Adding the Startup Application Query event class in the discovery category. #1119

Merged
merged 30 commits into from
Sep 4, 2024
30 commits
9a0cc9f
The Startup Application Query event class in the discovery category i…
maxhotta Jun 25, 2024
e0eb24b
Add Changelog entry
maxhotta Jun 25, 2024
8e2cf27
Merge branch 'main' into discovery-startupapp
maxhotta Jun 25, 2024
cfbd9df
Incorporating feedback, and discussion results.
maxhotta Jul 15, 2024
4677089
Merge remote-tracking branch 'origin/discovery-startupapp' into disco…
maxhotta Jul 15, 2024
1cf72e6
Merge remote-tracking branch 'origin/main' into discovery-startupapp
maxhotta Jul 15, 2024
1520c77
Changelog update
maxhotta Jul 15, 2024
c6976aa
Merge branch 'main' into discovery-startupapp
maxhotta Jul 15, 2024
0903a9d
Update conflicting uid for new class
maxhotta Jul 15, 2024
eb3689e
Merge remote-tracking branch 'origin/discovery-startupapp' into disco…
maxhotta Jul 15, 2024
019b136
Adding win_service as a target
maxhotta Jul 22, 2024
58e15c9
Fixed validator issue for win_service
maxhotta Jul 22, 2024
9cf3dbd
Merge remote-tracking branch 'origin/main' into discovery-startupapp
maxhotta Jul 22, 2024
300deaf
Added win_service to startup_app in the windows extension to fix the …
maxhotta Jul 23, 2024
25ab7c0
Re-adding caption to fix schema validation
maxhotta Jul 23, 2024
2b90e2f
Merge remote-tracking branch 'origin/main' into discovery-startupapp
maxhotta Jul 23, 2024
82d25b7
Merge branch 'main' into discovery-startupapp
floydtree Jul 26, 2024
6f606c5
Addressing some of the feedback
maxhotta Jul 29, 2024
4cbd7c0
Merge remote-tracking branch 'origin/discovery-startupapp' into disco…
maxhotta Jul 29, 2024
4d873bd
Merge branch 'main' into discovery-startupapp
floydtree Jul 30, 2024
c68c07b
Merge branch 'main' into discovery-startupapp
floydtree Aug 13, 2024
4a8273e
Addressing feedback; fixed the convention for run mode attributes.
maxhotta Aug 15, 2024
c741c02
Addressing feedback; Removed unnecessary fields, as they are defined …
maxhotta Aug 15, 2024
62f4cf5
Updated model for exposing constraints for an extension object.
maxhotta Aug 16, 2024
fba0d09
Renamed the event class and descriptions to 'Startup Item'
maxhotta Aug 20, 2024
5052e0a
Merge from main, and moved event addition to unreleased
maxhotta Aug 20, 2024
f5b9fba
Merge from main, update uid for Startup Item event class (now conflic…
maxhotta Aug 21, 2024
5360e61
Merge from main
maxhotta Aug 27, 2024
913e83c
Merge from main, resolve conflict in changelog.md
maxhotta Aug 28, 2024
07b82ed
Merge branch 'main' into discovery-startupapp
floydtree Sep 4, 2024
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -45,6 +45,8 @@ Thankyou! -->
* #### Event Classes
1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
2. Added `Script Activity` event class to the System category. #1159
3. Added `Startup Item Query` event class. #1119

* #### Dictionary Attributes
1. Added `has_mfa` as a `boolean_t`. #1155

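Review bot: the new entry `3. Added `Startup Item Query` event class. #1119` omits the category that the two sibling entries spell out; since the class file lives under `events/discovery/`, follow the same convention: `Added `Startup Item Query` event class to the Discovery category. #1119`. The PR title still reads "Startup Application Query", which no longer matches the renamed class (commit fba0d09); updating the title before merge keeps the changelog and the PR history consistent.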
81 changes: 81 additions & 0 deletions dictionary.json
Expand Up @@ -3811,6 +3811,29 @@
"description": "The rules that reported the events.",
"type": "rule"
},
"run_mode_ids": {
"caption": "Run Mode IDs",
"description": "The list of normalized identifiers that describe application attributes when it is running. See specific usage.",
"type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
"description": "The run mode is unknown."
},
"99": {
"caption": "Other",
"description": "The run mode is not mapped. See the <code>run_modes</code> attribute, which contains data source specific values."
}
},
"is_array": true,
"sibling": "run_modes"
},
"run_modes": {
"caption": "Run Modes",
"description": "The list of run_modes, normalized to the captions of the run_mode_ids values. In the case of 'Other', they are defined by the event source. See specific usage.",
"type": "string_t",
"is_array": true
},
"run_state": {
"caption": "Run State",
"description": "The state of the job or service, normalized to the caption of the run_state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
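Review bot: the attribute defined here is `run_mode_ids`, but the descriptions do not agree on that name: the `run_modes` description says "captions of the run_mode_ids values" while the same attribute in objects/startup_item.json says "run_mode_id values"; use the real name `run_mode_ids` in both places. The `run_mode_ids` description "describe application attributes when it is running" also mixes subjects; "describe properties of the startup item while it is running" is clearer. Since the enum here carries only the `0`/`99` sentinels and the concrete values (`1` to `3`) are supplied on the `startup_item` object, the description should say that the meaningful values are defined per object, which is what "See specific usage" is hinting at.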
Expand Down Expand Up @@ -4224,6 +4247,64 @@
"description": "The start time of a time period. See specific usage.",
"type": "timestamp_t"
},
"start_type": {
"caption": "Start Type",
"description": "The start type of a service, driver, or application.",
"type": "string_t"
},
"start_type_id": {
"caption": "Start Type ID",
"description": "The start type ID of a service or application.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The start type is unknown."
},
"1": {
"caption": "Auto",
"description": "Service started automatically during system startup."
},
"2": {
"caption": "Boot",
"description": "Device driver started by the system loader."
},
"3": {
"caption": "On Demand",
"description": "Started on demand. For example, by the Windows Service Control Manager when a process calls the <i>StartService</i> function."
},
"4": {
"caption": "Disabled",
"description": "The service is disabled, and cannot be started."
},
"5": {
"caption": "All Logins",
"description": "Started on all user logins."
},
"6": {
"caption": "Specific User Login",
"description": "Started on specific user logins."
},
"7": {
"caption": "Scheduled",
"description": "Stared according to a schedule."
},
"8": {
"caption": "System Changed",
"description": "Started when a system item, such as a file or registry key, changes."
},
"99": {
"caption": "Other",
"description": "The start type is not mapped. See the <code>start_type</code> attribute, which contains a data source specific value."
}
},
"type": "integer_t",
"sibling": "start_type"
},
"startup_item": {
"caption": "Startup Item",
"description": "The startup item object describes an application component that has associated startup criteria and configurations.",
"type": "startup_item"
},
"state": {
"caption": "State",
"description": "The state of the event or object, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
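Review bot: typo in value `7`: "Stared according to a schedule." should be "Started according to a schedule." The two descriptions also disagree on scope: `start_type` says "a service, driver, or application" while `start_type_id` says "a service or application"; value `2` (Boot) is explicitly a device-driver start, so align `start_type_id` with "service, driver, or application". Values `1` to `4` mirror the Windows Service Control Manager start types (auto, boot, demand, disabled), but the SCM's system-start type for drivers loaded after the boot-start drivers has no counterpart here and would have to be sent as `99` (Other); either add a `System` value or state in the description that it maps to Other so producers converge on one mapping. Minor: value `3` uses `<i>StartService</i>` where the other descriptions use `<code>` for identifiers.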
13 changes: 13 additions & 0 deletions events/discovery/startup_item_query.json
@@ -0,0 +1,13 @@
{
"caption": "Startup Item Query",
"description": "Startup Item Query events report information about discovered items, e.g., application components that are generally configured to run automatically.",
"extends": "discovery_result",
"name": "startup_item_query",
"uid": 22,
"attributes": {
"startup_item": {
"group": "primary",
"requirement": "required"
}
}
}
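Review bot: the description "report information about discovered items, e.g., application components that are generally configured to run automatically" does not tell a consumer what one event carries; since the class has exactly one `startup_item` (required, primary), say so: "reports a single startup item discovered on the host, such as a service, driver, scheduled job or auto-start application", which also matches the `type_id` values on the object. Worth stating here too that the item's resource (`driver`, `job`, `process`, and `win_service` in the Windows extension) is populated for at most one of those fields, because that constraint lives on the object and is easy to miss from the class page.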
20 changes: 20 additions & 0 deletions extensions/windows/objects/startup_item.json
@@ -0,0 +1,20 @@
{
"caption": "Startup Item",
"name": "startup_item",
"description": "The startup item object describes an application component that has associated startup criteria and configurations.",
"extends": "startup_item",
"attributes": {
"win_service": {
"description": "The startup item Windows service resource.",
"requirement": "optional"
}
},
"constraints": {
"just_one": [
"driver",
"job",
"process",
"win_service"
]
}
}
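Review bot: the `just_one` constraint over `driver`, `job`, `process` and `win_service` forces a producer to choose for a running Windows service, which is both a service (`win_service`) and a process (`process`); the `win_service` description should say that it is the resource to use for service-type items and that `process` is reserved for user-mode applications, otherwise two producers will populate the same event differently and a detection keyed on `process` will miss services. The `description` here repeats the base object's text verbatim; if it has to be present for validation (commit 25ab7c0 suggests `caption` did), make it Windows-specific, e.g. mention that `win_service` carries the Service Control Manager configuration.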
156 changes: 156 additions & 0 deletions objects/startup_item.json
@@ -0,0 +1,156 @@
{
"caption": "Startup Item",
"name": "startup_item",
"description": "The startup item object describes an application component that has associated startup criteria and configurations.",
"attributes": {
"name": {
"description": "The unique name of the startup item.",
"requirement": "required"
},
"run_modes": {
"description": "The list of run_modes, normalized to the captions of the run_mode_id values. In the case of 'Other', they are defined by the event source.",
"requirement": "optional"
},
"run_mode_ids": {
"description": "The list of normalized identifiers that describe the startup items' properties when it is running. Use this field to capture extended information about the process, which may depend on the type of startup item. E.g., A Windows service that interacts with the desktop.",
"requirement": "optional",
"enum": {
"1": {
"caption": "Interactive",
"description": "The startup item interacts with the desktop."
},
"2": {
"caption": "Own Process",
"description": "The startup item runs in its own process."
},
"3": {
"caption": "Shared Process",
"description": "The startup item runs in a shared process."
}
}
},
"run_state": {
"description": "The run state of the startup item.",
"requirement": "optional"
},
"run_state_id": {
"description": "The run state ID of the startup item.",
"requirement": "recommended",
"enum": {
"1": {
"caption": "Stopped",
"description": "The service is not running."
},
"2": {
"caption": "Start Pending",
"description": "The service is starting."
},
"3": {
"caption": "Stop Pending",
"description": "The service is stopping."
},
"4": {
"caption": "Running",
"description": "The service is running."
},
"5": {
"caption": "Continue Pending",
"description": "The service is pending continue."
},
"6": {
"caption": "Pause Pending",
"description": "The service is pending pause."
},
"7": {
"caption": "Paused",
"description": "The service is paused."
},
"8": {
"caption": "Restart Pending",
"description": "The service is pending restart."
}
}
},
"start_type": {
"description": "The start type of the startup item.",
"requirement": "optional"
},
"start_type_id": {
"description": "The start type ID of the startup item.",
"requirement": "required"
},
"type": {
"caption": "Type",
"description": "The startup item type.",
"requirement": "optional",
"type": "string_t"
},
"type_id": {
"caption": "Type ID",
"description": "The startup item type identifier.",
"requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown",
"description": "The type is unknown."
},
"1": {
"caption": "Kernel Mode Driver",
"description": "Kernel mode driver."
},
"2": {
"caption": "User Mode Driver",
"description": "User mode driver."
},
"3": {
"caption": "Service",
"description": "A background process typically managed by the operating system, e.g., a service process on Windows or a systemd-managed daemon on Linux."
},
"4": {
"caption": "User Mode Application",
"description": "An application that runs in the user space."
},
"5": {
"caption": "Autoload",
"description": "The macOS Autoload Application."
},
"6": {
"caption": "System Extension",
"description": "System extensions on macOS enables 3rd parties to extend the capabilities of macOS."
},
"7": {
"caption": "Kernel Extension",
"description": "Kernel extensions on macOS includes Apple provided pre-installs and 3rd party installs which enables support for specific hardware or software features not natively supported by macOS."
},
"8": {
"caption": "Scheduled Job, Task",
"description": "A job or task that runs on a configured schedule."
},
"99": {
"caption": "Other",
"description": "The startup item type is not mapped. See the <code>type</code> attribute, which contains data source specific values."
}
},
"type": "integer_t"
},
"driver": {
"description": "The startup item kernel driver resource.",
"requirement": "optional"
},
"job": {
"description": "The startup item job resource.",
"requirement": "optional"
},
"process": {
"description": "The startup item process resource.",
"requirement": "optional"
}
},
"constraints": {
"just_one": [
"driver",
"job",
"process"
]
}
}
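Review bot: every `run_state_id` description says "The service ..." although the object also models drivers (`type_id` 1, 2), user-mode applications (4) and scheduled jobs (8); use "The startup item ..." so the captions read correctly for a paused kernel driver or a stopped scheduled task. The `run_mode_ids` description has the same wording problem: "describe the startup items' properties when it is running" mixes plural and singular, and "run_mode_id values" should name the actual attribute, `run_mode_ids`. `name` is "The unique name of the startup item" without saying unique in which scope (the service name as registered with the operating system versus its display name, the job name, the driver image name); that is the key a detection will join on, so it needs to be pinned down. `type_id` is only `recommended` while `start_type_id` is `required`; an event with a Boot start type but no item type is hard to interpret, so consider making `type_id` required as well. Finally, the value `5` description "The macOS Autoload Application." only restates the caption, and the `Service` description names Windows and systemd but not launchd, so it is unclear whether a launchd-managed daemon is `3` or `5`; one sentence on each resolves that.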