Implement initial detection and data structures for suspicious artifacts
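--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,114 @@
+package suspicious
+
+/*
+Suspicious
+The object used to resemble the Suspicious artifacts and activities.
+*/
+type Suspicious struct {
+Artifacts []Artifact `json:"artifacts"`
+Persistence Persistence `json:"persistence"`
+RootFolder string `json:"rootFolder"`
+Binaries []string `json:"binaries"`
+Directories []string `json:"directories"`
+Services []*Service `json:"services"`
+Processes []Process `json:"processes"`
+OutboundConnections []NetworkConnection `json:"outboundConnections"`
+AutoRuns []AutoRun `json:"autoRuns"`
+ScheduledTasks []*ScheduledTask `json:"scheduledTasks"`
+}
+
+type NetworkConnection struct {
+LocalAddr string
+RemoteAddr string
+RemoteHost string
+State string
+PID string
+Process string
+}
+
+/*
+Artifact
+The object used to resemble the artifacts found by the Suspicious software.
+*/
+type Artifact struct {
+Location string `json:"location"`
+Content string `json:"content"`
+SHA256 string `json:"sha256"`
+}
+
+/*
+Persistence
+The object used to resemble the persistence methods used by the Suspicious software.
+*/
+type Persistence struct {
+AutoRuns []AutoRun `json:"autoRuns"`
+ScheduledTasks []ScheduledTask `json:"scheduledTasks"`
+}
+
+/*
+AutoRun
+The object used to resemble the auto run methods used by the Suspicious software.
+*/
+type AutoRun struct {
+Name string `json:"name"`
+Command string `json:"command"`
+Location string `json:"location"`
+Enabled bool `json:"enabled"`
+Description string `json:"description"`
+}
+
+/*
+ScheduledTask
+The object used to resemble the scheduled tasks used by the Suspicious software.
+*/
+type ScheduledTask struct {
+Name string `json:"name"`
+Author string `json:"author"`
+CreatedDate string `json:"createdDate"`
+ModifiedDate string `json:"modifiedDate"`
+Description string `json:"description"`
+State string `json:"state"`
+Enabled bool `json:"enabled"`
+LastResult string `json:"lastResult"`
+NextRun string `json:"nextRun"`
+LastRun string `json:"lastRun"`
+Path string `json:"path"`
+}
+
+/*
+Process
+The object used to resemble the processes used by the Suspicious software.
+*/
+type Process struct {
+Name string `json:"name"`
+PID int `json:"pid"`
+PPID int `json:"ppid"`
+Parent string `json:"parent"`
+Args string `json:"args"`
+Created string `json:"created"`
+Path string `json:"path"`
+}
+
+/*
+Service
+The object used to resemble the services used by the Suspicious software.
+*/
+type Service struct {
+Name string `json:"name"`
+DisplayName string `json:"displayName"`
+ServiceTypeRaw uint32 `json:"serviceTypeRaw"`
+ServiceType string `json:"serviceType"`
+StartTypeRaw uint32 `json:"startTypeRaw"`
+StartType string `json:"startType"`
+ErrorControlRaw uint32 `json:"errorControlRaw"`
+ErrorControl string `json:"errorControl"`
+BinaryPathName string `json:"binaryPathName"`
+LoadOrderGroup string `json:"loadOrderGroup"`
+TagId uint32 `json:"tagId"`
+Dependencies []string `json:"dependencies"`
+ServiceStartName string `json:"serviceStartName"`
+Password string `json:"password"`
+Description string `json:"description"`
+SidType uint32 `json:"sidType"`
+DelayedAutoStart bool `json:"delayedAutoStart"`
+}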
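Review bot: `Password string \`json:"password"\`` on `Service` serialises a service-account credential into the report, so every consumer, file or log sink that receives the JSON gets it in clear; unless the report specifically needs the value, change it to `Password string \`json:"-"\`` or drop the field, and if it must stay, add a field comment stating that the report then carries a credential and where it is allowed to go. `NetworkConnection` is the only struct in the file without `json` tags, so it will encode with Go field names (`LocalAddr`, `PID`) while every sibling uses camelCase keys; tagging it now avoids a schema break once consumers exist. `Suspicious.ScheduledTasks` is `[]*ScheduledTask` while `Persistence.ScheduledTasks` is `[]ScheduledTask`, and `Suspicious` repeats the `AutoRuns`/`ScheduledTasks` fields that `Persistence` already groups, so one representation should be chosen before callers depend on both. The `/* Name ... */` block comments do not follow the godoc form (`// Service describes a ...`), and `TagId` would be `TagID` under Go's initialism convention.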