Adding the Startup Application Query event class in the discovery category. (#1119)

The Startup Application Query class captures the results of a discovery
on target devices.
This class was refactored from a previous submission, while
incorporating feedback from Paul.

#### Description of changes:
Made the Startup Application object more clear by factoring out
unrelated items in the type_id list.
The list now describes only the type of application.
A run_mode attribute was added as an array to capture the other items.
Also added a run_state to capture the state of the application at the
time the event was logged.

---------

Signed-off-by: maxhotta <[email protected]>
Co-authored-by: Rajas <[email protected]>
maxhotta and floydtree authored Sep 4, 2024
1 parent c1ea8ff commit 2540764
Showing 5 changed files with 272 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -45,6 +45,8 @@ Thankyou! -->
* #### Event Classes
1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
2. Added `Script Activity` event class to the System category. #1159
3. Added `Startup Item Query` event class. #1119

* #### Dictionary Attributes
1. Added `has_mfa` as a `boolean_t`. #1155

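Review bot: The new entry `3.` omits the category and the supporting schema pieces, so it reads inconsistently next to entries 1 and 2 ("... to the Discovery category", "... to the System category") and undersells the change. Suggest `3. Added \`Startup Item Query\` event class to the Discovery category, with the new \`startup_item\` object and the \`start_type\`/\`start_type_id\` and \`run_modes\`/\`run_mode_ids\` dictionary attributes. #1119`. Also note the commit title still calls the class "Startup Application Query" while the changelog and schema files say "Startup Item Query"; one name should be used throughout.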
81 changes: 81 additions & 0 deletions dictionary.json
@@ -3811,6 +3811,29 @@
"description": "The rules that reported the events.",
"type": "rule"
},
"run_mode_ids": {
"caption": "Run Mode IDs",
"description": "The list of normalized identifiers that describe application attributes when it is running. See specific usage.",
"type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
"description": "The run mode is unknown."
},
"99": {
"caption": "Other",
"description": "The run mode is not mapped. See the <code>run_modes</code> attribute, which contains data source specific values."
}
},
"is_array": true,
"sibling": "run_modes"
},
"run_modes": {
"caption": "Run Modes",
"description": "The list of run_modes, normalized to the captions of the run_mode_ids values. In the case of 'Other', they are defined by the event source. See specific usage.",
"type": "string_t",
"is_array": true
},
"run_state": {
"caption": "Run State",
"description": "The state of the job or service, normalized to the caption of the run_state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
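Review bot: The `run_mode_ids` description ("describe application attributes when it is running") has a dangling "it" and reads awkwardly for a list-valued attribute; suggest "The list of normalized identifiers that describe the attributes of an application while it is running. See specific usage." Also confirm the intended split: the dictionary enum here carries only `0` (Unknown) and `99` (Other) while the specific values live on the `startup_item` object, which is fine if the compiler merges object-level enums with the dictionary definition, but then `run_modes` should say "normalized to the captions of the `run_mode_ids` values" consistently wherever the attribute is described.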
@@ -4224,6 +4247,64 @@
"description": "The start time of a time period. See specific usage.",
"type": "timestamp_t"
},
"start_type": {
"caption": "Start Type",
"description": "The start type of a service, driver, or application.",
"type": "string_t"
},
"start_type_id": {
"caption": "Start Type ID",
"description": "The start type ID of a service or application.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The start type is unknown."
},
"1": {
"caption": "Auto",
"description": "Service started automatically during system startup."
},
"2": {
"caption": "Boot",
"description": "Device driver started by the system loader."
},
"3": {
"caption": "On Demand",
"description": "Started on demand. For example, by the Windows Service Control Manager when a process calls the <i>StartService</i> function."
},
"4": {
"caption": "Disabled",
"description": "The service is disabled, and cannot be started."
},
"5": {
"caption": "All Logins",
"description": "Started on all user logins."
},
"6": {
"caption": "Specific User Login",
"description": "Started on specific user logins."
},
"7": {
"caption": "Scheduled",
"description": "Stared according to a schedule."
},
"8": {
"caption": "System Changed",
"description": "Started when a system item, such as a file or registry key, changes."
},
"99": {
"caption": "Other",
"description": "The start type is not mapped. See the <code>start_type</code> attribute, which contains a data source specific value."
}
},
"type": "integer_t",
"sibling": "start_type"
},
"startup_item": {
"caption": "Startup Item",
"description": "The startup item object describes an application component that has associated startup criteria and configurations.",
"type": "startup_item"
},
"state": {
"caption": "State",
"description": "The state of the event or object, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
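Review bot: Typo in the `start_type_id` enum value `7` ("Scheduled"): "Stared according to a schedule." should read "Started according to a schedule." Two smaller points in the same hunk: the `start_type_id` description says "of a service or application" while `start_type` says "of a service, driver, or application" and value `2` (Boot) is explicitly a driver start type, so the ID description should include drivers as well; and value `1` (Auto) is phrased as "Service started automatically during system startup." although the enum is shared by drivers and applications, so "Started automatically during system startup." is more accurate.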
13 changes: 13 additions & 0 deletions events/discovery/startup_item_query.json
@@ -0,0 +1,13 @@
{
"caption": "Startup Item Query",
"description": "Startup Item Query events report information about discovered items, e.g., application components that are generally configured to run automatically.",
"extends": "discovery_result",
"name": "startup_item_query",
"uid": 22,
"attributes": {
"startup_item": {
"group": "primary",
"requirement": "required"
}
}
}
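Review bot: The class description is vague about what is discovered ("information about discovered items, e.g., application components ..."); since the class requires a `startup_item`, suggest "Startup Item Query events report information about discovered startup items, i.e., application components such as services, drivers, scheduled jobs and autoloaded applications that are configured to run automatically." Also confirm that `"uid": 22` is not already used by another class under `events/discovery/`, since the class `uid` must be unique within its category because it forms the low digits of the derived `class_uid`.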
20 changes: 20 additions & 0 deletions extensions/windows/objects/startup_item.json
@@ -0,0 +1,20 @@
{
"caption": "Startup Item",
"name": "startup_item",
"description": "The startup item object describes an application component that has associated startup criteria and configurations.",
"extends": "startup_item",
"attributes": {
"win_service": {
"description": "The startup item Windows service resource.",
"requirement": "optional"
}
},
"constraints": {
"just_one": [
"driver",
"job",
"process",
"win_service"
]
}
}
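Review bot: The `constraints.just_one` list restates the three entries from the core `objects/startup_item.json` (`driver`, `job`, `process`) and adds `win_service`; confirm whether the schema compiler merges or replaces constraints when an extension patches an object of the same name, because if it merges, listing only `win_service` here keeps the two lists from drifting apart, and if it replaces, a comment or the PR description should say the full list is intentionally restated. The `description` is also a verbatim copy of the core object's and can be dropped from the patch for the same reason.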
156 changes: 156 additions & 0 deletions objects/startup_item.json
@@ -0,0 +1,156 @@
{
"caption": "Startup Item",
"name": "startup_item",
"description": "The startup item object describes an application component that has associated startup criteria and configurations.",
"attributes": {
"name": {
"description": "The unique name of the startup item.",
"requirement": "required"
},
"run_modes": {
"description": "The list of run_modes, normalized to the captions of the run_mode_id values. In the case of 'Other', they are defined by the event source.",
"requirement": "optional"
},
"run_mode_ids": {
"description": "The list of normalized identifiers that describe the startup items' properties when it is running. Use this field to capture extended information about the process, which may depend on the type of startup item. E.g., A Windows service that interacts with the desktop.",
"requirement": "optional",
"enum": {
"1": {
"caption": "Interactive",
"description": "The startup item interacts with the desktop."
},
"2": {
"caption": "Own Process",
"description": "The startup item runs in its own process."
},
"3": {
"caption": "Shared Process",
"description": "The startup item runs in a shared process."
}
}
},
"run_state": {
"description": "The run state of the startup item.",
"requirement": "optional"
},
"run_state_id": {
"description": "The run state ID of the startup item.",
"requirement": "recommended",
"enum": {
"1": {
"caption": "Stopped",
"description": "The service is not running."
},
"2": {
"caption": "Start Pending",
"description": "The service is starting."
},
"3": {
"caption": "Stop Pending",
"description": "The service is stopping."
},
"4": {
"caption": "Running",
"description": "The service is running."
},
"5": {
"caption": "Continue Pending",
"description": "The service is pending continue."
},
"6": {
"caption": "Pause Pending",
"description": "The service is pending pause."
},
"7": {
"caption": "Paused",
"description": "The service is paused."
},
"8": {
"caption": "Restart Pending",
"description": "The service is pending restart."
}
}
},
"start_type": {
"description": "The start type of the startup item.",
"requirement": "optional"
},
"start_type_id": {
"description": "The start type ID of the startup item.",
"requirement": "required"
},
"type": {
"caption": "Type",
"description": "The startup item type.",
"requirement": "optional",
"type": "string_t"
},
"type_id": {
"caption": "Type ID",
"description": "The startup item type identifier.",
"requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown",
"description": "The type is unknown."
},
"1": {
"caption": "Kernel Mode Driver",
"description": "Kernel mode driver."
},
"2": {
"caption": "User Mode Driver",
"description": "User mode driver."
},
"3": {
"caption": "Service",
"description": "A background process typically managed by the operating system, e.g., a service process on Windows or a systemd-managed daemon on Linux."
},
"4": {
"caption": "User Mode Application",
"description": "An application that runs in the user space."
},
"5": {
"caption": "Autoload",
"description": "The macOS Autoload Application."
},
"6": {
"caption": "System Extension",
"description": "System extensions on macOS enables 3rd parties to extend the capabilities of macOS."
},
"7": {
"caption": "Kernel Extension",
"description": "Kernel extensions on macOS includes Apple provided pre-installs and 3rd party installs which enables support for specific hardware or software features not natively supported by macOS."
},
"8": {
"caption": "Scheduled Job, Task",
"description": "A job or task that runs on a configured schedule."
},
"99": {
"caption": "Other",
"description": "The startup item type is not mapped. See the <code>type</code> attribute, which contains data source specific values."
}
},
"type": "integer_t"
},
"driver": {
"description": "The startup item kernel driver resource.",
"requirement": "optional"
},
"job": {
"description": "The startup item job resource.",
"requirement": "optional"
},
"process": {
"description": "The startup item process resource.",
"requirement": "optional"
}
},
"constraints": {
"just_one": [
"driver",
"job",
"process"
]
}
}
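Review bot: The `run_modes` and `run_mode_ids` descriptions disagree on the sibling's name: `run_modes` refers to "the captions of the run_mode_id values" but the attribute is `run_mode_ids`; and "describe the startup items' properties when it is running" mixes plural and singular (suggest "the startup item's properties while it is running"). In the same hunk, every `run_state_id` enum description says "The service is ..." although the object also covers drivers, jobs, processes and user applications per `type_id`, so "The startup item is ..." would match the object's scope; the `type_id` descriptions have agreement errors ("System extensions on macOS enables" should be "enable"; "Kernel extensions on macOS includes ... which enables" should be "include ... which enable") and value `5` ("The macOS Autoload Application.") does not say what it is; and `type`/`type_id` restate `"caption"` and `"type"` that the dictionary already defines, which the other attributes in this object do not do and which can be removed so the two definitions cannot diverge.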

0 comments on commit 2540764