115 lines
3.4 KiB
Go
115 lines
3.4 KiB
Go
|
package suspicious
|
||
|
|
|
||
|
|
/*
|
||
|
|
Suspicious
|
||
|
|
The object used to resemble the Suspicious artifacts and activities.
|
||
|
|
*/
|
||
|
|
type Suspicious struct {
|
||
|
|
Artifacts []Artifact `json:"artifacts"`
|
||
|
|
Persistence Persistence `json:"persistence"`
|
||
|
|
RootFolder string `json:"rootFolder"`
|
||
|
|
Binaries []string `json:"binaries"`
|
||
|
|
Directories []string `json:"directories"`
|
||
|
|
Services []*Service `json:"services"`
|
||
|
|
Processes []Process `json:"processes"`
|
||
|
|
OutboundConnections []NetworkConnection `json:"outboundConnections"`
|
||
|
|
AutoRuns []AutoRun `json:"autoRuns"`
|
||
|
|
ScheduledTasks []*ScheduledTask `json:"scheduledTasks"`
|
||
|
|
}
|
||
|
|
|
||
|
|
type NetworkConnection struct {
|
||
|
|
LocalAddr string
|
||
|
|
RemoteAddr string
|
||
|
|
RemoteHost string
|
||
|
|
State string
|
||
|
|
PID string
|
||
|
|
Process string
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|
||
|
|
Artifact
|
||
|
|
The object used to resemble the artifacts found by the Suspicious software.
|
||
|
|
*/
|
||
|
|
type Artifact struct {
|
||
|
|
Location string `json:"location"`
|
||
|
|
Content string `json:"content"`
|
||
|
|
SHA256 string `json:"sha256"`
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|
||
|
|
Persistence
|
||
|
|
The object used to resemble the persistence methods used by the Suspicious software.
|
||
|
|
*/
|
||
|
|
type Persistence struct {
|
||
|
|
AutoRuns []AutoRun `json:"autoRuns"`
|
||
|
|
ScheduledTasks []ScheduledTask `json:"scheduledTasks"`
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|
||
|
|
AutoRun
|
||
|
|
The object used to resemble the auto run methods used by the Suspicious software.
|
||
|
|
*/
|
||
|
|
type AutoRun struct {
|
||
|
|
Name string `json:"name"`
|
||
|
|
Command string `json:"command"`
|
||
|
|
Location string `json:"location"`
|
||
|
|
Enabled bool `json:"enabled"`
|
||
|
|
Description string `json:"description"`
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|
||
|
|
ScheduledTask
|
||
|
|
The object used to resemble the scheduled tasks used by the Suspicious software.
|
||
|
|
*/
|
||
|
|
type ScheduledTask struct {
|
||
|
|
Name string `json:"name"`
|
||
|
|
Author string `json:"author"`
|
||
|
|
CreatedDate string `json:"createdDate"`
|
||
|
|
ModifiedDate string `json:"modifiedDate"`
|
||
|
|
Description string `json:"description"`
|
||
|
|
State string `json:"state"`
|
||
|
|
Enabled bool `json:"enabled"`
|
||
|
|
LastResult string `json:"lastResult"`
|
||
|
|
NextRun string `json:"nextRun"`
|
||
|
|
LastRun string `json:"lastRun"`
|
||
|
|
Path string `json:"path"`
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|
||
|
|
Process
|
||
|
|
The object used to resemble the processes used by the Suspicious software.
|
||
|
|
*/
|
||
|
|
type Process struct {
|
||
|
|
Name string `json:"name"`
|
||
|
|
PID int `json:"pid"`
|
||
|
|
PPID int `json:"ppid"`
|
||
|
|
Parent string `json:"parent"`
|
||
|
|
Args string `json:"args"`
|
||
|
|
Created string `json:"created"`
|
||
|
|
Path string `json:"path"`
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|
||
|
|
Service
|
||
|
|
The object used to resemble the services used by the Suspicious software.
|
||
|
|
*/
|
||
|
|
type Service struct {
|
||
|
|
Name string `json:"name"`
|
||
|
|
DisplayName string `json:"displayName"`
|
||
|
|
ServiceTypeRaw uint32 `json:"serviceTypeRaw"`
|
||
|
|
ServiceType string `json:"serviceType"`
|
||
|
|
StartTypeRaw uint32 `json:"startTypeRaw"`
|
||
|
|
StartType string `json:"startType"`
|
||
|
|
ErrorControlRaw uint32 `json:"errorControlRaw"`
|
||
|
|
ErrorControl string `json:"errorControl"`
|
||
|
|
BinaryPathName string `json:"binaryPathName"`
|
||
|
|
LoadOrderGroup string `json:"loadOrderGroup"`
|
||
|
|
TagId uint32 `json:"tagId"`
|
||
|
|
Dependencies []string `json:"dependencies"`
|
||
|
|
ServiceStartName string `json:"serviceStartName"`
|
||
|
|
Password string `json:"password"`
|
||
|
|
Description string `json:"description"`
|
||
|
|
SidType uint32 `json:"sidType"`
|
||
|
|
DelayedAutoStart bool `json:"delayedAutoStart"`
|
||
|
|
}
|