internal/suspicious/rmm.go

package suspicious

import (
	"encoding/json"
)

/*
Suspicious
The object used to resemble the Suspicious artifacts and activities.
*/
type Suspicious struct {
	Artifacts           []Artifact          `json:"artifacts"`
	Persistence         Persistence         `json:"persistence"`
	RootFolder          string              `json:"rootFolder"`
	Binaries            []Binary            `json:"binaries"`
	Directories         []Directory         `json:"directories"`
	Services            []*Service          `json:"services"`
	Processes           []Process           `json:"processes"`
	OutboundConnections []NetworkConnection `json:"outboundConnections"`
	AutoRuns            []AutoRun           `json:"autoRuns"`
	ScheduledTasks      []*ScheduledTask    `json:"scheduledTasks"`
}

type Binary struct {
	Path       string `json:"path"`
	Eliminated bool   `json:"eliminated,omitempty"`
}

type Directory struct {
	Path       string `json:"path"`
	Eliminated bool   `json:"eliminated,omitempty"`
}

type NetworkConnection struct {
	LocalAddr  string `json:"localAddr"`
	RemoteAddr string `json:"remoteAddr"`
	RemoteHost string `json:"remoteHost"`
	State      string `json:"state"`
	PID        string `json:"pid"`
	Process    string `json:"process"`
	Eliminated bool   `json:"eliminated,omitempty"`
}

/*
Artifact
The object used to resemble the artifacts found by the Suspicious software.
*/
type Artifact struct {
	Location string `json:"location"`
	Content  string `json:"content"`
	SHA256   string `json:"sha256"`
}

/*
Persistence
The object used to resemble the persistence methods used by the Suspicious software.
*/
type Persistence struct {
	AutoRuns       []AutoRun       `json:"autoRuns"`
	ScheduledTasks []ScheduledTask `json:"scheduledTasks"`
}

/*
AutoRun
The object used to resemble the auto run methods used by the Suspicious software.
*/
type AutoRun struct {
	Type         string `json:"type"`
	Location     string `json:"location"`
	ImagePath    string `json:"image_path"`
	ImageName    string `json:"image_name"`
	Arguments    string `json:"arguments"`
	MD5          string `json:"md5"`
	SHA1         string `json:"sha1"`
	SHA256       string `json:"sha256"`
	Entry        string `json:"entry"`
	LaunchString string `json:"launch_string"`
	Eliminated   bool   `json:"eliminated,omitempty"`
}

/*
ScheduledTask
The object used to resemble the scheduled tasks used by the Suspicious software.
*/
type ScheduledTask struct {
	Name         string `json:"name"`
	Author       string `json:"author"`
	CreatedDate  string `json:"createdDate"`
	ModifiedDate string `json:"modifiedDate"`
	Description  string `json:"description"`
	State        string `json:"state"`
	Enabled      bool   `json:"enabled"`
	LastResult   string `json:"lastResult"`
	NextRun      string `json:"nextRun"`
	LastRun      string `json:"lastRun"`
	Path         string `json:"path"`
	Eliminated   bool   `json:"eliminated,omitempty"`
}

/*
Process
The object used to resemble the processes used by the Suspicious software.
*/
type Process struct {
	Name       string `json:"name"`
	PID        int    `json:"pid"`
	PPID       int    `json:"ppid"`
	Parent     string `json:"parent"`
	Args       string `json:"args"`
	Created    string `json:"created"`
	Path       string `json:"path"`
	Eliminated bool   `json:"eliminated,omitempty"`
}

/*
Service
The object used to resemble the services used by the Suspicious software.
*/
type Service struct {
	Name             string   `json:"name"`
	DisplayName      string   `json:"displayName"`
	ServiceTypeRaw   uint32   `json:"serviceTypeRaw"`
	ServiceType      string   `json:"serviceType"`
	StartTypeRaw     uint32   `json:"startTypeRaw"`
	StartType        string   `json:"startType"`
	ErrorControlRaw  uint32   `json:"errorControlRaw"`
	ErrorControl     string   `json:"errorControl"`
	BinaryPathName   string   `json:"binaryPathName"`
	LoadOrderGroup   string   `json:"loadOrderGroup"`
	TagId            uint32   `json:"tagId"`
	Dependencies     []string `json:"dependencies"`
	ServiceStartName string   `json:"serviceStartName"`
	Password         string   `json:"password"`
	Description      string   `json:"description"`
	SidType          uint32   `json:"sidType"`
	DelayedAutoStart bool     `json:"delayedAutoStart"`
	Eliminated       bool     `json:"eliminated,omitempty"`
}

// UnmarshalJSON implements custom unmarshaling for Binary to support both string and object formats
func (b *Binary) UnmarshalJSON(data []byte) error {
	// Try to unmarshal as string first (old format)
	var str string
	if err := json.Unmarshal(data, &str); err == nil {
		b.Path = str
		b.Eliminated = false
		return nil
	}

	// Try to unmarshal as object (new format)
	type Alias Binary
	aux := &struct{ *Alias }{Alias: (*Alias)(b)}
	return json.Unmarshal(data, aux)
}

// MarshalJSON implements custom marshaling for Binary to always use object format
func (b Binary) MarshalJSON() ([]byte, error) {
	type Alias Binary
	return json.Marshal(&struct{ *Alias }{Alias: (*Alias)(&b)})
}

// UnmarshalJSON implements custom unmarshaling for Directory to support both string and object formats
func (d *Directory) UnmarshalJSON(data []byte) error {
	// Try to unmarshal as string first (old format)
	var str string
	if err := json.Unmarshal(data, &str); err == nil {
		d.Path = str
		d.Eliminated = false
		return nil
	}

	// Try to unmarshal as object (new format)
	type Alias Directory
	aux := &struct{ *Alias }{Alias: (*Alias)(d)}
	return json.Unmarshal(data, aux)
}

// MarshalJSON implements custom marshaling for Directory to always use object format
func (d Directory) MarshalJSON() ([]byte, error) {
	type Alias Directory
	return json.Marshal(&struct{ *Alias }{Alias: (*Alias)(&d)})
}
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`package suspicious`

Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			`import (`
			`"encoding/json"`
			`)`

Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`/*`
			`Suspicious`
			`The object used to resemble the Suspicious artifacts and activities.`
			`*/`
			`type Suspicious struct {`
			Artifacts []Artifact `json:"artifacts"`
			Persistence Persistence `json:"persistence"`
			RootFolder string `json:"rootFolder"`
Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			Binaries []Binary `json:"binaries"`
			Directories []Directory `json:"directories"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			Services []*Service `json:"services"`
			Processes []Process `json:"processes"`
			OutboundConnections []NetworkConnection `json:"outboundConnections"`
			AutoRuns []AutoRun `json:"autoRuns"`
			ScheduledTasks []*ScheduledTask `json:"scheduledTasks"`
			`}`

Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			`type Binary struct {`
			Path string `json:"path"`
			Eliminated bool `json:"eliminated,omitempty"`
			`}`

			`type Directory struct {`
			Path string `json:"path"`
			Eliminated bool `json:"eliminated,omitempty"`
			`}`

Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`type NetworkConnection struct {`
Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			LocalAddr string `json:"localAddr"`
			RemoteAddr string `json:"remoteAddr"`
			RemoteHost string `json:"remoteHost"`
			State string `json:"state"`
			PID string `json:"pid"`
			Process string `json:"process"`
			Eliminated bool `json:"eliminated,omitempty"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`

			`/*`
			`Artifact`
			`The object used to resemble the artifacts found by the Suspicious software.`
			`*/`
			`type Artifact struct {`
			Location string `json:"location"`
			Content string `json:"content"`
			SHA256 string `json:"sha256"`
			`}`

			`/*`
			`Persistence`
			`The object used to resemble the persistence methods used by the Suspicious software.`
			`*/`
			`type Persistence struct {`
			AutoRuns []AutoRun `json:"autoRuns"`
			ScheduledTasks []ScheduledTask `json:"scheduledTasks"`
			`}`

			`/*`
			`AutoRun`
			`The object used to resemble the auto run methods used by the Suspicious software.`
			`*/`
			`type AutoRun struct {`
Refactor AutoRun detection to use Scurvy library, enhance suspicious entry checks, and update UI rendering for detailed info 2025-10-11 15:15:35 -04:00			Type string `json:"type"`
			Location string `json:"location"`
			ImagePath string `json:"image_path"`
			ImageName string `json:"image_name"`
			Arguments string `json:"arguments"`
			MD5 string `json:"md5"`
			SHA1 string `json:"sha1"`
			SHA256 string `json:"sha256"`
			Entry string `json:"entry"`
			LaunchString string `json:"launch_string"`
Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			Eliminated bool `json:"eliminated,omitempty"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`

			`/*`
			`ScheduledTask`
			`The object used to resemble the scheduled tasks used by the Suspicious software.`
			`*/`
			`type ScheduledTask struct {`
			Name string `json:"name"`
			Author string `json:"author"`
			CreatedDate string `json:"createdDate"`
			ModifiedDate string `json:"modifiedDate"`
			Description string `json:"description"`
			State string `json:"state"`
			Enabled bool `json:"enabled"`
			LastResult string `json:"lastResult"`
			NextRun string `json:"nextRun"`
			LastRun string `json:"lastRun"`
			Path string `json:"path"`
Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			Eliminated bool `json:"eliminated,omitempty"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`

			`/*`
			`Process`
			`The object used to resemble the processes used by the Suspicious software.`
			`*/`
			`type Process struct {`
Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			Name string `json:"name"`
			PID int `json:"pid"`
			PPID int `json:"ppid"`
			Parent string `json:"parent"`
			Args string `json:"args"`
			Created string `json:"created"`
			Path string `json:"path"`
			Eliminated bool `json:"eliminated,omitempty"`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`

			`/*`
			`Service`
			`The object used to resemble the services used by the Suspicious software.`
			`*/`
			`type Service struct {`
			Name string `json:"name"`
			DisplayName string `json:"displayName"`
			ServiceTypeRaw uint32 `json:"serviceTypeRaw"`
			ServiceType string `json:"serviceType"`
			StartTypeRaw uint32 `json:"startTypeRaw"`
			StartType string `json:"startType"`
			ErrorControlRaw uint32 `json:"errorControlRaw"`
			ErrorControl string `json:"errorControl"`
			BinaryPathName string `json:"binaryPathName"`
			LoadOrderGroup string `json:"loadOrderGroup"`
			TagId uint32 `json:"tagId"`
			Dependencies []string `json:"dependencies"`
			ServiceStartName string `json:"serviceStartName"`
			Password string `json:"password"`
			Description string `json:"description"`
			SidType uint32 `json:"sidType"`
			DelayedAutoStart bool `json:"delayedAutoStart"`
Refactor suspicious artifact data structures, enhance eliminated state tracking, and update UI rendering for eliminated items. Add JSON marshal/unmarshal support for `Binary` and `Directory` types. 2025-10-11 21:01:07 -04:00			Eliminated bool `json:"eliminated,omitempty"`
			`}`

			`// UnmarshalJSON implements custom unmarshaling for Binary to support both string and object formats`
			`func (b *Binary) UnmarshalJSON(data []byte) error {`
			`// Try to unmarshal as string first (old format)`
			`var str string`
			`if err := json.Unmarshal(data, &str); err == nil {`
			`b.Path = str`
			`b.Eliminated = false`
			`return nil`
			`}`

			`// Try to unmarshal as object (new format)`
			`type Alias Binary`
			`aux := &struct{ Alias }{Alias: (Alias)(b)}`
			`return json.Unmarshal(data, aux)`
			`}`

			`// MarshalJSON implements custom marshaling for Binary to always use object format`
			`func (b Binary) MarshalJSON() ([]byte, error) {`
			`type Alias Binary`
			`return json.Marshal(&struct{ Alias }{Alias: (Alias)(&b)})`
			`}`

			`// UnmarshalJSON implements custom unmarshaling for Directory to support both string and object formats`
			`func (d *Directory) UnmarshalJSON(data []byte) error {`
			`// Try to unmarshal as string first (old format)`
			`var str string`
			`if err := json.Unmarshal(data, &str); err == nil {`
			`d.Path = str`
			`d.Eliminated = false`
			`return nil`
			`}`

			`// Try to unmarshal as object (new format)`
			`type Alias Directory`
			`aux := &struct{ Alias }{Alias: (Alias)(d)}`
			`return json.Unmarshal(data, aux)`
			`}`

			`// MarshalJSON implements custom marshaling for Directory to always use object format`
			`func (d Directory) MarshalJSON() ([]byte, error) {`
			`type Alias Directory`
			`return json.Marshal(&struct{ Alias }{Alias: (Alias)(&d)})`
Implement initial detection and data structures for suspicious artifacts 2025-10-10 15:35:17 -04:00			`}`