd uint32 `json:"-" textlog:"-"`
	// Status is the connection status, e.g. ESTABLISHED, LISTEN, etc.
	// It is JSON-only (textlog tag is "-").
	Status string `json:"status" textlog:"-"`
	// Ip is the local address as a string.
	Ip string `json:"ip" textlog:"ip"`
	// Port is the local port.
	Port uint32 `json:"port" textlog:"port"`
	// RemoteIp is the peer address; omitted when empty, shortened to "rip" in the text log.
	RemoteIp string `json:"remote_ip,omitempty" textlog:"rip,omitempty"`
	// RemotePort is the peer port; omitted when zero, shortened to "rport" in the text log.
	RemotePort uint32 `json:"remote_port,omitempty" textlog:"rport,omitempty"`
	// Protocol is the layer 4 protocol used for the connection, e.g. TCP, UDP, etc.
	Protocol string `json:"protocol,omitempty" textlog:"protocol,omitempty"`
}
type ProcessConnectionObject ¶
// ProcessConnectionObject wraps a ProcessConnection in a log object header so a
// single connection can be logged on its own. Constructed via NewProcessConnection
// (body not shown here).
type ProcessConnectionObject struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// The connection itself; its fields are promoted.
	ProcessConnection
}
func NewProcessConnection ¶
func NewProcessConnection() *ProcessConnectionObject
type ProcessConnections ¶
// ProcessConnections summarises a process's network activity. The full connection
// list goes to JSON only, while the text log carries listen ports and a count.
type ProcessConnections struct {
	// ListenPorts lists listening ports; omitted from the text log when empty.
	ListenPorts ProcessListenPorts `json:"listen_ports" textlog:"listen_ports,omitempty" jsonschema:"nullable"`
	// Connections is JSON-only (textlog tag is "-").
	Connections []ProcessConnection `json:"connections" textlog:"-" jsonschema:"nullable"`
	// ConnectionCount is text-log-only (json tag is "-"); presumably len(Connections) — confirm.
	ConnectionCount int `json:"-" textlog:"connection_count"`
}
type ProcessHandle ¶
// ProcessHandle is the log object for one handle held by a process.
// Constructed via NewProcessHandle (body not shown here).
type ProcessHandle struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Name is the handle's name.
	Name string `json:"name" textlog:"name"`
	// Handle is the handle value; omitted from the text log when zero.
	Handle uint64 `json:"handle" textlog:"handle,omitempty"`
	// Type is the handle type; omitted when empty.
	Type string `json:"type,omitempty" textlog:"type,omitempty"`
}
func NewProcessHandle ¶
func NewProcessHandle() *ProcessHandle
type ProcessInfo ¶
// ProcessInfo holds the details of a live process (name, command line, owner,
// image, parent, tree, session, connections and memory sections). It is embedded
// in Process and only populated when the process is not dead.
type ProcessInfo struct {
	// Name is the process name.
	Name string `json:"name" textlog:"name"`
	// Cmdline is emitted as "command". NOTE(review): command lines may carry
	// secrets passed as arguments; treat logs containing this field accordingly.
	Cmdline string `json:"command" textlog:"command"`
	// User is emitted as "owner".
	User string `json:"owner" textlog:"owner"`
	// Image is the executable file; expanded in the text log.
	Image *File `json:"image" textlog:"image,expand"`
	// ParentInfo describes the parent process; omitted when empty.
	ParentInfo struct {
		// Pid of the parent, emitted as "ppid" in the text log.
		Pid int32 `json:"pid" textlog:"ppid"`
		// Exe of the parent, emitted as "parent" in the text log.
		Exe string `json:"exe" textlog:"parent"`
		// CommandLine of the parent, emitted as "parent_command" in the text log.
		CommandLine string `json:"command" textlog:"parent_command"`
	} `json:"parent_info,omitempty" textlog:",expand,omitempty"`
	// ProcessTree is emitted as "tree"; omitted from the text log when empty.
	ProcessTree StringList `json:"tree" textlog:"tree,omitempty" jsonschema:"nullable"`
	// Created is the process start time.
	Created time.Time `json:"created" textlog:"created"`
	// Session is omitted from the text log when empty.
	Session string `json:"session" textlog:"session,omitempty"`
	// Network activity; expanded inline in the text log.
	ProcessConnections `textlog:",expand"`
	// Sections lists memory sections; JSON-only (textlog tag is "-"), omitted when empty.
	Sections Sections `json:"sections,omitempty" textlog:"-"`
}
type ProcessListenPorts ¶
type ProcessListenPorts []uint32
func (ProcessListenPorts) String ¶
func (p ProcessListenPorts) String() string
type ProfileFolder ¶
// ProfileFolder is the log object for a user profile directory.
// Constructed via NewProfileFolder(user) (body not shown here).
type ProfileFolder struct {
	// Embedded log object header.
	LogObjectHeader
	// User is the profile owner.
	User string `json:"user" textlog:"user"`
	// Modified is omitted from the text log when zero.
	Modified time.Time `json:"modified" textlog:"modified,omitempty"`
	// Created is optional (nil when unknown) and omitted when unset.
	Created *time.Time `json:"created,omitempty" textlog:"created,omitempty"`
}
func NewProfileFolder ¶
func NewProfileFolder(user string) *ProfileFolder
type QuarantineEvent ¶
// QuarantineEvent is the log object for one quarantine event.
// Constructed via NewQuarantineEvent (body not shown here).
type QuarantineEvent struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Id is the event identifier.
	Id string `json:"id" textlog:"id"`
	// Timestamp is the event time.
	Timestamp time.Time `json:"timestamp" textlog:"timestamp"`
	// Name is emitted as "name".
	Name string `json:"name" textlog:"name"`
	// Type is emitted as "event_type" in JSON but "type" in the text log.
	Type string `json:"event_type" textlog:"type"`
	// Url is omitted from the text log when empty.
	Url string `json:"url" textlog:"url,omitempty"`
}
func NewQuarantineEvent ¶
func NewQuarantineEvent() *QuarantineEvent
type RawFirewallRule ¶
// RawFirewallRule is the log object for a firewall rule kept in its raw textual form.
// Constructed via NewRawFirewallRule(rule) (body not shown here).
type RawFirewallRule struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Rule is the unparsed rule text.
	Rule string `json:"rule" textlog:"rule"`
}
func NewRawFirewallRule ¶
func NewRawFirewallRule(rule string) *RawFirewallRule
type Reason ¶
// Reason explains why something was reported: a summary, the matching Signature
// (inlined into the text log) and the strings that matched. A custom UnmarshalJSON
// is declared on *Reason (body not shown here).
type Reason struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Summary is emitted as "summary" in JSON but "reason" in the text log.
	Summary string `json:"summary" textlog:"reason"`
	// The signature that triggered; nested under "signature" in JSON, inlined in the text log.
	Signature `json:"signature" textlog:",inline"`
	// StringMatches is emitted as "matched"; nullable in the JSON schema.
	StringMatches MatchStrings `json:"matched" textlog:"matched" jsonschema:"nullable"`
}
func (*Reason) UnmarshalJSON ¶
type RecycleBinIndexFile ¶
type RegisteredDebugger ¶
// RegisteredDebugger is the log object for a debugger registered for an executable
// (the constructor is NewRegisteredDebugger(target, debugger); body not shown here).
type RegisteredDebugger struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Executable is emitted as "executable" in JSON but "file" in the text log.
	Executable string `json:"executable" textlog:"file"`
	// Debugger is emitted as "debugger" in JSON but "element" in the text log.
	Debugger string `json:"debugger" textlog:"element"`
}
func NewRegisteredDebugger ¶
func NewRegisteredDebugger(target string, debugger string) *RegisteredDebugger
type RegistryKey ¶
// RegistryKey is the log object for a registry key and its formatted values.
// Constructed via NewRegistryKey (body not shown here).
type RegistryKey struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Key is the key path.
	Key string `json:"key" textlog:"key"`
	// Modified is the key's last-write time.
	Modified time.Time `json:"modified" textlog:"modified"`
	// FormattedValues is emitted as "values"; the "omitincontext" textlog option is
	// package-specific — presumably drops the field when logged as context — confirm.
	FormattedValues string `json:"values" textlog:"values,omitincontext"`
}
func NewRegistryKey ¶
func NewRegistryKey() *RegistryKey
type RegistryScheduledTask ¶
// RegistryScheduledTask is the log object for a scheduled task as recorded in the
// registry (task cache). Constructed via NewRegistryScheduledTask (body not shown here).
type RegistryScheduledTask struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Guid is the task's GUID string.
	Guid string `json:"guid" textlog:"guid"`
	// Path is the task path.
	Path string `json:"path" textlog:"path"`
	// Version is emitted as "version".
	Version int `json:"version" textlog:"version"`
	// Created is emitted as "created".
	Created time.Time `json:"created" textlog:"created"`
	// LastRun is emitted as "last_run".
	LastRun time.Time `json:"last_run" textlog:"last_run"`
	// LastStopped is emitted as "last_stopped".
	LastStopped time.Time `json:"last_stopped" textlog:"last_stopped"`
	// Status is emitted as "status".
	Status string `json:"status" textlog:"status"`
	// LastResult is emitted as "last_result" (kept as a string).
	LastResult string `json:"last_result" textlog:"last_result"`
}
func NewRegistryScheduledTask ¶
func NewRegistryScheduledTask() *RegistryScheduledTask
type RegistryValue ¶
// RegistryValue is the log object for a single registry value.
// Constructed via NewRegistryValue (body not shown here).
type RegistryValue struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Key is the key path.
	Key string `json:"key" textlog:"key"`
	// Modified is the key's last-write time.
	Modified time.Time `json:"modified" textlog:"modified"`
	// ParsedValue is emitted as "value"; "omitincontext" is a package-specific textlog option.
	ParsedValue string `json:"value" textlog:"value,omitincontext"`
	// Size is the value size; presumably in bytes — confirm.
	Size uint64 `json:"size" textlog:"size"`
}
func NewRegistryValue ¶
func NewRegistryValue() *RegistryValue
type ReportableObject ¶
type RwxPermissions ¶
// RwxPermissions is one read/write/execute triplet (see PermissionMask and
// Section.Permissions). A String method is declared on it (body not shown here).
type RwxPermissions struct {
	// Readable is the read bit.
	Readable bool `json:"readable"`
	// Writable is the write bit.
	Writable bool `json:"writable"`
	// Executable is the execute bit.
	Executable bool `json:"executable"`
}
func (RwxPermissions) String ¶
func (r RwxPermissions) String() string
type SRUMResourceUsageEntry ¶
// SRUMResourceUsageEntry is one row of the SRUM "Application Resource Usage" table,
// enriched with AppInfo, UserSID and UserName from SruDbIdMapTable.
// Constructed via NewSRUMResourceUsageEntry (body not shown here).
type SRUMResourceUsageEntry struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// TimeStamp is when the resource usage measurement was recorded by SRUM.
	// This represents the end time of the measurement period (typically hourly).
	TimeStamp time.Time `json:"timestamp" textlog:"timestamp"`
	// AppInfo contains the application path or executable name extracted from the
	// SruDbIdMapTable.IdBlob field. This identifies which application the resource
	// usage data belongs to (e.g., "C:\Windows\System32\notepad.exe").
	AppInfo string `json:"app_info" textlog:"app_info"`
	// UserSID is the Windows Security Identifier string parsed from the binary SID
	// stored in SruDbIdMapTable.IdBlob. This identifies which user account was
	// running the application (e.g., "S-1-5-21-...").
	UserSID string `json:"user_sid" textlog:"user_sid"`
	// UserName is the human-readable username resolved from the UserSID.
	// May be empty if the SID cannot be resolved to a username.
	UserName string `json:"user_name,omitempty" textlog:"user_name,omitempty"`
	// FaceTime is the total duration that the application was visible
	// to the user (in the foreground) during the measurement period. This indicates
	// actual user interaction time with the application.
	FaceTime time.Duration `json:"face_time" textlog:"face_time"`
	// ForegroundBytesRead is the total number of bytes read from disk/storage
	// while the application was in the foreground during the measurement period.
	ForegroundBytesRead uint64 `json:"foreground_bytes_read" textlog:"foreground_bytes_read"`
	// ForegroundBytesWritten is the total number of bytes written to disk/storage
	// while the application was in the foreground during the measurement period.
	ForegroundBytesWritten uint64 `json:"foreground_bytes_written" textlog:"foreground_bytes_written"`
	// ForegroundNumReadOperations is the count of discrete read I/O operations
	// performed while the application was in the foreground. This differs from
	// bytes read as it counts individual operations regardless of size.
	ForegroundNumReadOperations uint64 `json:"foreground_num_read_operations" textlog:"foreground_num_read_operations"`
	// ForegroundNumWriteOperations is the count of discrete write I/O operations
	// performed while the application was in the foreground. This differs from
	// bytes written as it counts individual operations regardless of size.
	ForegroundNumWriteOperations uint64 `json:"foreground_num_write_operations" textlog:"foreground_num_write_operations"`
	// BackgroundBytesRead is the total number of bytes read from disk/storage
	// while the application was running in the background during the measurement period.
	BackgroundBytesRead uint64 `json:"background_bytes_read" textlog:"background_bytes_read"`
	// BackgroundBytesWritten is the total number of bytes written to disk/storage
	// while the application was running in the background during the measurement period.
	BackgroundBytesWritten uint64 `json:"background_bytes_written" textlog:"background_bytes_written"`
	// BackgroundNumReadOperations is the count of discrete read I/O operations
	// performed while the application was running in the background. This differs
	// from bytes read as it counts individual operations regardless of size.
	BackgroundNumReadOperations uint64 `json:"background_num_read_operations" textlog:"background_num_read_operations"`
	// BackgroundNumWriteOperations is the count of discrete write I/O operations
	// performed while the application was running in the background. This differs
	// from bytes written as it counts individual operations regardless of size.
	BackgroundNumWriteOperations uint64 `json:"background_num_write_operations" textlog:"background_num_write_operations"`
}
SRUMResourceUsageEntry holds information about a single entry of a System Resource Usage Monitor (SRUM) database. These databases are written by the SRUM service which collects and aggregates system resource usage data such as network activity, energy consumption, and application usage.
Reference: https://www.forensafe.com/blogs/srudb.html
A SRUMResourceUsageEntry represents a single entry in the "Application Resource Usage" table ({D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}) enriched with AppInfo, UserSID and UserName from the "SruDbIdMapTable" table. Each entry represents a snapshot of resource usage for a specific application and user combination at a given time.
Columns in {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} (19), listed as Id, Name, Type:
2 TimeStamp DateTime
7 FaceTime Long long
10 ForegroundBytesRead Long long
11 ForegroundBytesWritten Long long
12 ForegroundNumReadOperations Long long
13 ForegroundNumWriteOperations Long long
15 BackgroundBytesRead Long long
16 BackgroundBytesWritten Long long
17 BackgroundNumReadOperations Long long
18 BackgroundNumWriteOperations Long long
Columns in SruDbIdMapTable (3), listed as Id, Name, Type:
1 IdType Signed byte
2 IdIndex Signed long
256 IdBlob Long Binary
func NewSRUMResourceUsageEntry ¶
func NewSRUMResourceUsageEntry() *SRUMResourceUsageEntry
type ScanInfo ¶
// ScanInfo is the log object describing a scan run: versions, invocation,
// identity, enabled modules/features, license and filters.
// Constructed via NewScanInfo (body not shown here).
type ScanInfo struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Versions of the scanner components; expanded inline in the text log.
	Versions VersionInfo `json:"versions" textlog:",expand"`
	// Arguments is the scan command line. NOTE(review): it is logged verbatim, so any
	// secret passed as a flag value would end up in the output — confirm callers redact.
	Arguments SpaceSeparatedList `json:"arguments" textlog:"arguments"`
	// ScanID identifies this scan run.
	ScanID string `json:"scan_id" textlog:"scan_id"`
	// ThorDir is the scanner's installation directory.
	ThorDir string `json:"thor_dir" textlog:"thor_dir"`
	// User is the account the scan ran as.
	User bool `json:"user" textlog:"user"`
	// Elevated reports whether the scan ran with elevated privileges.
	Elevated bool `json:"elevated" textlog:"elevated"`
	// Outputs lists configured outputs; JSON-only (no textlog tag).
	Outputs []ScannerOutput `json:"outputs"`
	// ActiveModules is JSON-only (no textlog tag).
	ActiveModules []string `json:"active_modules"`
	// ActiveFeatures is JSON-only (no textlog tag).
	ActiveFeatures []string `json:"active_features"`
	// License details; expanded in the text log.
	License LicenseInfo `json:"license" textlog:"license,expand"`
	// FpFilters lists false-positive filters; JSON-only (no textlog tag).
	FpFilters []string `json:"fp_filters"`
}
func NewScanInfo ¶
func NewScanInfo() *ScanInfo
type ScannerOutput ¶
type ScheduledTask ¶
// ScheduledTask is the log object for a scheduled task (name, path, command,
// enabled state and run times). Constructed via NewScheduledTask (body not shown here).
type ScheduledTask struct {
	// Embedded log object header.
	LogObjectHeader
	// Name is the task name.
	Name string `json:"name" textlog:"name"`
	// Path is the task path.
	Path string `json:"path" textlog:"path"`
	// Command is the task's command line.
	Command string `json:"command" textlog:"command"`
	// Enabled reports whether the task is enabled.
	Enabled bool `json:"enabled" textlog:"enabled"`
	// LastRun uses "omitzero" in JSON (a zero time is dropped) and "lastrun,omitempty" in the text log.
	LastRun time.Time `json:"last_run,omitzero" textlog:"lastrun,omitempty"`
	// NextRun uses "omitzero" in JSON (a zero time is dropped) and "nextrun,omitempty" in the text log.
	NextRun time.Time `json:"next_run,omitzero" textlog:"nextrun,omitempty"`
}
func NewScheduledTask ¶
func NewScheduledTask() *ScheduledTask
type SdbEntry ¶
// SdbEntry is the log object for one entry of a shim database (SDB), kept as a
// key/value list. Constructed via NewSdbEntry (body not shown here).
type SdbEntry struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Entry holds the parsed attributes of the SDB entry.
	Entry KeyValueList `json:"entry" textlog:"entry"`
}
func NewSdbEntry ¶
func NewSdbEntry() *SdbEntry
type SdnQueryEntry ¶
// SdnQueryEntry is the log object for a Microsoft Protection Log event that records a
// query to the Smart Data Network for a file. Constructed via NewSdnQueryEntry (body not shown here).
type SdnQueryEntry struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Time is the event time.
	Time time.Time `json:"time" textlog:"time"`
	// Filepath is emitted as "file".
	Filepath string `json:"file" textlog:"file"`
	// Sha1 is the queried file's SHA-1 as recorded in the log.
	Sha1 string `json:"sha1" textlog:"sha1"`
	// Sha256 is the queried file's SHA-256 as recorded in the log.
	Sha256 string `json:"sha256" textlog:"sha256"`
}
SdnQueryEntry represents an event in the Microsoft Protection Log that lists a query to the Smart Data Network.
func NewSdnQueryEntry ¶
type Section ¶
// Section describes a memory range in a process's virtual memory (an executable
// section such as .text/.data, a stack, a heap, or similar; on Linux, one line of
// /proc/<pid>/maps). Only Size carries a textlog tag; the rest is JSON-only.
type Section struct {
	// Name of the section. For sections from loaded libraries, this is the library's file path.
	// For other memory ranges, this is OS specific and may be empty.
	Name string `json:"name"`
	// Address is the start address of the section in the process's virtual memory.
	Address uint64 `json:"address"`
	// Size is the size of the section in bytes.
	Size uint64 `json:"size" textlog:"size"`
	// Offset is the offset within the mapped file or library, if this section
	// corresponds to a file section. If this section does not correspond to a file,
	// this is empty.
	Offset uint64 `json:"offset,omitempty"`
	// SparseData contains a sparse representation of the section's data.
	// Only the interesting parts of the section are included, typically those that have been matched.
	// NOTE(review): this is raw process memory copied into the log; it can include
	// secrets held by the process, so logs carrying it should be handled as sensitive.
	SparseData *SparseData `json:"sparse_data,omitempty"`
	// Permissions of the section.
	Permissions RwxPermissions `json:"permissions"`
}
Section describes a memory range in a process's virtual memory. This typically corresponds to a section in an executable file or library, such as .text, .data, etc., or a stack, heap, or similar. In Linux terms: it corresponds to a line in /proc/<pid>/maps.
type ShellbagEntry ¶
// ShellbagEntry is the log object for one shellbag (Explorer folder view) entry.
// Constructed via NewShellbagEntry (body not shown here).
type ShellbagEntry struct {
	// Embedded log object header.
	LogObjectHeader
	// Path is the folder path recorded in the shellbag.
	Path string `json:"path" textlog:"path"`
	// Name is emitted as "name".
	Name string `json:"name" textlog:"name"`
	// DateAccess is emitted as "date_access".
	DateAccess time.Time `json:"date_access" textlog:"date_access"`
}
func NewShellbagEntry ¶
func NewShellbagEntry() *ShellbagEntry
type ShimCache ¶
// ShimCache is the log object summarising a shim cache (AppCompatCache): the current
// entry count and, when known, the previous one. Constructed via NewShimCache (body not shown here).
type ShimCache struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Entries is the number of entries currently in the cache.
	Entries int `json:"entries" textlog:"entries"`
	// LastKnownEntries is emitted as "previous_entries" in the text log and omitted there when zero.
	LastKnownEntries int `json:"last_known_entries" textlog:"previous_entries,omitempty"`
}
func NewShimCache ¶
func NewShimCache() *ShimCache
type ShimCacheEntry ¶
// ShimCacheEntry is the log object for one shim cache (AppCompatCache) entry.
// Constructed via NewShimCacheEntry (body not shown here).
type ShimCacheEntry struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Timestamp is the entry's timestamp.
	Timestamp time.Time `json:"timestamp" textlog:"timestamp"`
	// ExecFlag is a pointer so "unknown" (nil) is distinguishable from false; it is
	// always present in JSON but omitted from the text log when unset.
	ExecFlag *bool `json:"exec_flag" textlog:"exec_flag,omitempty"`
	// Path is the cached executable path.
	Path string `json:"path" textlog:"path"`
}
func NewShimCacheEntry ¶
func NewShimCacheEntry() *ShimCacheEntry
type Sigclass ¶
// Sigclass names the kind of signature that produced a match (see Signature.Class).
// Its string value is what appears in the "kind"/"sigclass" output fields.
type Sigclass string

// Known signature classes.
const (
	ClassFilenameIOC       Sigclass = "Filename IOC"
	ClassNamedPipeIOC      Sigclass = "Named Pipe IOC"
	ClassYaraRule          Sigclass = "YARA Rule"
	ClassSigmaRule         Sigclass = "Sigma Rule"
	ClassStixIOC           Sigclass = "STIX IOC"
	ClassInternalHeuristic Sigclass = "Internal Heuristic"
	ClassHashIOC           Sigclass = "Hash IOC"
	ClassKeywordIOC        Sigclass = "Keyword IOC"
	// NOTE(review): the identifier says C2 but the serialized value is "Domain IOC";
	// consumers matching on the string must use "Domain IOC".
	ClassC2IOC     Sigclass = "Domain IOC"
	ClassHandleIOC Sigclass = "Handle IOC"
)
type Signature ¶
// Signature describes the rule or IOC behind a match: score, references, origin
// type and class, rule metadata and known false positives. Several JSON and text
// log names differ (e.g. "score" vs "subscore", "origin" vs "sigtype", "kind" vs "sigclass").
type Signature struct {
	// Score is emitted as "score" in JSON and "subscore" in the text log.
	Score int64 `json:"score" textlog:"subscore"`
	// Ref lists references; nullable in the JSON schema.
	Ref StringList `json:"ref" textlog:"ref" jsonschema:"nullable"`
	// Type is emitted as "origin" in JSON and "sigtype" in the text log (Sigtype has custom JSON marshalling).
	Type Sigtype `json:"origin" textlog:"sigtype"`
	// Class is emitted as "kind" in JSON and "sigclass" in the text log.
	Class Sigclass `json:"kind" textlog:"sigclass"`
	// Date is the rule date as a string; emitted as "ruledate" in the text log, omitted when empty.
	Date string `json:"date,omitempty" textlog:"ruledate,omitempty"`
	// Tags is omitted when empty; nullable in the JSON schema.
	Tags StringList `json:"tags,omitempty" textlog:"tags,omitempty" jsonschema:"nullable"`
	// Rulename is emitted as "rule_name"/"rulename", omitted when empty.
	Rulename string `json:"rule_name,omitempty" textlog:"rulename,omitempty"`
	// LongDescription is emitted as "description", omitted when empty.
	LongDescription string `json:"description,omitempty" textlog:"description,omitempty"`
	// Author is omitted when empty.
	Author string `json:"author,omitempty" textlog:"author,omitempty"`
	// RuleId is emitted as "id"; omitted from JSON when empty but always written to the text log.
	RuleId string `json:"id,omitempty" textlog:"id"`
	// FalsePositives is emitted as "false_positives"/"falsepositives", omitted when empty.
	FalsePositives StringList `json:"false_positives,omitempty" textlog:"falsepositives,omitempty" jsonschema:"nullable"`
}
type SignatureInfo ¶
type Sigtype ¶
type Sigtype int
func (Sigtype) JSONSchemaAlias ¶
func (Sigtype) MarshalJSON ¶
func (*Sigtype) UnmarshalJSON ¶
type SpaceSeparatedList ¶
type SpaceSeparatedList []string
func (SpaceSeparatedList) String ¶
func (s SpaceSeparatedList) String() string
type SparseData ¶
// SparseData is a log object holding selected parts of a larger data block (for
// example a file's content or a memory section), not the whole block.
// Constructed via NewSparseData; a String method is declared on it (bodies not shown here).
type SparseData struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Elements is a list of sparse data elements that contain the actual data.
	// Each element has an offset within the block and the data that is present at that offset.
	// Elements are ordered by their offset, and are guaranteed to be non-overlapping.
	Elements []SparseDataElement `json:"elements" jsonschema:"nullable"`
	// Length is the length of the block where the sparse elements reside in.
	// In other words, all Elements are within an address range of [0, Length).
	Length int64 `json:"length"`
}
SparseData is a log object that represents a sparse data structure: a selection of data from a large data block (e.g. a file's content) that is not fully contained in the log.
Not all parts of the full data structure are necessarily contained in the sparse data; which parts are included typically depends on how much of the data is relevant for the analysis.
func NewSparseData ¶
func NewSparseData() *SparseData
func (SparseData) String ¶
func (s SparseData) String() string
type SparseDataElement ¶
// SparseDataElement is one contiguous piece of a SparseData block.
type SparseDataElement struct {
	// Offset of this piece within the block (see SparseData.Length).
	Offset uint64 `json:"offset"`
	// Data is the bytes at Offset; InvalidUnicodeString is a package type, presumably
	// chosen so non-UTF-8 bytes survive JSON encoding — confirm.
	Data InvalidUnicodeString `json:"data"`
}
type StringList ¶
type StringList []string
func (StringList) RelativeJsonPointer ¶
func (s StringList) RelativeJsonPointer(pointee any) jsonpointer.Pointer
func (StringList) RelativeTextPointer ¶
func (s StringList) RelativeTextPointer(pointee any) (string, bool)
func (StringList) String ¶
func (s StringList) String() string
type SystemType ¶
// SystemType classifies a Windows system role; its string value is what is serialized.
type SystemType string

// Known system types.
const (
	SystemTypeServer           SystemType = "Server"
	SystemTypeWorkstation      SystemType = "Workstation"
	SystemTypeDomainController SystemType = "Domain Controller"
)
type SystemdService ¶
// SystemdService is the log object for a systemd service unit: its command, the
// user/group it runs as, the unit file and the executable image.
// Constructed via NewSystemdService (body not shown here).
type SystemdService struct {
	// Embedded log object header.
	LogObjectHeader
	// Command is the service's command line.
	Command string `json:"command" textlog:"command"`
	// RunAsUser is the configured user.
	RunAsUser string `json:"run_as_user" textlog:"run_as_user"`
	// RunAsGroup is the configured group.
	RunAsGroup string `json:"run_as_group" textlog:"run_as_group"`
	// Unit is the unit file; expanded in the text log.
	Unit *File `json:"unit" textlog:"unit,expand"`
	// Image is the executable file; expanded in the text log.
	Image *File `json:"image" textlog:"image,expand"`
}
func NewSystemdService ¶
func NewSystemdService() *SystemdService
type TeamViewerPassword ¶
// TeamViewerPassword is the log object for a TeamViewer password found during a scan.
// Constructed via NewTeamViewerPassword (body not shown here).
//
// NOTE(review): Password is serialized in clear text to both the JSON output
// ("password") and the text log; the resulting log files are therefore credential
// material and need the same access controls and retention handling as the secret itself.
// Consider whether a redacted or hashed form is sufficient for the use case.
type TeamViewerPassword struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Password is the recovered password, written verbatim to both outputs.
	Password string `json:"password" textlog:"password"`
	// Name is emitted as "name"; presumably the associated entry/account name — confirm.
	Name string `json:"name" textlog:"name"`
}
func NewTeamViewerPassword ¶
func NewTeamViewerPassword() *TeamViewerPassword
type Thread ¶
// Thread is the log object for a thread and its stack. Fields carry only json tags.
type Thread struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// ThreadId is emitted as "id".
	ThreadId uint32 `json:"id"`
	// Stack is the captured stack as a list of strings; nullable in the JSON schema.
	Stack StringList `json:"stack" jsonschema:"nullable"`
}
type TomcatUser ¶
// TomcatUser is the log object for a user found in a Tomcat users configuration.
// Constructed via NewTomcatUser(user) (body not shown here).
type TomcatUser struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// User is the user name.
	User string `json:"user" textlog:"user"`
}
func NewTomcatUser ¶
func NewTomcatUser(user string) *TomcatUser
type UALEntry ¶
// UALEntry is one row of the User Access Log (UAL) CLIENTS table, optionally enriched
// with ProductName/RoleName from the ROLE_IDS table of SystemIdentity.mdb.
// Constructed via NewUALEntry (body not shown here).
type UALEntry struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// AuthenticatedUserName is the user name on the client that accompanies the UAL
	// entries from installed roles and products, if applicable.
	AuthenticatedUserName string `json:"authenticated_user_name" textlog:"authenticated_user_name"`
	// Address is the IP address of a client device that is used to access a role or
	// service.
	Address string `json:"address" textlog:"address"`
	// TotalAccesses is the number of times a particular user accessed a role or service.
	TotalAccesses uint32 `json:"total_accesses" textlog:"total_accesses"`
	// RoleGuid is the UAL assigned or registered GUID that represents the server role or
	// installed product.
	RoleGuid uuid.UUID `json:"role_guid" textlog:"role_guid"`
	// RoleName is the name of the role, component, or subproduct that is providing UAL
	// data.
	RoleName string `json:"role_name,omitempty" textlog:"role_name,omitempty"`
	// ProductName is the name of the software parent product, such as Windows, that is
	// providing UAL data. The value can be a GUID or a human-readable string.
	ProductName string `json:"product_name,omitempty" textlog:"product_name,omitempty"`
	// TenantId is a unique GUID for a tenant client of an installed role or product that
	// accompanies the UAL data, if applicable.
	TenantId uuid.UUID `json:"tenant_id" textlog:"tenant_id"`
	// InsertDate is the date and time when an IP address was first used to access a role
	// or service.
	InsertDate time.Time `json:"insert_date" textlog:"insert_date"`
	// LastAccess is the date and time when an IP address was last used to access a role
	// or service.
	LastAccess time.Time `json:"last_access" textlog:"last_access"`
	// ClientName. Usually unset.
	ClientName string `json:"client_name,omitempty" textlog:"client_name,omitempty"`
	// AccessesByDay is a map of the number of accesses per day of the year.
	// JSON-only (textlog tag is "-"); keys correspond to the Day1..DayN columns.
	AccessesByDay map[int]uint16 `json:"accesses_by_day" textlog:"-"`
}
UALEntry holds information about a single entry of a User Access Log (UAL) database. These databases are written by the User Access Logging service which aggregates client usage data by roles and products.
A UALEntry represents a single entry in the CLIENTS table, possibly enriched with role details in the ROLE_IDS table of an accompanying SystemIdentity.mdb file.
from Current.mdb or <GUID>.mdb:
Table: 6 CLIENTS (10)
Number of columns: 374
Column Identifier Name Type
1 1 RoleGuid GUID
2 2 TenantId GUID
3 3 TotalAccesses Integer 32-bit unsigned
4 4 InsertDate Date and time
5 5 LastAccess Date and time
6 128 Address Binary data
7 256 AuthenticatedUserName Large text
8 257 ClientName Large text
9 258 Day1 Integer 16-bit unsigned
10 259 Day2 Integer 16-bit unsigned
11 260 Day3 Integer 16-bit unsigned
...
from SystemIdentity.mdb:
Table: 7 ROLE_IDS (12)
Number of columns: 3
Column Identifier Name Type
1 1 RoleGuid GUID
2 256 ProductName Large text
3 257 RoleName Large text
func NewUALEntry ¶
func NewUALEntry() *UALEntry
type UnixPermissions ¶
// UnixPermissions is the log object for Unix ownership and mode bits of a file.
// Constructed via NewUnixPermissions; a String method is declared on it (bodies not shown here).
type UnixPermissions struct {
	// Embedded log object header.
	LogObjectHeader
	// Owner is emitted as "owner".
	Owner string `json:"owner" textlog:"owner"` // FIXME: Could explicitly include name / UID
	// Group is emitted as "group".
	Group string `json:"group" textlog:"group"` // FIXME: Could explicitly include name / GID
	// Mask holds the user/group/world rwx triplets, emitted as "permissions".
	Mask PermissionMask `json:"permissions" textlog:"permissions"`
}
func NewUnixPermissions ¶
func NewUnixPermissions() *UnixPermissions
func (UnixPermissions) String ¶
func (p UnixPermissions) String() string
type UnixUser ¶
// UnixUser is the log object for a local Unix account (passwd-style attributes plus
// crontab and access files). Constructed via NewUnixUser (body not shown here).
type UnixUser struct {
	// Embedded log object header.
	LogObjectHeader
	// Name is the account name.
	Name string `json:"name" textlog:"name"`
	// Uid is kept as a string; emitted as "userid" in the text log.
	Uid string `json:"uid" textlog:"userid"`
	// Gid is kept as a string; emitted as "groupid" in the text log.
	Gid string `json:"gid" textlog:"groupid"`
	// FullName is the GECOS-style full name.
	FullName string `json:"full_name" textlog:"full_name"`
	// Home is the home directory.
	Home string `json:"home" textlog:"home"`
	// Shell is the login shell.
	Shell string `json:"shell" textlog:"shell"`
	// Crontab is the user's crontab content; JSON-only (textlog tag is "-").
	Crontab string `json:"crontab" textlog:"-"`
	// AccessFiles is JSON-only (textlog tag is "-"); nullable in the JSON schema.
	AccessFiles []string `json:"access_files" textlog:"-" jsonschema:"nullable"`
}
func NewUnixUser ¶
type UnknownObject ¶
// UnknownObject is a log object whose type is not known to the parser. It has no
// struct tags; its serialization is handled by the custom MarshalTextLog and
// UnmarshalJSON methods declared on it (bodies not shown here).
type UnknownObject struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// Data holds the decoded fields of the unrecognised object as a generic map.
	Data map[string]any
}
UnknownObject is a log object that is not known to the parser.
func (UnknownObject) MarshalTextLog ¶
func (u UnknownObject) MarshalTextLog(f jsonlog.TextlogFormatter) (jsonlog.TextlogEntry, error)
func (*UnknownObject) UnmarshalJSON ¶
func (u *UnknownObject) UnmarshalJSON(data []byte) error
type UsnEntry ¶
// UsnEntry is the log object for one NTFS USN journal record.
// Constructed via NewUsnEntry (body not shown here).
type UsnEntry struct {
	// Embedded log object header.
	LogObjectHeader
	// EventTime is the record timestamp.
	EventTime time.Time `json:"event_time" textlog:"event_time"`
	// Filename is the affected file name.
	Filename string `json:"filename" textlog:"filename"`
	// Reasons lists the USN reason flags; emitted as "reasons" in JSON but "reason" in the text log.
	Reasons StringList `json:"reasons" textlog:"reason"`
}
func NewUsnEntry ¶
func NewUsnEntry() *UsnEntry
type VersionInfo ¶
type VirusTotalHistory ¶
// VirusTotalHistory holds historical VirusTotal metadata for a sample
// (attached via VirusTotalInformation.History).
type VirusTotalHistory struct {
	// Names are known file names; omitted from JSON when empty, nullable in the schema.
	Names StringList `json:"names,omitempty" textlog:"names" jsonschema:"nullable"`
	// Tags are VirusTotal tags; omitted from JSON when empty, nullable in the schema.
	Tags StringList `json:"tags,omitempty" textlog:"tags" jsonschema:"nullable"`
	// Submissions is the submission count; omitted from JSON when zero.
	Submissions int64 `json:"submissions,omitempty" textlog:"submissions"`
	// FirstSubmission is nil when unknown and omitted when unset.
	FirstSubmission *time.Time `json:"first_submission,omitempty" textlog:"first_submission,omitempty"`
	// LastSubmission is nil when unknown and omitted when unset.
	LastSubmission *time.Time `json:"last_submission,omitempty" textlog:"last_submission,omitempty"`
}
type VirusTotalInformation ¶
// VirusTotalInformation is the result of a VirusTotal lookup: outcome, verdict
// counts and optional history.
type VirusTotalInformation struct {
	// LookupResult is emitted as "result".
	LookupResult string `json:"result" textlog:"result"`
	// PositiveVerdicts is emitted as "positive_verdicts" in JSON but "verdicts" in the text log.
	PositiveVerdicts int64 `json:"positive_verdicts" textlog:"verdicts"`
	// TotalVerdicts is JSON-only (no textlog tag).
	TotalVerdicts int64 `json:"total_verdicts"`
	// History is optional; expanded in the text log, omitted when nil.
	History *VirusTotalHistory `json:"history,omitempty" textlog:",omitempty,expand"`
}
type WebDownload ¶
// WebDownload is the log object for a web download (not necessarily complete or
// successful). Constructed via NewWebDownload (body not shown here).
type WebDownload struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// URL is the URL of the downloaded file.
	URL string `json:"url" textlog:"url"`
	// Time is the time when the download was started.
	Time time.Time `json:"time" textlog:"time"`
	// File contains the information about the downloaded file.
	File *File `json:"file" textlog:"file,expand"`
}
WebDownload is a log object that represents a web download.
The download is not guaranteed to be complete or successful.
func NewWebDownload ¶
func NewWebDownload() *WebDownload
type WebPageVisit ¶
// WebPageVisit is the log object for a web page visit, which may have been triggered
// indirectly (e.g. a loaded JavaScript file). Constructed via NewWebVisit (body not shown here).
type WebPageVisit struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// URL is the visited URL.
	URL string `json:"url" textlog:"url"`
	// Time is the visit time.
	Time time.Time `json:"time" textlog:"time"`
	// Title is the title of the visited page.
	Title string `json:"title" textlog:"title"`
}
WebPageVisit is a log object that represents a web page visit.
The visit may also have been triggered indirectly (e.g. a JavaScript file that was loaded).
func NewWebVisit ¶
func NewWebVisit() *WebPageVisit
type WerCrashReport ¶
// WerCrashReport holds the parsed fields of a Windows Error Reporting crash report.
type WerCrashReport struct {
	// Type is excluded from both JSON and text log output (internal use only).
	Type string `json:"-" textlog:"-"`
	// Exe is the crashed executable name.
	Exe string `json:"exe" textlog:"exe"`
	// Date is the report date.
	Date time.Time `json:"date" textlog:"date"`
	// AppPath is emitted as "app_path" in JSON but "apppath" in the text log.
	AppPath string `json:"app_path" textlog:"apppath"`
	// Error is the reported error.
	Error string `json:"error" textlog:"error"`
	// FaultModule is emitted as "fault_in_module".
	FaultModule string `json:"fault_in_module" textlog:"fault_in_module"`
}
type WindowsEvent ¶
// WindowsEvent is the log object for a Windows event kept as a single string.
// Constructed via NewWindowsEvent(event) (body not shown here).
type WindowsEvent struct {
	// Embedded log object header.
	LogObjectHeader
	// Event is the event text.
	Event string `json:"event" textlog:"event"`
}
func NewWindowsEvent ¶
func NewWindowsEvent(event string) *WindowsEvent
type WindowsEventlogEntry ¶
// WindowsEventlogEntry is the log object for one Windows event log record. The
// Event* summary fields are text-log-only (json tag "-"); the JSON output carries
// the record as the Entry key/value list. Constructed via NewEventlogEntry (body not shown here).
type WindowsEventlogEntry struct {
	// Embedded log object header shared by all jsonlog objects.
	jsonlog.ObjectHeader
	// EventId is text-log-only.
	EventId uint16 `json:"-" textlog:"event_id"`
	// EventLevel is text-log-only.
	EventLevel int `json:"-" textlog:"event_level"`
	// EventTime is text-log-only.
	EventTime time.Time `json:"-" textlog:"event_time"`
	// EventChannel is text-log-only, omitted when empty.
	EventChannel string `json:"-" textlog:"event_channel,omitempty"`
	// EventComputer is text-log-only, omitted when empty.
	EventComputer string `json:"-" textlog:"event_computer,omitempty"`
	// Entry holds the record's fields and is emitted in both outputs.
	Entry KeyValueList `json:"entry" textlog:"entry"`
}
func NewEventlogEntry ¶
func NewEventlogEntry() *WindowsEventlogEntry
type WindowsMutex ¶
// WindowsMutex is the log object for a named mutex.
// Constructed via NewWindowsMutex(mutex) (body not shown here).
type WindowsMutex struct {
	// Embedded log object header.
	LogObjectHeader
	// Mutex is the mutex name.
	Mutex string `json:"mutex" textlog:"mutex"`
}
func NewWindowsMutex ¶
func NewWindowsMutex(mutex string) *WindowsMutex
type WindowsPermissions ¶
// WindowsPermissions is a log object holding the owner and the ACL entries
// of a Windows object. Construct it with NewWindowsPermissions; it also has
// a String method for human-readable output.
type WindowsPermissions struct {
	LogObjectHeader
	// Owner is the object's owner as a string.
	Owner string `json:"owner" textlog:"owner"` // FIXME: Could include information like the original SID
	// Permissions lists the ACL entries. The jsonschema tag marks the field
	// nullable, so JSON consumers must accept null as well as an array.
	Permissions AclEntries `json:"permissions" textlog:"permissions" jsonschema:"nullable"`
}
func NewWindowsPermissions ¶
func NewWindowsPermissions() *WindowsPermissions
func (WindowsPermissions) String ¶
func (p WindowsPermissions) String() string
type WindowsPipe ¶
// WindowsPipe is a log object recording the name of a single Windows named
// pipe. Construct it with NewWindowsPipe. For several pipes at once see
// WindowsPipeList.
type WindowsPipe struct {
	LogObjectHeader
	// Pipe is the pipe name.
	Pipe string `json:"pipe" textlog:"pipe"`
}
func NewWindowsPipe ¶
func NewWindowsPipe(pipe string) *WindowsPipe
type WindowsPipeList ¶
// WindowsPipeList is a log object carrying a list of Windows named pipe
// names. Construct it with NewWindowsPipeList. Unlike WindowsPipe it embeds
// jsonlog.ObjectHeader rather than LogObjectHeader.
type WindowsPipeList struct {
	jsonlog.ObjectHeader
	// Pipes holds the pipe names.
	Pipes StringList `json:"pipes" textlog:"pipes"`
}
func NewWindowsPipeList ¶
func NewWindowsPipeList() *WindowsPipeList
type WindowsService ¶
// WindowsService is a log object describing a Windows service as read from
// its configuration (the Key/KeyName fields suggest a registry source —
// confirm in service.go). Construct it with NewWindowsService.
type WindowsService struct {
	LogObjectHeader
	// Key is the key the service was read from.
	Key string `json:"key" textlog:"key"`
	// KeyName is the name of that key.
	KeyName string `json:"key_name" textlog:"key_name"`
	// ServiceName is the service's name.
	ServiceName string `json:"service_name" textlog:"service_name"`
	// Modified is the last modification time of the service entry.
	Modified time.Time `json:"modified" textlog:"modified"`
	// StartType is the configured start type, as a string.
	StartType string `json:"start_type" textlog:"start_type"`
	// ServiceType is the configured service type, as a string.
	ServiceType string `json:"service_type" textlog:"service_type"`
	// User is the account the service is configured to run as.
	User string `json:"user" textlog:"user"`
	// Description is the service description.
	Description string `json:"description" textlog:"description"`
	// FailureCommand is presumably the command configured as the service's
	// failure/recovery action — confirm in service.go. It is always present
	// in JSON but omitted from the text log when empty (omitempty).
	FailureCommand string `json:"failure_command" textlog:"failure_command,omitempty"`
	// Image describes the service's executable. It is a pointer and so may
	// be nil, which encodes as null in JSON; the text log uses "expand".
	Image *File `json:"image" textlog:"image,expand"`
}
func NewWindowsService ¶
func NewWindowsService() *WindowsService
type WindowsUser ¶
// WindowsUser is a log object describing a local Windows user account.
// Construct it with NewWindowsUser.
//
// Several JSON/text keys differ from the Go field names (IsEnabled →
// "active", IsLocked → "locked", PasswordNeverExpires → "no_expire",
// PasswordAge → "pass_age", NumberOfLogons → "num_logons"); consumers
// should key on the tags, not the field names.
type WindowsUser struct {
	LogObjectHeader
	// User is the account name.
	User string `json:"user" textlog:"user"`
	// FullName is the account's full name.
	FullName string `json:"full_name" textlog:"full_name"`
	// IsAdmin reports whether the account is an administrator.
	IsAdmin bool `json:"is_admin" textlog:"is_admin"`
	// LastLogon is the time of the last logon.
	LastLogon time.Time `json:"last_logon" textlog:"last_logon"`
	// BadPasswordCount is the number of bad password attempts recorded.
	BadPasswordCount int `json:"bad_password_count" textlog:"bad_password_count"`
	// NumberOfLogons is the number of logons recorded.
	NumberOfLogons int `json:"num_logons" textlog:"num_logons"`
	// PasswordAge is the age of the password, carried as an HourDuration
	// (see that type for its serialization).
	PasswordAge HourDuration `json:"pass_age" textlog:"pass_age"`
	// PasswordNeverExpires reports whether the password is set to never expire.
	PasswordNeverExpires bool `json:"no_expire" textlog:"no_expire"`
	// IsEnabled reports whether the account is enabled.
	IsEnabled bool `json:"active" textlog:"active"`
	// IsLocked reports whether the account is locked.
	IsLocked bool `json:"locked" textlog:"locked"`
	// Comment is the account comment.
	Comment string `json:"comment" textlog:"comment"`
}
func NewWindowsUser ¶
func NewWindowsUser(user string) *WindowsUser
type WmiElement ¶
// WmiElement is a log object describing a WMI event filter / consumer
// binding. Construct it with NewWmiElement.
//
// Note the two tag conventions: JSON keys are snake_case ("event_filter_name")
// while text log keys are lowercase without separators ("eventfiltername").
type WmiElement struct {
	jsonlog.ObjectHeader
	// Key identifies where the element was found (presumably a registry or
	// repository key — confirm in wmi.go).
	Key string `json:"key" textlog:"key"`
	// Filtertype is the type of the filter, as a string.
	Filtertype string `json:"filter_type" textlog:"filtertype"`
	// Eventfiltername is the name of the event filter.
	Eventfiltername string `json:"event_filter_name" textlog:"eventfiltername"`
	// Eventconsumername is the name of the event consumer.
	Eventconsumername string `json:"event_consumer_name" textlog:"eventconsumername"`
	// Eventfilter is the event filter definition (presumably its query).
	Eventfilter string `json:"event_filter" textlog:"eventfilter"`
	// Eventconsumer is the event consumer definition.
	Eventconsumer string `json:"event_consumer" textlog:"eventconsumer"`
}
func NewWmiElement ¶
func NewWmiElement() *WmiElement
type WmiStartupCommand ¶
// WmiStartupCommand is a log object describing a startup command reported via
// WMI. The fields mirror the Location/Caption/Command properties of the
// Win32_StartupCommand class — confirm in wmi.go. Construct it with
// NewWmiStartupCommand.
type WmiStartupCommand struct {
	jsonlog.ObjectHeader
	// Location is where the startup entry is registered.
	Location string `json:"location" textlog:"location"`
	// Caption is the entry's caption.
	Caption string `json:"caption" textlog:"caption"`
	// Command is the command line that is run at startup.
	Command string `json:"command" textlog:"command"`
}
func NewWmiStartupCommand ¶
func NewWmiStartupCommand() *WmiStartupCommand
Source Files
- amcache.go
- antivirus.go
- atjob.go
- auditlog.go
- authorizedkeys.go
- autorun.go
- beaconwatcher.go
- cobaltstrike.go
- common.go
- crontab.go
- deepdive.go
- dnscache.go
- doublepulsar.go
- envvar.go
- event.go
- eventlog.go
- file.go
- firewall.go
- firstbytes.go
- groupsxml.go
- hostinfo.go
- hostsfile.go
- issue.go
- journald.go
- jumplist.go
- kernelmodule.go
- knowledgedb.go
- kvlist.go
- logline.go
- lsasession.go
- matchstrings.go
- mftfile.go
- moduleanalysiscache.go
- mplog.go
- networksession.go
- networkshares.go
- objectlist.go
- patches.go
- permissions.go
- pesieve.go
- pipe.go
- plugin.go
- prefetch.go
- process.go
- processconnection.go
- processhandle.go
- quarantineevent.go
- reason.go
- registry.go
- rootkit.go
- scaninfo.go
- scheduledtask.go
- sdb.go
- service.go
- shellbag.go
- shimcache.go
- sparsedata.go
- stringlist.go
- systemresourceusagemonitor.go
- teamviewer.go
- thread.go
- tomcatusers.go
- unmarshal.go
- useraccesslog.go
- users.go
- virustotal.go
- webhistory.go
- wer.go
- winkernel.go
- wmi.go