Example: snapshot

Inputs

  • examples/inputs/snapshot-samples/system_state.txt

Profile

# System Snapshot Example
# Note: This demonstrates the --system-snapshot feature
# The actual snapshot captures live system state (processes, network, etc.)

decode = []

tag = "snapshot"

# Process patterns
[[patterns]]
  name = "Suspicious Process Name"
  pattern = "mimikatz|procdump|lazagne|rubeus"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "PowerShell Hidden"
  pattern = "powershell.*-w.*hidden"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Encoded PowerShell"
  pattern = "powershell.*-enc"
  type = "regex"
  case-insensitive = true

# Network patterns
[[patterns]]
  name = "Suspicious Port"
  pattern = ":4444|:5555|:1337|:31337"
  type = "regex"

[[patterns]]
  name = "Outbound Connection"
  pattern = "ESTABLISHED.*[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
  type = "regex"

# Module/DLL patterns
[[patterns]]
  name = "Suspicious DLL"
  pattern = "amsi\\.dll|clrjit\\.dll"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Reflective Loading"
  pattern = "clr\\.dll.*loaded"
  type = "regex"
  case-insensitive = true

Report outputs

Triage report (converted from triage_report.json)

total_files: 1
critical_count: 0
high_count: 0
medium_count: 0
low_count: 0
minimal_count: 1
must_investigate_count: 0
all_scores: None
generated_at: 2025-12-03T09:19:44.817739057+00:00

top_scores

characteristics_score: 0
file_type: Other
file_type_score: 0
must_investigate: False
path: /system_state.txt
pattern_count_score: 15
pattern_matches: 14
pattern_severity_score: 13
reasons: ["14 suspicious patterns detected"]
risk_level: Minimal
score: 28
sha256: ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71

CSV outputs

errors.csv

Empty CSV

files.csv

path,file_name,sha256,file_created,file_modified,file_accessed,mime_types_from_file_extension,is_symbolic_link,is_extracted_file,is_decoded_file,is_deobfuscated_file,tag
/system_state.txt,system_state.txt,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,2025-12-03T08:56:20.496889204Z,2025-12-03T08:56:20.496889204Z,2025-12-03T08:56:20.496889204Z,["text/plain"],0,0,0,0,

pattern_matches.csv

id,sha256,pattern_name,match_type,match,location,length
1,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Process Name,regex,mimikatz,8:17,8
2,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Process Name,regex,mimikatz,8:44,8
3,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Process Name,regex,procdump,9:17,8
4,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Process Name,regex,procdump,9:44,8
5,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,PowerShell Hidden,regex,"powershell.exe, CommandLine: powershell -w hidden",5:17,49
6,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Encoded PowerShell,regex,"powershell.exe, CommandLine: powershell -w hidden -enc",5:17,54
7,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Port,regex,:4444,13:59,5
8,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Port,regex,:5555,14:57,5
9,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Port,regex,:1337,15:26,5
10,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious Port,regex,:31337,16:26,6
11,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious DLL,regex,amsi.dll,19:33,8
12,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious DLL,regex,amsi.dll,19:69,8
13,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Suspicious DLL,regex,clrjit.dll,20:30,10
14,ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,Reflective Loading,regex,"clr.dll, Status: loaded",21:30,23

signature_matches.csv

Empty CSV

unique_files.csv

sha256,sha1,md5,file_size,mime_type_for_content,shannon_entropy
ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71,d02f4f12e100aa1bbdea10dc5f79463d74d6e19e,6c6797a5077959fc4637e4b556085bed,1426,text/plain,5.19923754732871