sysmon

package
v1.8.0-beta.7 Latest
Warning

This package is not in the latest version of its module.

Published: Jul 27, 2022 License: AGPL-3.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// ValidOnMatch lists the values accepted for EventFilter.OnMatch; the empty
// string stands for "attribute not set".
var ValidOnMatch = []string{"include", "exclude", ""}

// ValidGroupRelation lists the values accepted for RuleGroup.Relation; the
// empty string stands for "attribute not set".
var ValidGroupRelation = []string{"and", "or", ""}

// ValidHashAlgorithm lists the values accepted for a hash algorithm entry.
// "*" is accepted as a wildcard entry; the empty string stands for "not set".
var ValidHashAlgorithm = []string{"IMPHASH", "MD5", "SHA1", "SHA256", "*", ""}

// Sentinel errors for configuration validation; compare with errors.Is.
var (
	ErrUnknownOS            = fmt.Errorf("unknown OS")
	ErrInvalidSchemaVersion = fmt.Errorf("invalid schema version")
	ErrInvalidGroupRelation = fmt.Errorf("invalid group relation")
	ErrInvalidCondition     = fmt.Errorf("invalid condition")
	ErrInvalidOnMatch       = fmt.Errorf("invalid onmatch")
	ErrInvalidHashAlgorithm = fmt.Errorf("invalid hash algorithm")
)
// Conditions lists the values accepted for Filter.Condition. The order is the
// order in which the conditions are documented; keep it stable because callers
// may index into it.
var Conditions = []string{
	// equality
	"is", "is not",
	// substring / set membership
	"contains", "contains any", "is any", "contains all",
	"excludes", "excludes any", "excludes all",
	// prefix / suffix
	"begin with", "not begin with", "end with", "not end with",
	// ordering
	"less than", "more than",
	// image-name match
	"image",
}
// ErrSysmonNotInstalled is the sentinel error reported when no Sysmon
// installation can be found on the host; compare with errors.Is.
var ErrSysmonNotInstalled = fmt.Errorf("sysmon is not installed")

Functions

This section is empty.

Types

type ClipboardChange

// ClipboardChange holds the per-field filter rules for the Sysmon
// ClipboardChange event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type ClipboardChange struct {
	EventFilter
	RuleName    []Filter `json:",omitempty"`
	UtcTime     []Filter `json:",omitempty"`
	ProcessGuid []Filter `json:",omitempty"`
	ProcessId   []Filter `json:",omitempty"`
	Image       []Filter `json:",omitempty"`
	Session     []Filter `json:",omitempty"`
	ClientInfo  []Filter `json:",omitempty"`
	Hashes      []Filter `json:",omitempty"`
	Archived    []Filter `json:",omitempty"`
}

type Config

// Config is a Sysmon configuration as handled by this package: InnerConfig
// holds the configuration document itself, and the embedded sod.Item
// presumably supplies the storage identity for the persisted object
// (confirm against the sod package).
type Config struct {
	sod.Item
	InnerConfig
}

func AgnosticConfig

func AgnosticConfig(schemaversion string) (c *Config, err error)

func (Config) MarshalJSON

func (c Config) MarshalJSON() (b []byte, err error)

func (*Config) Sha256

func (c *Config) Sha256() (sha256 string, err error)

func (*Config) Validate

func (c *Config) Validate() (err error)

func (*Config) XML

func (c *Config) XML() (b []byte, err error)

type CreateRemoteThread

// CreateRemoteThread holds the per-field filter rules for the Sysmon
// CreateRemoteThread event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type CreateRemoteThread struct {
	EventFilter
	RuleName          []Filter `json:",omitempty"`
	UtcTime           []Filter `json:",omitempty"`
	SourceProcessGuid []Filter `json:",omitempty"`
	SourceProcessId   []Filter `json:",omitempty"`
	SourceImage       []Filter `json:",omitempty"`
	TargetProcessGuid []Filter `json:",omitempty"`
	TargetProcessId   []Filter `json:",omitempty"`
	TargetImage       []Filter `json:",omitempty"`
	NewThreadId       []Filter `json:",omitempty"`
	StartAddress      []Filter `json:",omitempty"`
	StartModule       []Filter `json:",omitempty"`
	StartFunction     []Filter `json:",omitempty"`
}

type DnsQuery

// DnsQuery holds the per-field filter rules for the Sysmon DnsQuery event.
// The embedded EventFilter supplies the onmatch attribute; each field is a
// list of Filter rules on the event field of the same name and is omitted
// from JSON when empty.
type DnsQuery struct {
	EventFilter
	RuleName     []Filter `json:",omitempty"`
	UtcTime      []Filter `json:",omitempty"`
	ProcessGuid  []Filter `json:",omitempty"`
	ProcessId    []Filter `json:",omitempty"`
	QueryName    []Filter `json:",omitempty"`
	QueryStatus  []Filter `json:",omitempty"`
	QueryResults []Filter `json:",omitempty"`
	Image        []Filter `json:",omitempty"`
}

type DriverLoad

// DriverLoad holds the per-field filter rules for the Sysmon DriverLoad
// event. The embedded EventFilter supplies the onmatch attribute; each field
// is a list of Filter rules on the event field of the same name and is
// omitted from JSON when empty.
type DriverLoad struct {
	EventFilter
	RuleName        []Filter `json:",omitempty"`
	UtcTime         []Filter `json:",omitempty"`
	ImageLoaded     []Filter `json:",omitempty"`
	Hashes          []Filter `json:",omitempty"`
	Signed          []Filter `json:",omitempty"`
	Signature       []Filter `json:",omitempty"`
	SignatureStatus []Filter `json:",omitempty"`
}

type EventFilter

// EventFilter carries the onmatch attribute shared by every event filter
// type. OnMatch is expected to be one of ValidOnMatch ("include", "exclude"
// or unset); Validate presumably reports ErrInvalidOnMatch otherwise.
type EventFilter struct {
	OnMatch string `xml:"onmatch,attr,omitempty" json:"onmatch,omitempty"`
}

func (*EventFilter) Validate

func (e *EventFilter) Validate() error

type EventFiltering

// EventFiltering is the EventFiltering section of a Sysmon configuration:
// the embedded Filters hold top-level event filters and RuleGroup holds the
// named groups, each with its own Filters and group relation.
type EventFiltering struct {
	Filters
	RuleGroup []RuleGroup
}

type FileCreate

// FileCreate holds the per-field filter rules for the Sysmon FileCreate
// event. The embedded EventFilter supplies the onmatch attribute; each field
// is a list of Filter rules on the event field of the same name and is
// omitted from JSON when empty.
type FileCreate struct {
	EventFilter
	RuleName        []Filter `json:",omitempty"`
	UtcTime         []Filter `json:",omitempty"`
	ProcessGuid     []Filter `json:",omitempty"`
	ProcessId       []Filter `json:",omitempty"`
	Image           []Filter `json:",omitempty"`
	TargetFilename  []Filter `json:",omitempty"`
	CreationUtcTime []Filter `json:",omitempty"`
}

type FileCreateStreamHash

// FileCreateStreamHash holds the per-field filter rules for the Sysmon
// FileCreateStreamHash event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type FileCreateStreamHash struct {
	EventFilter
	RuleName        []Filter `json:",omitempty"`
	UtcTime         []Filter `json:",omitempty"`
	ProcessGuid     []Filter `json:",omitempty"`
	ProcessId       []Filter `json:",omitempty"`
	Image           []Filter `json:",omitempty"`
	TargetFilename  []Filter `json:",omitempty"`
	CreationUtcTime []Filter `json:",omitempty"`
	Hash            []Filter `json:",omitempty"`
	Contents        []Filter `json:",omitempty"`
}

type FileCreateTime

// FileCreateTime holds the per-field filter rules for the Sysmon
// FileCreateTime event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type FileCreateTime struct {
	EventFilter
	RuleName                []Filter `json:",omitempty"`
	UtcTime                 []Filter `json:",omitempty"`
	ProcessGuid             []Filter `json:",omitempty"`
	ProcessId               []Filter `json:",omitempty"`
	Image                   []Filter `json:",omitempty"`
	TargetFilename          []Filter `json:",omitempty"`
	CreationUtcTime         []Filter `json:",omitempty"`
	PreviousCreationUtcTime []Filter `json:",omitempty"`
}

type FileDelete

// FileDelete holds the per-field filter rules for the Sysmon FileDelete
// event. The embedded EventFilter supplies the onmatch attribute; each field
// is a list of Filter rules on the event field of the same name and is
// omitted from JSON when empty. It differs from FileDeleteDetected only by
// the Archived field.
type FileDelete struct {
	EventFilter
	RuleName       []Filter `json:",omitempty"`
	UtcTime        []Filter `json:",omitempty"`
	ProcessGuid    []Filter `json:",omitempty"`
	ProcessId      []Filter `json:",omitempty"`
	User           []Filter `json:",omitempty"`
	Image          []Filter `json:",omitempty"`
	TargetFilename []Filter `json:",omitempty"`
	Hashes         []Filter `json:",omitempty"`
	IsExecutable   []Filter `json:",omitempty"`
	Archived       []Filter `json:",omitempty"`
}

type FileDeleteDetected

// FileDeleteDetected holds the per-field filter rules for the Sysmon
// FileDeleteDetected event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty. Unlike FileDelete it has no
// Archived field.
type FileDeleteDetected struct {
	EventFilter
	RuleName       []Filter `json:",omitempty"`
	UtcTime        []Filter `json:",omitempty"`
	ProcessGuid    []Filter `json:",omitempty"`
	ProcessId      []Filter `json:",omitempty"`
	User           []Filter `json:",omitempty"`
	Image          []Filter `json:",omitempty"`
	TargetFilename []Filter `json:",omitempty"`
	Hashes         []Filter `json:",omitempty"`
	IsExecutable   []Filter `json:",omitempty"`
}

type Filter

// Filter is a single Sysmon filter rule: an optional rule name, a condition
// (expected to be one of Conditions; Validate presumably reports
// ErrInvalidCondition otherwise) and the value the condition is applied to.
type Filter struct {
	Name      string `xml:"name,attr,omitempty" json:"name,omitempty"`
	Condition string `xml:"condition,attr,omitempty" json:"condition,omitempty"`
	// Value is written verbatim by encoding/xml because of the ",innerxml"
	// tag: it is NOT XML-escaped on marshal, so a value containing markup
	// characters ("<", "&") would be emitted as-is into the generated
	// configuration. NOTE(review): confirm Validate rejects such values when
	// the configuration is built from untrusted input.
	Value     string `xml:",innerxml" json:"value"`
}

func (*Filter) Validate

func (f *Filter) Validate() error

type Filters

// Filters groups one optional filter block per Sysmon event type. A nil
// field is omitted from both the XML and the JSON output, so only the event
// types that are actually configured appear in the generated document.
// Field order is the element order in the XML output; keep it stable.
type Filters struct {
	ProcessCreate        *ProcessCreate        `xml:",omitempty" json:",omitempty"`
	FileCreateTime       *FileCreateTime       `xml:",omitempty" json:",omitempty"`
	NetworkConnect       *NetworkConnect       `xml:",omitempty" json:",omitempty"`
	ProcessTerminate     *ProcessTerminate     `xml:",omitempty" json:",omitempty"`
	DriverLoad           *DriverLoad           `xml:",omitempty" json:",omitempty"`
	ImageLoad            *ImageLoad            `xml:",omitempty" json:",omitempty"`
	CreateRemoteThread   *CreateRemoteThread   `xml:",omitempty" json:",omitempty"`
	RawAccessRead        *RawAccessRead        `xml:",omitempty" json:",omitempty"`
	ProcessAccess        *ProcessAccess        `xml:",omitempty" json:",omitempty"`
	FileCreate           *FileCreate           `xml:",omitempty" json:",omitempty"`
	RegistryEvent        *RegistryEvent        `xml:",omitempty" json:",omitempty"`
	FileCreateStreamHash *FileCreateStreamHash `xml:",omitempty" json:",omitempty"`
	PipeEvent            *PipeEvent            `xml:",omitempty" json:",omitempty"`
	WmiEvent             *WmiEvent             `xml:",omitempty" json:",omitempty"`
	DnsQuery             *DnsQuery             `xml:",omitempty" json:",omitempty"`
	FileDelete           *FileDelete           `xml:",omitempty" json:",omitempty"`
	ClipboardChange      *ClipboardChange      `xml:",omitempty" json:",omitempty"`
	ProcessTampering     *ProcessTampering     `xml:",omitempty" json:",omitempty"`
	FileDeleteDetected   *FileDeleteDetected   `xml:",omitempty" json:",omitempty"`
}

func (*Filters) Validate

func (f *Filters) Validate() error

type ImageLoad

// ImageLoad holds the per-field filter rules for the Sysmon ImageLoad event.
// The embedded EventFilter supplies the onmatch attribute; each field is a
// list of Filter rules on the event field of the same name and is omitted
// from JSON when empty.
type ImageLoad struct {
	EventFilter
	RuleName         []Filter `json:",omitempty"`
	UtcTime          []Filter `json:",omitempty"`
	ProcessGuid      []Filter `json:",omitempty"`
	ProcessId        []Filter `json:",omitempty"`
	Image            []Filter `json:",omitempty"`
	ImageLoaded      []Filter `json:",omitempty"`
	FileVersion      []Filter `json:",omitempty"`
	Description      []Filter `json:",omitempty"`
	Product          []Filter `json:",omitempty"`
	Company          []Filter `json:",omitempty"`
	OriginalFileName []Filter `json:",omitempty"`
	Hashes           []Filter `json:",omitempty"`
	Signed           []Filter `json:",omitempty"`
	Signature        []Filter `json:",omitempty"`
	SignatureStatus  []Filter `json:",omitempty"`
}

type Info

// Info describes a Sysmon installation: the Sysmon version, the service and
// driver (name, image path and SHA-256 of the image) and the configuration
// in use (schema and binary versions plus its hash). How it is populated is
// not shown here; presumably it is gathered from the host and
// ErrSysmonNotInstalled is reported when nothing is found — confirm.
type Info struct {
	Version string `json:"version"`

	Service struct {
		Name   string `json:"name"`
		Image  string `json:"image"`
		Sha256 string `json:"sha256"`
	} `json:"service"`
	Driver struct {
		Name   string `json:"name"`
		Image  string `json:"image"`
		Sha256 string `json:"sha256"`
	} `json:"driver"`
	Config struct {
		Version struct {
			Schema string `json:"schema"`
			Binary string `json:"binary"`
		} `json:"version"`
		// Hash is the configuration hash; the algorithm is not shown here.
		Hash string `json:"hash"`
	} `json:"config"`
}

type InnerConfig

// InnerConfig is the Sysmon configuration document. It marshals to the
// <Sysmon schemaversion="..."> root element; the global option fields come
// first, then the EventFiltering section. Boolean options carry omitempty,
// so they are only emitted when true. The csstrings fields are presumably
// comma-separated lists (see the type's definition).
type InnerConfig struct {
	XMLName                xml.Name  `xml:"Sysmon" json:"-"`
	SchemaVersion          string    `xml:"schemaversion,attr" json:"schemaversion"`
	ArchiveDirectory       string    `xml:",omitempty" json:",omitempty"`
	CheckRevocation        bool      `xml:",omitempty"`
	CopyOnDeletePE         bool      `xml:",omitempty"`
	CopyOnDeleteSIDs       csstrings `xml:",omitempty" json:",omitempty"`
	CopyOnDeleteExtensions csstrings `xml:",omitempty" json:",omitempty"`
	CopyOnDeleteProcesses  csstrings `xml:",omitempty" json:",omitempty"`
	DriverName             string    `xml:",omitempty" json:",omitempty"`
	DnsLookup              bool      `xml:",omitempty"`
	// HashAlgorithms entries are expected to be drawn from ValidHashAlgorithm.
	HashAlgorithms         csstrings `xml:",omitempty" json:",omitempty"`
	EventFiltering         EventFiltering
	// Don't validate Sysmon XML DTD
	// The two fields below are excluded from the XML output (xml:"-") and
	// are bookkeeping only: XmlSha256 presumably caches the hash of the
	// rendered XML and OS the target platform (see ErrUnknownOS) — confirm.
	XmlSha256 string `xml:"-"`
	OS        string `xml:"-"`
}

type NetworkConnect

// NetworkConnect holds the per-field filter rules for the Sysmon
// NetworkConnect event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type NetworkConnect struct {
	EventFilter
	RuleName            []Filter `json:",omitempty"`
	UtcTime             []Filter `json:",omitempty"`
	ProcessGuid         []Filter `json:",omitempty"`
	ProcessId           []Filter `json:",omitempty"`
	Image               []Filter `json:",omitempty"`
	User                []Filter `json:",omitempty"`
	Protocol            []Filter `json:",omitempty"`
	Initiated           []Filter `json:",omitempty"`
	SourceIsIpv6        []Filter `json:",omitempty"`
	SourceIp            []Filter `json:",omitempty"`
	SourceHostname      []Filter `json:",omitempty"`
	SourcePort          []Filter `json:",omitempty"`
	SourcePortName      []Filter `json:",omitempty"`
	DestinationIsIpv6   []Filter `json:",omitempty"`
	DestinationIp       []Filter `json:",omitempty"`
	DestinationHostname []Filter `json:",omitempty"`
	DestinationPort     []Filter `json:",omitempty"`
	DestinationPortName []Filter `json:",omitempty"`
}

type PipeEvent

// PipeEvent holds the per-field filter rules for the Sysmon PipeEvent event.
// The embedded EventFilter supplies the onmatch attribute; each field is a
// list of Filter rules on the event field of the same name and is omitted
// from JSON when empty.
type PipeEvent struct {
	EventFilter
	RuleName    []Filter `json:",omitempty"`
	EventType   []Filter `json:",omitempty"`
	UtcTime     []Filter `json:",omitempty"`
	ProcessGuid []Filter `json:",omitempty"`
	ProcessId   []Filter `json:",omitempty"`
	PipeName    []Filter `json:",omitempty"`
	Image       []Filter `json:",omitempty"`
}

type ProcessAccess

// ProcessAccess holds the per-field filter rules for the Sysmon
// ProcessAccess event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
//
// NOTE(review): SourceProcessGUID/TargetProcessGUID use "GUID" casing while
// the other event types use "Guid". Field names become the XML element
// names, so do not normalize them without checking the Sysmon schema for
// this event.
type ProcessAccess struct {
	EventFilter
	RuleName          []Filter `json:",omitempty"`
	UtcTime           []Filter `json:",omitempty"`
	SourceProcessGUID []Filter `json:",omitempty"`
	SourceProcessId   []Filter `json:",omitempty"`
	SourceThreadId    []Filter `json:",omitempty"`
	SourceImage       []Filter `json:",omitempty"`
	TargetProcessGUID []Filter `json:",omitempty"`
	TargetProcessId   []Filter `json:",omitempty"`
	TargetImage       []Filter `json:",omitempty"`
	GrantedAccess     []Filter `json:",omitempty"`
	CallTrace         []Filter `json:",omitempty"`
}

type ProcessCreate

// ProcessCreate holds the per-field filter rules for the Sysmon
// ProcessCreate event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type ProcessCreate struct {
	EventFilter
	RuleName          []Filter `json:",omitempty"`
	UtcTime           []Filter `json:",omitempty"`
	ProcessGuid       []Filter `json:",omitempty"`
	ProcessId         []Filter `json:",omitempty"`
	Image             []Filter `json:",omitempty"`
	FileVersion       []Filter `json:",omitempty"`
	Description       []Filter `json:",omitempty"`
	Product           []Filter `json:",omitempty"`
	Company           []Filter `json:",omitempty"`
	OriginalFileName  []Filter `json:",omitempty"`
	CommandLine       []Filter `json:",omitempty"`
	CurrentDirectory  []Filter `json:",omitempty"`
	User              []Filter `json:",omitempty"`
	LogonGuid         []Filter `json:",omitempty"`
	LogonId           []Filter `json:",omitempty"`
	TerminalSessionId []Filter `json:",omitempty"`
	IntegrityLevel    []Filter `json:",omitempty"`
	Hashes            []Filter `json:",omitempty"`
	ParentProcessGuid []Filter `json:",omitempty"`
	ParentProcessId   []Filter `json:",omitempty"`
	ParentImage       []Filter `json:",omitempty"`
	ParentCommandLine []Filter `json:",omitempty"`
}

type ProcessTampering

// ProcessTampering holds the per-field filter rules for the Sysmon
// ProcessTampering event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type ProcessTampering struct {
	EventFilter
	RuleName    []Filter `json:",omitempty"`
	UtcTime     []Filter `json:",omitempty"`
	ProcessGuid []Filter `json:",omitempty"`
	ProcessId   []Filter `json:",omitempty"`
	Image       []Filter `json:",omitempty"`
	Type        []Filter `json:",omitempty"`
}

type ProcessTerminate

// ProcessTerminate holds the per-field filter rules for the Sysmon
// ProcessTerminate event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type ProcessTerminate struct {
	EventFilter
	RuleName    []Filter `json:",omitempty"`
	UtcTime     []Filter `json:",omitempty"`
	ProcessGuid []Filter `json:",omitempty"`
	ProcessId   []Filter `json:",omitempty"`
	Image       []Filter `json:",omitempty"`
}

type RawAccessRead

// RawAccessRead holds the per-field filter rules for the Sysmon
// RawAccessRead event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type RawAccessRead struct {
	EventFilter
	RuleName    []Filter `json:",omitempty"`
	UtcTime     []Filter `json:",omitempty"`
	ProcessGuid []Filter `json:",omitempty"`
	ProcessId   []Filter `json:",omitempty"`
	Image       []Filter `json:",omitempty"`
	Device      []Filter `json:",omitempty"`
}

type RegistryEvent

// RegistryEvent holds the per-field filter rules for the Sysmon
// RegistryEvent event. The embedded EventFilter supplies the onmatch
// attribute; each field is a list of Filter rules on the event field of the
// same name and is omitted from JSON when empty.
type RegistryEvent struct {
	EventFilter
	RuleName     []Filter `json:",omitempty"`
	EventType    []Filter `json:",omitempty"`
	UtcTime      []Filter `json:",omitempty"`
	ProcessGuid  []Filter `json:",omitempty"`
	ProcessId    []Filter `json:",omitempty"`
	Image        []Filter `json:",omitempty"`
	TargetObject []Filter `json:",omitempty"`
}

type RuleGroup

// RuleGroup is a named group of event filters. Name maps to the name
// attribute and Relation to the groupRelation attribute, which is expected
// to be one of ValidGroupRelation ("and", "or" or unset); Validate
// presumably reports ErrInvalidGroupRelation otherwise.
type RuleGroup struct {
	Filters
	Name     string `xml:"name,attr,omitempty" json:",omitempty"`
	Relation string `xml:"groupRelation,attr,omitempty" json:"groupRelation,omitempty"`
}

func (*RuleGroup) Validate

func (g *RuleGroup) Validate() error

type WmiEvent

// WmiEvent holds the per-field filter rules for the Sysmon WmiEvent event.
// The embedded EventFilter supplies the onmatch attribute; each field is a
// list of Filter rules on the event field of the same name and is omitted
// from JSON when empty.
type WmiEvent struct {
	EventFilter
	RuleName       []Filter `json:",omitempty"`
	EventType      []Filter `json:",omitempty"`
	UtcTime        []Filter `json:",omitempty"`
	Operation      []Filter `json:",omitempty"`
	User           []Filter `json:",omitempty"`
	EventNamespace []Filter `json:",omitempty"`
	Name           []Filter `json:",omitempty"`
	Query          []Filter `json:",omitempty"`
}
